Category Archives: consent

Data protection nonsense on gov.uk

It feels like a while since I randomly picked on some wild online disinformation about data protection, but when you get an itch, you gotta scratch, and this page of government guidance for businesses – “Get your business ready to employ staff: step by step” – specifically on “Personal data an employer can keep about an employee” certainly got me itching. It starts off sensibly enough by saying that

Employers must keep their employees’ personal data safe, secure and up to date.

This is true (Article 5(1)(f) and part of 5(1)(c) UK GDPR). And the page goes on to list some information can be “kept” (for which I charitably read “processed”) without employees’ permission, such as: name, address, date of birth, sex, education and qualifications, work experience, National Insurance number, tax code, emergency contact details, employment history with the organisation, employment terms and conditions, any accidents connected with work, any training taken, any disciplinary action. All pretty inoffensive, although I’m not sure what it’s trying to achieve. But then…oh my. Then, it says

Employers need their employees’ permission to keep certain types of ’sensitive’ data

We could stop there really, and snigger cruelly, Consent (aka “permission”) as a condition for processing personal data is complicated and quite frankly to be avoided if possible. It comes laden with quite strict requirements. The Information Commissioner puts it quite well

Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair…employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given

And let’s consider the categories of personal data the government page thinks employers should get “permission” to “keep”: race and ethnicity, religion, political membership or opinions, trade union membership, genetics [sic], biometrics, , health and medical conditions, sexual history or orientation.

But how quickly would an employer’s wheels grind to a halt if it couldn’t process personal data on an employee’s health “without her permission”? It would be unable to refer her to occupational health if she didn’t “permit” it. It would be unable to keep a record of her sickness absence if she withdrew her consent (consent should be as easy to withdraw as it is to give (see Article 7(3)). During the COVID pandemic, it would have been unable to keep a record of whether she had tested positive or not, if she said she didn’t want a record kept.

It’s nonsense, of course. There’s a whole range of gateways, plus a whole Schedule of the Data Protection Act 2018), which provide conditions for processing special categories of data without having to get someone’s consent. They include pressing social imperatives, like compliance with public health law, and promotion of equality of treatment and safeguarding of children or other vulnerable people. The conditions don’t apply across the board, but the point is that employees’ permission – their consent – is rarely, if ever, required when there is another compelling reason for processing their data.

I don’t really understand what need, what gap, the government page is trying to fill, but the guidance is pretty calamitous. And it is only likely to lead to confusion for business owners and employers, and runs the risk of pitting themselves against each other – with disputes arising – amidst the confusion.

BAH!

Now, that felt better. Like I say, sometimes it’s good to scratch that itch.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, Data Protection Act 2018, Let's Blame Data Protection, UK GDPR

Data reform – hot news or hot air?

I’ve written a piece for the Mishcon de Reya website on the some of the key proposals (for our client-base) in today’s data protection reform announcement.

Data protection law reform – major changes, but the (mishcon.com)

Leave a comment

Filed under adequacy, consent, cookies, Data Protection, Data Protection Act 2018, DPO, GDPR, Information Commissioner, international transfers, nuisance calls, PECR, UK GDPR

COVID booster messages and the law

GET BOOSTED NOW Every adult needs a COVID-19 booster vaccine to protect against Omicron. Get your COVID-19 vaccine or booster. See NHS website for details

On Boxing Day, this wording appears to have been sent as an SMS in effect to every mobile telephone number in the UK. The relevant government web page explains that the message is part of the national “Get Boosted Now” campaign to protect against the Omicron variant of COVID-19. The web page also thanks the Mobile Network Operators for “their assistance in helping deliver the vitally important Get Boosted Now message”.

It is inevitable that questions may get raised raised about the legality of the SMSs under data protection law. What is important to note is that, although – to the extent that the sending involved the processing of personal data – the GDPR may apply (or, rather, the UK GDPR) the relevant law is actually the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Under the doctrine of lex specialis where two laws govern the same situation, the more specific rules will prevail over more general rules. Put another way, if the more specific PECR can justify the sending of the SMSs, then the sending will also be justified under the more general provisions of UK GDPR.

Regulation 16A of PECR (inserted by a 2015 amendment), provides that where a “relevant communications provider” (in this case a Mobile Network Operator) is notified by a government minister (or certain other persons, such as chief constables) that an “emergency” has occurred, is occurring or is about to occur, and that it is expedient to use an emergency alert service, then the usual restrictions on the processing of traffic and location data can be disregarded. In this instance, given the wording on the government website, one assumes that such a notification was indeed made by a government minister under regulation 16A. (These are different emergency alerts to those proposed to be able to be sent under the National Emergency Alert system from 2022 which will not directly involve the mobile network operators.)

“Emergency” is not defined in PECR, so presumably will take its definition here from section 1(1)(a) of the Civil Contingencies Act 2004 – “an event or situation which threatens serious damage to human welfare in a place in the United Kingdom”.

The effect of this is that, if the SMSs are legal under PECR, they will also be legal under Article 6(1)(c) and 6(1)(e) of the UK GDPR (on the grounds that processing is necessary for compliance with a legal obligation to which the controller is subject, and/or necessary for the performance of a task carried out in the public interest).

There is an interesting side note as to whether, even though the SMSs count as emergency alerts, they might also be seen as direct marketing messages under regulations 22 and 23 of PECR, thus requiring the content of the recipient before they could be sent. Under the current guidance from the Information Commissioner (ICO), one might argue that they would be. “Direct marketing” is defined in the Data Protection Act 2018 as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals” and the ICO defines it further by saying that this “covers any advertising or marketing material, not just commercial marketing. All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations”. Following that line of thought, it is possible that the Omicron SMSs were both emergency alerts and direct marketing messages. This would be an odd state of affairs (and one doubts very much that a judge – or the ICO, if challenged on this – would actually agree with its own guidance and say that these SMSs were indeed direct marketing messages). The ICO is in the process of updating its direct marketing guidance, and might be well advised to consider the issue of emergency alerts (which aren’t covered in the current consultation document).

[Edited to add: I don’t think what I say above necessarily covers all the legal issues, and no doubt there are aspects of this that could have been done better, but I doubt very much there is any substantive legal challenge which can be made.]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under communications data, consent, Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, PECR, UK GDPR

ICO – HMRC must delete 5 million voice records

I have a piece on the Mishcon de Reya website, on news that the ICO has required HMRC to delete 5 million unlawfully gathered Voice ID records.

Leave a comment

Filed under consent, Data Protection, HMRC, Information Commissioner

Prospective customers and PECR

Who is a “prospective customer”, and can businesses rely on the PECR soft opt-in to send such persons unsolicited direct electronic marketing?

The law says – in terms – that one cannot send unsolicited direct marketing by electronic means (for instance by email) to an email address belonging to an “individual subscriber” (in broad terms, this will be a person’s home, or private, email address) unless the recipient has consented to receive it, or if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service to that recipient, the marketing is in respect of the sender’s similar products and services only and the recipient was given the option to opt out of such marketing at the time their details were collected, and in any subsequent communication. This is what regulation 22 of the Privacy and Electronic Communications (EC Directive) 2003 (PECR) says, and has done for fifteen years (the General Data Protection Regulation (GDPR) has slightly altered what is meant by consent, but, other than that, is largely irrelevant here).

For the purposes of this blog post I want to focus on the following words in italics:

…if the sender has obtained the contact details of the recipient in the course of the sale or negotiations for the sale of a product or service…

This clearly means that direct electronic marketing can be sent, in appropriate circumstances, to someone who is not yet, and indeed might not ever become, an actual retail customer of the sender.

In light of this, I’m surprised to note the following words in the Information Commissioner’s Office’s guidance on PECR

The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts

It seems to me that “prospective customers” is capable of a range of meanings. On one hand, a prospective customer might be (as the ICO goes on to mention as an example) someone from a bought-in contact list, and with whom the sender who proposes to send electronic marketing has no relationship whatsoever. But, on the other hand, someone who enters into “negotiations for the sale of a product or service” is surely also a “prospective customer”?

I can’t see the ICO’s guidance here as anything but confusing and potentially misleading.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under consent, Information Commissioner, PECR

GDPR doesn’t always mean “opt in”

TL;DR – the law says that when you’re buying something from them companies only have to offer you an opt out from marketing. GDPR hasn’t changed this.

I see a lot of criticism of companies on social media by people who accuse the former of not complying with the General Data Protection Regulation (GDPR). Here’s an example:

But the criticism is generally misguided. GDPR does not itself deal directly with direct marketing (other than to provide for an unqualified right to opt out of it (at Article 21(3)) and a statement in one of the recitals to the effect that the processing of personal data for the purposes of direct marketing may be regarded as carried out for a legitimate interest).

The operative law in the UK regarding electronic direct marketing is, and remains, The Privacy and Electronic Communications (EC Directive) Regulations 2003 (which implement a 2002 European Directive).

These provide that one cannot send direct marketing to an individual subscriber* by unsolicited “electronic mail” (which these days largely boils down to email and SMS) unless the recipient has consented or unless the sender

has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient…the direct marketing is in respect of that person’s similar products and services only…and the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In plain language, this means that when you buy, or enter into negotiations to buy, a product or service from someone, the seller only has to offer an “opt out” option for subsequent electronic marketing. Nothing in GDPR changes this.

*”individual subscriber” means the person who is a party to a contract with a provider of public electronic communications services for the supply of such services- in effect, this is likely to be someone using their personal email address, and not a work one).

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under consent, Data Protection, GDPR, marketing, PECR

The “GDPR consent” email I’d like to receive

“Dear Jon

You know us. We’re that firm you placed an order with a few months ago. You may remember that at the time we took your order we explained we were going to send occasional marketing emails to you about similar products and services, but you could opt out then, and at any subsequent point.

We know that since 2003 (with the Privacy and Electronic Communications Regulations) (PECR) it’s been unlawful to send unsolicited marketing emails except in circumstances like those above.

We’re contacting you now because we’ve noticed a lot of competitors (and other firms) who are either utterly confused or utterly misrepresenting a new law (separate to PECR) called the General Data Protection Regulation (GDPR). They’re claiming it means they have to contact you to reconfirm your consent to receive marketing emails.

GDPR actually says nothing of the sort. It does explain what “consent” means in data protection terms in a slightly more strict way, but for companies like us, who’ve respected our customers and prospective customers all along, it makes no difference.

In fact, the emails you’re getting from those companies, asking you to “reconsent”, are probably actually direct marketing emails themselves. And if the companies don’t already have your consent to send them they may well be breaking the law in sending them. If you think we’re exaggerating, look at the fine the Information Commissioner’s Office (ICO) levied on Honda last year.

In fact, you’d do well to look at the ICO’s website – it’s got some good stuff on this, both for customers like you, and for companies who are confused by this.

It all really boils down to treating customers well, and not assuming you can send direct electronic marketing without actually looking at what the law says.

So yes, this is a marketing email, and yes, it is lawful, and yes, it is more than a little pompous.”

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

12 Comments

Filed under consent, GDPR, Information Commissioner, marketing, PECR, spam

Rennard, the facts

Has the former LibDem Campaigns guru been engaging in unsolicited electronic marketing?

If I want to market my product or service to you as an individual, the general rule is that I cannot do so by email unless I have your prior consent informing me that you wish to receive it. This applies to me (if, say, I’m promoting this blog by email), it applies to any business, it applies to political parties, and it also applies to Baron Rennard of Wavertree, when he is promoting his new memoirs. However, a recent media story about the Lord Rennard’s promotional activities suggests he may not be aware of his legal obligations here, and for someone who has held senior roles within the Liberal Democrats, someone renowned as a “formidable and widely respected practitioner of political campaigning”, this is rather concerning.

The law (regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended)) outlaws the sending of unsolicited email marketing to individuals, unless the recipient has previously consented to receive the marketing (the exception to the general rule is that email marketing can be sent if the sender has obtained the recipient’s email address “in the course of the sale or negotiations for the sale of a product or service to that recipient” and if it is explained to the recipient that they can opt out – this is often known as the “soft opt-in“).

Lord Rennard is reported as saying

I have emailed people from my address book, or using publicly available email addresses, about the publication of a volume of memoirs

But just because one already holds someone’s email address, or just because an email address is in the public domain, this does not justify or permit the sending of unsolicited marketing. The European Directive which the PEC Regulations implement makes clear that people have a right to respect for their correspondence within the context of electronic communications, and that this right is a part of the fundamental rights to respect for protection of personal data, and respect for a private and family life. It may be a lot to expect the average person sending an email promoting a book to know this, but when the sender is someone whose reputation is in part based on his skills as a political campaigner, we should surely expect better (I say “in part” because, of course, the Lord Rennard is known for other things as well).

At a time when the use of digital data for political campaigning purposes is under intense scrutiny, it will be interesting to see what the Information Commissioner (who is said to be investigating Rennard’s marketing exercise) says. It might not seem the most serious of issues, but it encapsulates a lot.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Information Commissioner, marketing, PECR

Serious DCMS error about consent and data protection 

I blogged on Monday about the government Statement of Intent regarding the forthcoming Data Protection Bill. What I missed at the time was an accompanying release on the Department for Digital, Culture,  Media and Sport (DCMS) website.  Having now seen it, I realise why so many media outlets have been making a profoundly misleading statement about consent under the new data protection law: they have lifted it directly from DCMS. The statement is

The Data Protection Bill will require ‘explicit’ consent to be necessary for processing sensitive personal data

It should only take a second to realise how wrong this is: sensitive personal data will include information about, among other things, health, and criminal convictions. Is the government proposing, say, that, before passing on information about a critically injured patient to an A&E department, a paramedic will have to get the unconscious patient’s explicit consent? Is it proposing that before passing on information about a convicted sex offender to a local authority social care department the Disclosure and Barring Service will have to get the offender’s explicit consent? 

Of course not – it’s absolute nonsense to think so, and the parliamentary drafters of the forthcoming Bill would not dream of writing the law in such a way, not least because it would contravene our obligations under the General Data Protection Regulation (GDPR) around which much of the Bill will be based. GDPR effectively mirrors the existing European Data Protection Directive (given effect in our existing Data Protection Act 1998). Under these laws, there are multiple circumstances under which personal data, and higher-category sensitive personal data can be processed. Consent is one of those. But there are, in Article 9(2) of GDPR, nine other conditions which permit the processing of special category data (the GDPR term used to replicate what is called “sensitive personal data” under existing domestic data protection law), and GDPR affords member states the power to legislate for further conditions.

What the DCMS release should say is that when consent is legitimately relied upon to process sensitive personal data the consent must be explicit. I know that sentence has got more words on it than the DCMS original, but that’s because sometimes a statement needs more words in order to be correct, and make sense, rather than mislead on a very important point regarding people’s fundamental rights.

I tweeted Matt Hancock, the minister, about the error, but with no answer as yet. I’ve also invited DCMS to correct it. The horse has already bolted though, as a Google news search for the offending phrase will show. The Information Commissioner’s Office has begun a series of pieces addressing GDPR myths, and I hope this is one they’ll talk about, but DCMS themselves should still issue a corrective, and soon.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, DCMS, GDPR, Information Commissioner, Uncategorized

Public houses, private comms

Wetherspoons delete their entire customer email database. Deliberately.

In a very interesting development, the pub chain JD Wetherspoon have announced that they are ceasing sending monthly newsletters by email, and are deleting their database of customer email addresses.

Although the only initial evidence of this was the screenshot of the email communication (above), the company have confirmed to me on their Twitter account that the email is genuine.

Wetherspoons say the reason for the deletion is that they feel that email marketing of this kind is “too intrusive”, and that, instead of communicating marketing by email, they will “continue to release news stories on [their] website” and customers will be able to keep up to date by following them on Facebook and Twitter.

This is interesting for a couple of reasons. Firstly, companies such as Flybe and Honda have recently discovered that an email marketing database can be a liability if it is not clear whether the customers in question have consented to receive marketing emails (which is a requirement under the Privacy and Electronic Communications ((EC Directive) Regulations 2003 (PECR)). In March Flybe received a monetary penalty of £70,000 from the Information Commissioner’s Office (ICO) after sending more than 3.3 million emails with the title ‘Are your details correct?’ to people who had previously told them they didn’t want to receive marketing emails. These, said the ICO, were themselves marketing emails, and the sending of them was a serious contravention of PECR. Honda, less egregiously, sent 289,790 emails when they did not know whether or not the recipients had consented to receive marketing emails. This also, said ICO, was unlawful marketing, as the burden of proof was on Honda to show that they had recipients’ consent to send the emails, and they could not. The result was a £13,000 monetary penalty.

There is no reason to think Wetherspoons were concerned about the data quality (in terms of whether people had consented to marketing) of their own email marketing database, but it is clear from the Flybe and Honda cases that a bloated database with email details of people who have not consented to marketing (or where it is unclear whether they have) is potentially a liability under PECR (and related data protection law). It is a liability both because any marketing emails sent are likely to be unlawful (and potentially attract a monetary penalty) but also because, if it cannot be used for marketing, what purpose does it serve? If none, then it constitutes a huge amount of personal data, held for no ostensible purpose, which would be in contravention of the fifth principle in schedule 1 to the Data Protection Act 1998.

For this reason, I can understand why some companies might take a commercial and risk-based decision not to retain email databases – if something brings no value, and significant risk, then why keep it?

But there is another reason Wetherspoons’ rationale is interesting: they are clearly aiming now to use social media channels to market their products. Normally, one thinks of advertising on social media as not aimed at or delivered to individuals, but as technology has advanced, so has the ability for social media marketing to become increasingly targeted. In May this year it was announced that the ICO were undertaking “a wide assessment of the data-protection risks arising from the use of data analytics”. This was on the back of reports that adverts on Facebook were being targeted by political groups towards people on the basis of data scraped from Facebook and other social media. Although we don’t know what the outcome of this investigation by the ICO will be (and I understand some of the allegations are strongly denied by entities alleged to be involved) what it does show is that stopping your e-marketing on one channel won’t necessarily stop you having privacy and data protection challenges on another.

And that’s before we even get on to the small fact that European ePrivacy law is in the process of being rewritten. Watch that space.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, marketing, monetary penalty notice, PECR, social media, spam