Dear Google…Dear ICO…

On 15 June this year I complained to Google UK. I have had no response, so I have now asked the Information Commissioner’s Office to assess the lawfulness of Google’s actions. This is my email to the ICO

Hi

I would like to complain about Google UK. On 15 June 2015 I wrote to them at their registered address in the following terms

Complaint under Data Protection Act 1998

When a search is made on Google for my name “Jonathan Baines”, and, alternatively, “Jon Baines”, a series of results are returned, but at the foot of the page a message (“the message”) is displayed:

Some results may have been removed under data protection law in Europe. Learn more

To the best of my knowledge, no results have in fact been removed.

The first principle in Schedule One of the Data Protection Act 1998 (DPA) requires a data controller to process personal data fairly and lawfully. In the circumstances I describe, “Jonathan Baines”, “Jon Baines” and the message constitute my personal data, of which you are clearly data controller.

It is unfair to suggest that some results may have been removed under data protection law. This is because the message carries an innuendo that what may have been removed was content that was embarrassing, or that I did not wish to be returned by a Google search. This is not the case. I do not consider that the hyperlink “Learn more” nullifies the innuendo: for instance, a search on Twitter for the phrase “some results may have been removed” provides multiple examples of people assuming the message carries an innuendo meaning.

Accordingly, please remove the message from any page containing the results of a search on my name Jonathan Baines, or Jon Baines, and please confirm to me that you have done so. You are welcome to email me to this effect at [redacted]”

I have had no response to this letter, and furthermore I have twice contacted Google UK’s twitter account “@googleuk” to ask about a response, but have had none.

I am now asking, pursuant to my right to do so at section 42 of the Data Protection Act 1998, for you to conduct an assessment as to whether it is likely or unlikely that the processing by Google UK has been or is being carried out in compliance with the provisions of that Act.

I note that in Case C‑131/12 the Grand Chamber of the Court of Justice of the European Union held that “when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State” then “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. I also note that Google UK’s notification to your offices under section 18 of the Data Protection Act 1998 says “We process personal information to enable us to promote our goods and services”. On this basis alone I would submit that Google UK is carrying out processing as a data controller in the UK jurisdiction.

I hope I have provided sufficient information for you to being to assess Google UK’s compliance with its obligations under the Data Protection Act 1998, but please contact me if you require any further information.

with best wishes,

Jon Baines

Leave a comment

Filed under Data Protection, Information Commissioner

What does it take to stop Lib Dems spamming?

Lib Dems continue to breach ePrivacy law, ICO still won’t take enforcement action.

It’s not difficult: the sending of unsolicited marketing emails to me is unlawful. Regulation 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and by extension, the first and second principles in Schedule One of the Data Protection Act 1998 (DPA) make it so. The Liberal Democrats have engaged in this unlawful practice – they know and the Information Commissioner’s Office (ICO) know it, because the latter recently told the former that they have, and told me in turn

I have reviewed your correspondence and the [Lib Dem’s] website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals

But the ICO has chosen not to take enforcement action, saying to me in an email of 24th April

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

Of course I’d never suggested they take action in every case – I’d requested (as is my right under regulation 32 of PECR) that they take action in this particular case. The ICO also asked for the email addresses I’d used; I gave these over assuming it was for the purposes of pursuing an investigation but no, when I later asked the ICO they said they’d passed them to the Lib Dems in order that they could be suppressed from the Lib Dem mailing list. I could have done that if I wanted to. It wasn’t the point and I actually think the ICO were out of order (and contravening the DPA themselves) in failing to tell me that was the purpose.

But I digress. Failure to comply with PECR and the DPA is rife across the political spectrum and I think it’s strongly arguable that lack of enforcement action by the ICO facilitates this. And to illustrate this, I visited the Lib Dems’ website recently, and saw the following message

Untitled

Vacuous and vague, I suppose, but I don’t disagree, so I entered an email address registered to me (another one I reserve for situations where I fear future spamming) and clicked “I agree”. By return I got an email saying

Friend – Thank you for joining the Liberal Democrats…

Wait – hold on a cotton-picking minute – I haven’t joined the bloody Liberal Democrats – I put an email in a box! Is this how they got their recent, and rather-hard-to-explain-in-the-circumstances “surge” in membership? Am I (admittedly using a pseudonym) now registered with them as a member? If so, that raises serious concerns about DPA compliance – wrongly attributing membership of a political party to someone is processing of sensitive personal data without a legal basis.

It’s possible that I haven’t yet been registered as such, because the email went on to say

Click here to activate your account

When I saw this I actually thought the Lib Dems might have listened to the ICO – I assumed that if I didn’t (I didn’t) “click here” I would hear no more. Not entirely PECR compliant, but a step in the right direction. But no, I’ve since received an email from the lonely Alistair Carmichael asking me to support the Human Rights Act (which I do) but to support it by joining a Lib Dem campaign. This is direct marketing of a political party, I didn’t consent to it, and it’s sending was unlawful.

I’ll report it to the ICO, more in hope than expectation that they will do anything. But if they don’t, I think they have to accept that a continuing failure to take enforcement against casual abuse of privacy laws is going to lead to a proliferation of that abuse.

2 Comments

Filed under consent, Data Protection, enforcement, Information Commissioner, marketing, PECR, spam

What a difference a day makes

Back in 2013 I blogged about a little-known (not unknown, as some commenters thought I was suggesting) oddity of the Freedom of Information Act 2000 (FOIA). This oddity is that a bank holiday falling in any part of the United Kingdom counts as a non-working-day for the purposes of FOIA. So, as January 2nd (or the nearest substitute day) is a bank holiday in Scotland, it is not a working day for the purposes of calculating the maximum timescale for compliance with a request made under FOIA, despite the fact that Scotland has its own Freedom of Information (Scotland) Act 2002.
What “bank holiday” means, according to section 10(6) of FOIA, is 

any day other than a Saturday, a Sunday, Christmas Day, Good Friday or a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom

And section 1 of the Banking and Financial Dealings Act 1971 says 

the days specified in Schedule 1 to this Act shall be bank holidays in England and Wales, in Scotland and in Northern Ireland as indicated in the Schedule

The Schedule therefore provides a number of dates which are to be considered as bank holidays

All straightforward then? Not quite. Sections 1(2) and 1(3) of The Banking and Financial Dealings Act 1971 also provide that the Queen can effectively remove or add a bank holiday “by proclamation”. What this means has recently been considered by the First-tier Tribunal (Information Rights) (FTT), and it shows that even the Information Commissioner’s Office (ICO) can get this issue wrong sometimes. In the case, the ICO had said in its decision notice that the public authority, Monitor, had complied with its obligation to respond to a FOIA request within twenty working days, because the period involved included two bank holidays within the UK (on 14 July (Northern Ireland) and 4 August (Scotland)). However, when faced with an appeal to the FTT by the requester, the ICO faltered, and

recalculated the 20 day period and concluded that while July 14 was commemorated as the anniversary of the Battle of the Boyne for the purpose of a public holiday in Northern Ireland it was not a bank holiday and accordingly the response from Monitor had been outside the 20 day period

Not so fast, said the FTT – remember section 1(3) of the Banking and Financial Dealings Act 1971? Well, as the London Gazette records, on 14 June 2013 a proclamation was made by Her Majesty, providing that

…We consider it desirable that Monday the fourteenth day of July in the year 2014 should be a bank holiday in Northern Ireland

As the FTT said

The effect of this was to insert a bank holiday in July…accordingly [Monitor] responded within the time limit

All very arcane and abstruse, no doubt, but practitioners and requesters should note that the London Gazette records that on 18 July 2014 Her Majesty also proclaimed that 13th July 2015 would also be a bank holiday. So, for FOI requests whose normal twenty-working-day period includes the date of 13th July this year, everyone needs to bear in mind that, as hard as they may be working on that date, it is not to be counted as a FOIA working day. 

But everyone should also bear in mind that, if they find this tricky, even the ICO gets confused sometimes.

7 Comments

Filed under FOISA, Freedom of Information, Information Commissioner, Information Tribunal

Talk on the future of FOI

Mostly because I haven’t posted much on this blog recently, I’m uploading a version of a talk I gave at the recent conference of the National Police Chiefs Council (NPCC). I was asked to talk, alongside FOIKid Bilal Ghafoor, and tribunal judge David Farrer QC, about what the teenage years of the Freedom of Information Act 2000 might look like. After I’d reflected on this, I ended up rather more optimistic than I expected. YMMV, as they say.

Before I talk about the future, and FOI as it enters those awkward teenage years, I wanted to reflect a bit on its early infanthood. Has it achieved what it was hoped it would achieve? Has it worked well?

As is sometimes overlooked, Parliament declined to enact a purpose clause into the 2000 Freedom of Information Act (against the urging of the then Information Commissioner Elizabeth France). So when we talk about whether FOIA has achieved its aims, we are, to an extent, second guessing what Parliament intended. However, in 2012 the Justice Committee conducted post-legislative scrutiny of FOIA, and the Ministry of Justice (drawing on the original White Paper which preceded the Act) identified four objectives for it:

  • openness and transparency;
  • accountability;
  • better decision making;
  • and public involvement in decision making, including increased public trust in decision making by government

And the committee felt that FOIA has achieved the first three but the secondary objective of enhancing public confidence in Government had not been achieved, and was unlikely to be achieved.

And I think this is broadly right: we have seen more openness and transparency – when working well together FOIA feeds into the Transparency Agenda and vice versa. Huge amounts of public sector information have been made available where once it wasn’t. And with openness and transparency come, or should come more accountability and better decision making. But that final objective, involving increasing public trust in decision making, has almost been achieved in the negative – and that is partly to do with how the public hear about FOIA. Many, probably most, major FOIA stories run by the media almost inevitably involve scandal or highlight wasteful practice, and often go hand in hand with litigation aimed at preventing disclosure. The MPs expenses scandal was one of FOIA’s major victories (although, let us not forget, it was a leak to the Telegraph, rather than a final FOIA disclosure, that led to the full details coming out) but while it enhanced FOIA’s status, it’s hard to say it did anything but greatly damage public trust in government, and more widely, politicians.

But the Justice Committee report identified something else, and something very relevant when we start to look to the future of FOIA. It stated that “the right to access public sector information is an important constitutional right” – something which Lady Justice Arden also recognised in her recent Court of Appeal judgment in the Dransfield case. And when something is identified as part of our constitution, it becomes pretty hard to remove it, or amend it to any great extent. The Conservative government appear to be experiencing this at the moment, as their plans to repeal the Human Rights Act have been stalled. The Human Rights Act can also be said to have achieved constitutional status – by incorporating the European Convention on Human Rights into the domestic law of the UK, it represented a major shift in how individual rights are protected under British law. It may well end up being the case that the only way the Act could be repealed would be by replacing it with something essentially the same (or by pulling out of the Convention, and pulling out of Europe) and even then, as Lord Bingham said

“Which of these rights…would we wish to discard? Are any of them trivial, superfluous, unnecessary? Are any them un-British?”

The rights enshrined in the European Convention are fundamental, and they’re not going to go away, and when one considers that one of them – Article 10 – contains not just the right to freedom of expression, but the right to receive and impart information (subject to necessary and lawful conditions) one can begin to perceive that a Freedom of Information Act helps give effect to this fundamental right.

A majority of the Supreme Court, in the Kennedy judgment last year, went even further, and said that a (qualified) right to receive information from a public authority was not just enshrined in the Convention Rights, but existed (and always has existed) under the Common Law.

What I’m saying, by going off on a somewhat legalistic tangent, is that the right to request and receive public sector information is so fundamentally embedded in our legal and constitutional landscape, that I don’t see any realistic challenge to the principle (and I doubt any of you would). But it also means that any tinkering with the right becomes correspondingly difficult. And this is why although I think FOI will have some teenage tantrums, it won’t have a huge teenage meltdown and emerge from its bedroom a completely different individual.

But with that important caveat, what might we see?

Well, under Francis Maude in the Cabinet Office and Chris Grayling at the Ministry of Justice (although Lib Dem Simon Hughes had the actual FOI brief) we saw significant strides, and a lot of fine words, about the importance of transparency, with Maude even saying in 2012

“I’d like to make Freedom of Information redundant, by pushing out so much data that people won’t have to ask for it”

But they have all gone on to other things – Maude to the Lords, Grayling to Leader of the Commons and Simon Hughes back to his day job, after losing his seat last month. Will this lead to changes? Well, still very much in post is David Cameron, and he has spoken before about his concerns about FOI “furring up the arteries of government” and of FOI’s “buggeration factor”, which doesn’t bode well for those of us who support the Act. And minister with responsibility for FOI (under Michael Gove as Justice Secretary) is Dominic Raab. Raab is strong on civil liberties and is known to be a frequent user of FOI in his parliamentary and constituency work. One of his targets was the Police Federation – in 2011 he sent requests to all forces asking for figures on the number of police staff working full-time for the Federation. But Gove is reputed not to be so keen on FOI – indeed, in 2011 his then Department of Education was found to have used private email accounts to conduct government business, apparently in the belief that this took them outside FOIA.

It does seem clear that any changes to FOIA are not high on the government’s list of priorities: there was nothing in the Conservatives’ election manifesto, and there have been no obvious pronouncements in the early days.

For a flavour though of what might be on the cards it’s instructive to go back to the government response to the post-legislative scrutiny. On the subject of FOI cost limits there was a suggestion that further factors might be taken into account – so, added to the costs of locating and retrieving information it might become possible to take into account consideration and redaction time. This could have more profound effects that is immediately apparent – as most of you will know, those two activities can take up a large amount of time, and if that change were brought in I think we would see a huge increase in cost refusals.

Another related suggestion was that for costs purposes requests from the same person or group of persons could be aggregated EVEN where there was no similarity between the subject of the requests. It is not hard to see how this would be devastating for some journalists who make use of FOI.

And a further suggestion was the introduction of fees for appealing a case to the Information Tribunal. This would be unlikely to affect public authorities, but requesters could well be dissuaded. No doubt some of those would be the more speculative, persistent or frivolous of requesters, but I would be concerned that some well-intentioned requesters would decide not to exercise their rights if such a change were made.

On the more “pro-FOI” side, we are likely to see further public authorities made subject to FOIA. ACPO of course came in in 2012, Network Rail this year, and Theresa May has made clear that she would like to see the Police Federation covered.

But also discussions need to be had about the extent to which private contractors performing public functions are caught by FOI. The government has previously indicated that it thinks this can be achieved through appropriate contractual provisions, but I’m dubious – without a clear legal obligation, and associated enforcement mechanism, I struggle to see why this would happen.

So, despite my optimism that the fundamental principles of FOI are now constitutionally embedded, I don’t necessarily think there will be no changes. But I continue to think they will be essentially minor, and this is because I think there is a further factor which protects those fundamental principles. As I said, Dominic Raab has traditionally used FOI to gather information to better help him in his job. And thousands and thousands of other people do so. Journalists are the most obvious example (and when it comes to defenders of the right to receive information you couldn’t ask for a more vocal group) but campaign groups, other public authorities, academics and private citizens do so. And for this reason FOI is popular. Unlike the Human Rights Act there are no (or very few – I don’t know of any) journalists campaigning for FOIA’s repeal. Politicians don’t campaign on a platform of opposition to the right to receive public information.

FOI does promote better openness and transparency; better accountability; better decision making, and even if it hasn’t yet, and probably never will, improve the public trust in government decision-making, one thing which would further destroy that trust would be changes to make public authorities less accountable. And the media and campaigners would be lined up to make the point vociferously.

FOI may, in its teenage years, suffer from its own equivalent of angst, anger and acne, but it will have strong friends to support it.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

4 Comments

Filed under Freedom of Information, transparency

No Information Rights Levy for ICO – where now for funding?

The ICO’s plan for an “information rights levy” appears to have been scuppered by the government. But is retaining data protection notification fees the way to solve the funding problem?

Back in the heady days of January 2012, when a naive but optimistic European Commission proposed a General Data Protection Regulation (GDPR), to replace the existing 1995 Directive, one of the less-commented-on proposals was to remove the requirement for data controllers to notify their processing activities to the national data protection authority. However, the UK Information Commissioner’s Office (ICO) certainly noticed it, because the implications were that, at a stroke, a large amount of ICO funding would disappear. Currently, section 18(5) of the Data Protection Act 1998 (DPA), and accompanying secondary legislation, mean that data controllers (unless they have an exemption) must pay an annual fee to the ICO of either £35 or £500 (depending upon the size of the organisation). In 2012-2013 this equated to an estimated income of £17.4m, and this income effectively funds all of the ICO’s data protection regulatory actions (its FOI functions are funded by grant-in-aid from the Ministry of Justice).

Three years later, and the GDPR is still not with us. However, it will eventually be passed, and when it is, it seems certain that the requirement under European law to notify will be gone. Because of this, as the Justice Committee recognised in 2013, alternative ICO funding means need to be identified as soon as possible. The ICO’s preferred choice, and one which Christopher Graham has certainly been pushing for, was an “Information Rights Levy”, the details of which were not specified, but which it appears was proposed to be paid by data controllers and public authorities (subject to FOI) alike. In the 2013/14 ICO Annual Report Graham was bullish in calling for action:

Parliament needs to get on with the task of establishing a single, graduated information rights levy to fund the important work of the ICO as the effective upholder of our vital right to privacy and right to know

But this robust approach doesn’t seem to have worked. At a recent meeting of the ICO Management Board a much more pessimistic view emerges. In a report entitled “Registration Fee Strategy” it is said that

The ICO has previously highlighted the need for an ‘information rights fee’ or one fee, paid by organisations directly to the ICO, to fund all information rights activities. Given concerns across government that this would result in private sector cross subsidising public sector work, the ICO recognises that this is unlikely in the short term

The report goes on, therefore, to talk about proposed changes to the current fee/notification process, and about ways of identifying who needs to pay. 

But, oddly, it seems to assume that although the GDPR will remove the requirement for a data controller  to notify processing to the ICO, the UK will retain the discretion to continue with such arrangements (and to charge a fee). I’m not sure this is right. As I’ve written previously, under data protection law at least some recreational bloggers have a requirement to notify (and pay a fee), and the legal authorities are clear that the law’s ambit extends to, for instance, individuals operating domestic CCTV, if that CCTV covers public places where identifiable individuals are. Indeed, as the 2004 Lindqvist case found 

The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number…constitutes ‘the processing of personal data…[and] is not covered by any of the exceptionsin Article 3(2) of Directive 95/46 [section 36 of the DPA transposes Article 3(2) into domestic law]

It is arguable that, to varying extents, we are all data controllers now (and ones who will struggle to avail ourselves of the data protection exemption for domestic purposes). Levying a fee on all of us, in order that we can lawfully express ourselves, has the potential to be a serious infringement of our right to freedom of expression under Article 10 of the European Convention on Human Rights, and even more directly, Article 11 of the Charter of Fundamental Rights of the European Union.

The problem of how to effectively fund the ICO in a time of austerity is a challenging one, and I don’t envy those at the ICO and in government who are trying to solve it, but levying a tax on freedom of expression (which notification arguably already is, and would almost certainly be if the GDPR doesn’t actually require notification) is not the way to do so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

1 Comment

Filed under Data Protection, Directive 95/46/EC, GDPR, Information Commissioner, Uncategorized

Google’s Innuendo

If you search on Google for my name, Jon Baines, or the full version, Jonathan Baines, you see, at the foot of the page of search results

Some results may have been removed under data protection law in Europe. Learn more

Oh-ho! What have I been up to recently? Well, not much really, and certainly nothing that might have led to results being removed under data protection law. Nor similarly, have John Keats, Eleanor Roosevelt and Nigel Molesworth (to pick a few names at random), a search on all of whose names brings up the same message. And, of course, if you click the hyperlink marked by the words “Learn more” you find out in fact that Google has simply set its algorithms to display the message in Europe

when a user searches for most names, not just pages that have been affected by a removal.

It is a political gesture – one that reflects Google’s continuing annoyance at the 2014 decision – now forever known as “Google Spain” – of the Court of Justice of the European Union which established that Google is a data controller for the purpose of search returns containing personal data, and that it must consider requests from data subjects for removal of such personal data. A great deal has been written about this, some bad and some good (a lot of the latter contained in the repository compiled by Julia Powles and Rebekah Larsen) and I’m not going to try to add to that, but what I have noticed is that a lot of people see this “some results may have been removed” message, and become suspicious. For instance, this morning, I noticed someone tweeting to the effect that the message had come up on a search for “Chuka Umunna”, and their supposition was that this must relate to something which would explain Mr Umunna’s decision to withdraw from the contest for leadership of the Labour Party. A search on Twitter for “some results may have” returns a seething mass of suspicion and speculation.

Google is conducting an unnecessary exercise in innuendo. It could easily rephrase the message (“With any search term there is a possibility that some results may have been removed…”) but chooses not to do so, no doubt because it wants to undermine the effect of the CJEU’s ruling. It’s shoddy, and it drags wholly innocent people into its disagreement.

Furthermore, there is an argument that the exercise could be defamatory. I am not a lawyer, let alone a defamation lawyer, so I will leave it to others to consider that argument. However, I do know a bit about data protection, and it strikes me that, following Google Spain, Google is acting as a data controller when it processes a search on my name, and displays a list of results with the offending “some results may have been removed” message. As a data controller it has obligations, under European law (and UK law), to process my personal data “fairly and lawfully”. It is manifestly unfair, as well as wrong, to insinuate that information relating to me might have been removed under data protection law. Accordingly, I’ve written to Google, asking the message to be removed

Google UK Ltd
Belgrave House
76 Buckingham Palace Road
London SW1W 9TQ

16 May 2015

Dear Google

Complaint under Data Protection Act 1998

When a search is made on Google for my name “Jonathan Baines”, and, alternatively, “Jon Baines”, a series of results are returned, but at the foot of the page a message (“the message”) is displayed:

Some results may have been removed under data protection law in Europe. Learn more

To the best of my knowledge, no results have in fact been removed.

The first principle in Schedule One of the Data Protection Act 1998 (DPA) requires a data controller to process personal data fairly and lawfully. In the circumstances I describe, “Jonathan Baines”, “Jon Baines” and the message constitute my personal data, of which you are clearly data controller.

It is unfair to suggest that some results may have been removed under data protection law. This is because the message carries an innuendo that what may have been removed was content that was embarrassing, or that I did not wish to be returned by a Google search. This is not the case. I do not consider that the hyperlink “Learn more” nullifies the innuendo: for instance, a search on Twitter for the phrase “some results may have been removed” provides multiple examples of people assuming the message carries an innuendo meaning.

Accordingly, please remove the message from any page containing the results of a search on my name Jonathan Baines, or Jon Baines, and please confirm to me that you have done so. You are welcome to email me to this effect at [REDACTED]

With best wishes,
Jon Baines

 

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with. Some words may have been removed under data protection law.

3 Comments

Filed under Data Protection, Europe

Shameless

Only very recently I wrote about how the Liberal Democrats had been found by the Information Commissioner’s Officer (ICO) to have been in breach of their obligations under anti-spam laws (or, correctly, the ICO had determined it was “unlikely” the Lib Dems had complied with the law). This was because they had sent me unsolicited emails promoting their party without my consent, in contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The ICO told me that “we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals”.

Well, the reminder hasn’t worked: today I went on the Lib Dem site and noticed the invitation to agree that “The NHS needs an extra £8bn”. Who could disagree? There was a box to enter my email address and “back our campaign”. Which campaign did they mean? Who knows? I assumed the campaign to promote NHS funding, but there was no privacy notice at all (at least on the mobile site). I entered an email address, because I certainly agree with a campaign that the NHS needs an extra £8bn pounds, but what I certainly didn’t do was consent to receive email marketing.

Untitled

But of course I did…within eight hours I received an email from someone called Olly Grender asking me to donate to the Lib Dems. Why on earth would I want to do that? And a few hours later I got an email from Nick Clegg himself, reiterating Olly’s message. Both emails were manifestly, shamelessly, sent in contravention of PECR, only a couple of weeks after the ICO assured me they were going to “remind” the Lib Dems of the law.

Surely the lesson is the same one the cynics have told us over the years – don’t believe what politicians tell you.

And of course, only this week there was a further example, with the notorious Telegraph “business leaders” letter. The open letter published by the paper, purporting to come from 5000 small business owners, had in fact been written by Conservative Campaign Headquarters, and signatories  were merely people who had filled in a form on the Conservative party website agreeing to sign the letter but who were informed in a privacy notice that “We will not share your details with anyone outside the Conservative Party”. But share they did, and so it was that multiple duplicate signatories, and signatories who were by no means small business owners, found their way into the public domain. Whether any of them will complain to the ICO will probably determine the extent to which this might have been a contravention, not of PECR (this wasn’t unsolicited marketing), but of the Data Protection Act 1998, and the Conservatives’ obligation to process personal data fairly and lawfully. But whatever the outcome, it’s another example of the abuse of web forms, and the harvesting of email addresses, for the promotion of party political aims.

I will be referring the Lib Dems matter back to the ICO, and inviting them again (they declined last time) to take enforcement action for repeat and apparently deliberate, or reckless, contraventions of their legal obligations under PECR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, privacy notice, spam

Internal review request of case IRQ 0576154

Thanks for your reply. However, I would like to request an internal review of case IRQ0576154.

Specifically, I would like you to review the decision not to release the executive summary of your audit of Talk Talk’s compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

I can understand and accept the application, in your initial response, of s31(1)(g) of the Freedom of Information Act 2000 (FOIA) in regard to most of the held (and withheld) information you have identified, but you say the disclosing the executive summary itself would or would be likely to prejudice the relevant exercise of your functions, and that the public interest favours the maintaining of the exemption. But neither in your consideration of the application of the exemption nor in your consideration of the public interest have you taken into account the fact that the executive summaries of your audits are prepared on the presumption that they will be published. As your document “Communicating Audits” says:

The ICO will expect to publish the Executive Summary on our website and will encourage the data controller to allow us to do so

And certainly in the case of some PECR audits you do (last year you published the summaries of audits into EE and Telefonica UK).

I appreciate that the document goes on to say that a data controller (and by inference a person, for PECR purposes) can “prevent” publication, but surely allowing, or purporting to allow, a person to prevent publication (without any other reason) is an impermissible restraint on your public law discretion to disclose information.

Furthermore, I would submit that you have failed to take into account, both when considering whether the exemption was engaged and when considering the public interest, the fact that publishing (or disclosing) the executive summary allows consumers to make a more informed choice about which telecoms provider to choose to do business with. If some providers’ PECR compliance is better, or worse, than others, then consumers have an interest in knowing this.

For these reasons I hope you can reconsider your decision and disclose the executive summary at least.

Best wishes,

Jon Baines

2 Comments

Filed under Uncategorized

ICO: Samaritans Radar failed to comply with Data Protection Act

I’ve written so much previously on this blog about Samaritans Radar, the misguided Twitter app launched last year by Samaritans, that I’d thought I wouldn’t have to do so again. However, this is just a brief update on the outcome of the investigation by the Information Commissioner’s Office (ICO) into whether Samaritans were obliged to comply with data protection law when running the app, and, if so, the extent to which they did comply.

To recap, the app monitored the timelines of those the user followed on Twitter, and, if certain trigger words or phrases were tweeted, would send an email alert to the user. This was intended to be a “safety net” so that potential suicidal cries for help were not missed. But what was missed by Samaritans was the fact the those whose tweets were being monitored in this way would have no knowledge of it, and that this could lead to a feeling of uncertainty and unease in some of the very target groups they sought to protect. People with mental health issues raised concerns that the app could actually drive people off Twitter, where there were helpful and supportive networks of users, often tweeting the phrases and words the app was designed to pick up.

Furthermore, questions were raised, by me and many others, about the legality of the app under data protection law. So I made a request to the ICO under the Freedom of Information Act for

any information – such as an assessment of legality, correspondence etc. – which you hold about the “Samaritans Radar” app which Samaritans recently launched, then withdrew in light of serious legal and ethical concerns being raised

After an initial refusal because their investigation was ongoing, the ICO have now disclosed a considerable amount of information. Within it, however, is the substantive assessment I sought, in the form of a letter from the Group Manager for Government and Society to Samaritans. I think it is important to post it in full, and I do so below. I don’t have much to add, other than it vindicates the legal position put forward at the time by me and others (notably Susan Hall and Tim Turner).

19 December 2014

Samaritans Radar app

Many thanks for coming to our office and explaining the background to the development of the Radar application and describing how it worked.  We have now had an opportunity to consider the points made at the  meeting, as well as study the information provided in earlier  teleconferences and on the Samaritans’ website. I am writing to let you know our conclusions on how the Data Protection Act applies to the Radar  application.

We recognise that the Radar app was developed with the best of intentions and was withdrawn shortly after its launch but, as you know, during its operation we received a number of queries and concerns about the application. We have been asked for our vtew on whether personal data was processed in compliance with data protection prlnciples and whether the Samaritans are data controllers. You continue to believe that you are not data controllers or that personal data has been processed so I am writing to explain detail our conclusions on these points.

Personal data

Personal data is data that relates to an identifiable living individual. It is  our well-established position that data which identifies an individual, even without a name associated with it, may be personal data where it is processed to learn or record something about that individual, or where the processing of that information has an impact upon that individual. According to the information you have provided, the Radar app was a web-based application that used a specially designed algorithm that searched for specific keywords within the Twitter feeds of subscribers to the Radar app. When words indicating distress were detected within a Tweet, an email alert was automatically sent from the Samaritans to the subscriber saying Radar had detected someone they followed who may be going through a tough time and provided a link to that individual’s Tweet. The email asked the subscriber whether they were worried about the Tweet and if yes, they were re-directed to the Samaritans’ website for guidance on the best way of providing support to a follower who may be distressed. According to your FAQs, you also stored Twitter User IDs, Twitter User friends’ IDs, all tagged Tweets including the raw data associated with it and a count of flags against an individual Twitter user’s friends’ ID. These unique identifiers are personal data, in that they can easily be linked back to identifiable individuals.

Based on our understanding of how the application worked, we have reached the conclusion that the Radar service did involve processing of personal data. It used an algorithm to search for words that triggered an automated decision about an individual, at which point it sent an email alert to a Radar subscriber. It singled out an individual’s data with the purpose of differentiating them and treating them differently. In addition, you also stored information about all the Tweets that were tagged.

Data controller

We are aware of your view that you “are neither the data controller nor data processor of the information passing through the app”.

The concept of a data controller is defined in section 1 of the Data Protection 1998 (the DPA) as

“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”

We have concluded that the Radar service has involved processing of personal data. We understand that you used the agency [redacted] to develop and host the application. We are not fully aware of the role of [redacted] but given your central role in setting up and promoting the Radar application, we consider that the Samaritans have determined the manner and purpose of the processing of this personal data and as such you are data controllers. If you wish to be reminded of the approach we take in this area you may find it helpful to consult our guidance on data controllers and data processors. Here’s the link: https://ico.org.uk/media/about-the-ico/documents/1042555/data-controllers-and-data-processors-dp-guidance.pdf

Sensitive personal data

We also discussed whether you had processed sensitive personal data. You explained that the charity did deal with people seeking help for many different reasons and the service was not aimed at people with possible mental health issues. However the mission of the Samaritans is to alleviate emotional distress and reduce the incidence of suicide feelings and suicidal behaviours. In addition, the stated aims of the Radar project, the research behind it and the information provided in the FAQs all emphasise the aim of helping vulnerable peopie online and using the app to detect someone who is suicidal. For example, you say “research has shown there is a strong correlation between “suicidal tweets” and actual suicides and with Samaritans Radar we can turn a social net into a safety net”. Given the aims of the project, it is highly likely that some of the tweets identified to subscribers included information about an
individual’s mental health or other medical information and therefore would have been sensitive personal data.

At our meetings you said that even if you were processing sensitive personal data then Schedule 3 condiüon 5 (“The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject”) was sufficient to legitimise this processing. Our guidance in our Personal Information Online Code of Practice makes it clear that although people post personal information in a way that becomes publicly visible, organisations still have an overarching duty to handle it fairly and to comply with the rules of data protection. The Samaritans are well respected in this field and receiving an email from your organisation carries a lot of weight. Linking an individual’s tweet to an email alert from the Samaritans is unlikely to be perceived in the same light as the information received in the original Tweet — not least because of the risk that people’s tweets were flagged when they were not in any distress at all.

Fair processing

Any processing of personal data must be fair and organisations must consider the effect of the processing on the individuals concerned and whether the processing would be within their reasonable expectations. You indicated that although you had undertaken some elements of an impact assessment, you had not carried out a full privacy impact assessment. You appear to have reached the conclusion that since the Tweets were publicly visible, you did not need to fully consider the privacy risks. For example, on your website you say that “all the data is public, so user privacy is not an issue. Samaritans Radar analyses the Tweets of people you follow, which are public Tweets. It does not look at private Tweets.”

It is our view that if organisations collect information from the internet and use it in a way that’s unfair, they could still breach the data protection principles even though the information was obtained from a publicly available source. It is particularly important that organisations should consider the data protection implications if they are planning to use analytics to make automated decisions that could have a direct effect on individuals. Under section 12 Of the Data Protection Act, individuals have certain rights to prevent decisions being taken about them that are solely based on automated processing of their personal data. The quality of the data being used as a basis for these decisions may also be an issue.

We note that the application was a year in development and that you used leading academics in linguistics to develop your word search algorithm. You also tested the application on a large number of people, although, as we discussed, most if not of these were connected to the project in some way and many were enthusiastic to see the project succeed. As our recent paper on Big Data explains, it is not so much a question of whether the data accurately records what someone says but rather to what extent that information provides a reliable basis for drawing conclusions. Commentators expressed concern at the apparent high level of false positives involving the Radar App (figures in the media suggest only 4% of email alerts were genuine). This raises questions about whether a System operating with such a low success rate could represent fair processing and indicates that many Tweets were being flagged up unnecessarily.

Since you did not consider yourselves to be data controllers, you have not sought the consent of, or provided fair processing notices to, the individuals whose Tweets you flagged to subscribers. It seems unlikely that it would be within people’s reasonable expectations that certain words and phrases from their Tweets would trigger an automatic email alert from the Samaritans saying Radar had detected someone who may be going throuqh a tough time. Our Personal Information Online Code of Practice says it is good practice to only use publicly available information in a way that is unlikely to cause embarrassment, distress or anxiety to the individual concerned. Organisations should only use their information in a way they are likely to expect and to be comfortable with. Our advice is that if in doubt about this, and you are unable to ask permission, you should not collect their information in the first place.

Conclusion

Based on our observations above, we have reached the conclusion that the Radar application did risk causing distress to individuals and was unlikely to be compliant with the Data Protection Act.

We acknowledge that the Samaritans did take responsibility for dealing with the many concerns raised about the application very quickly. The application was suspended on 7 November and we welcomed [redacted] assurances on 14 November that not only was the application suspended but it would not be coming back in anything like its previous form. We also understand that there have been no complaints that indicate that anyone had suffered damage and distress in the very short period the application was in operation.

We do not want to discourage innovation but it is important that organisations should consider privacy throughout the development and implementation of new projects. Failing to do so risks undermining people’s trust in an organisation. We strongly recommend that if you are considering further projects involving the use of online information and technologies you should carry out and publish a privacy impact assessment. This will help you to build trust and engage with the wider public. Guidance on this can be found in our PIA Code of Practice. We also recommend that you look at our paper on Big Data and Data Protection and our Personal Information Online Code of Practice. Building trust and adopting an ethical approach to such projects can also help to ensure you handle people’s information in a fair and transparent way. We would be very happy to advise the Samaritans on data protection compliance in relation any future projects.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

10 Comments

Filed under Data Protection, Information Commissioner, social media

ICO finds Lib Dems in breach of ePrivacy law

A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement 

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 Comments

Filed under consent, enforcement, Information Commissioner, marketing, PECR, spam, Uncategorized