Friday, 15 March 2024

Another day in court (arguing against the ICO)

Going to court is always an interesting and educational experience, and to some extent I quite like it because judges are generally methodical, impartial people who are just trying to come to reasonable conclusions and aren't trying to prove a point.

So, right off the bat, here are some things I learnt this time around:

  • "Do not disturb" mode on my Android phone doesn't appear to stop WhatsApp from going "bong".  I got told off for not turning my phone off because of this one!
  • Make sure you put all of your claims on the original (N1CPC) claim form.  If you neglect any claim, the judge will strike it out from the start.
  • Ensure you include all evidence that might be relevant in the trial bundle.  In the interests of keeping the trial bundle relatively small, I had omitted some of the emails that I thought weren't relevant.  Of course the judge asked me questions about those emails and, although I don't think it affected the outcome, it did make it a bit harder to make my arguments.
  • Although methodical, the judge won't necessarily address your claim in the order that you've presented it in the witness statement.  This means it can be hard to find the appropriate information within the trial bundle (even though it should contain an index page).  I'm not sure if there's really any way to resolve this since you can't predict exactly how the judge is going to approach it, but if you're claiming for several different things, it's probably best to try and separate out each claim in the witness statement and group all of the information relating to that claim together.  I had, instead, done a chronological account so gathering together the info for each specific claim was a bit of a pain.  Maybe it is wise to organise the information both ways, even if it feels like you're repeating yourself?

Anyway, this organisation started spamming me.  Article 14 of the UK GDPR says they should have sent me privacy information (including contact details of their data protection officer) when they acquired my personal data, but they didn't do that.  Here's where I made one of my mistakes - I neglected to mention their breach of Article 14 when I filled in the claim form, and so even though I included this point within my witness statement, the judge said that he couldn't rule on it.  The moral of the story is to list all breaches in the claim form so that you can later rely on them to support your claim.

The spam emails did contain an unsubscribe link (which I didn't click on, because clicking random links in unsolicited emails is a pretty stupid thing to do from a security standpoint), but didn't link to any privacy policy.  Their website also has no privacy policy.

So without a better point of contact, I emailed the "Reply To" address from their spam emails to make a Subject Access Request.  I got no reply, so ended up complaining to the Information Commissioner's Office, who told the Defendant to respond to me within 28 days.  The Defendant ignored the ICO's instructions, so I asked the ICO to reopen the complaint and the ICO instructed them to contact me within 7 days.

What is personal data?

The Defendant ignored the ICO's 7 day deadline, but did eventually send me an email, in which they stated that they had sent me a marketing email, but that my email address was not personal data.

The email address in question did not contain my "real name", but as far as I can see it should still be considered to be personal data, by the UK GDPR's definition.  Article 4(1) says "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."  Sticking the email address in question (surrounded by quotes) into Google gives exactly 1 hit, clearly identifying me by name, so IMHO the email address is personal data.

The problem is that the ICO waded in and reversed their original decision and decided that my email address isn't personal data after all, because the address didn't itself contain any "personal identifiers", and there was no evidence to suggest that the Defendant were themselves holding other information to link the address to me.

This interpretation that "it's only personal data if you're using it as such" seems very problematic to me: data protection legislation requires that organisations protect personal data, in part, to prevent it falling into the wrong hands and being used for nefarious purposes.  If you are able to say "we don't need to prevent it from falling into the wrong hands, because we're not linking it to an individual ourselves", that exposes individuals to great risk since the data controller can't prevent it from being misused once it has been taken by a bad actor.  Furthermore, this interpretation doesn't seem to be supported by the legislation, which says that it's personal data if it can be used "directly or indirectly" to identify an individual - nowhere does it qualify that by saying "if it can be used to directly or indirectly identify an individual using only data held by the data controller".

As you can imagine, the ICO's decisions carry considerable weight, so arguing in court that they are wrong felt tough.  Thankfully, the judge agreed with me that the ICO's interpretation wasn't supported by the legislation, and ruled that my email address is personal data, even though it doesn't contain my name.

Right of access

The Defendant had repeatedly ignored my Subject Access Request, and their justification for this was that the Right of Access by the Data Subject (UK GDPR Article 15) only applied to personal data, and since my email address wasn't personal data, they didn't need to comply.

At this point, I should point out that they could have answered the questions in my Subject Access Request whether or not they were dealing with personal data.  It's just that if you're dealing with personal data you're required to answer them.  Had they responded, they would have saved both of us a lot of bother.  Their refusal to engage with me on this just felt like wrong-headed stubbornness.

Anyway, with the judge's decision that my email address is indeed personal data, their only defence for ignoring my SAR disappeared and the judge agreed with me that they had not fulfilled their obligations.

Unfortunately I still don't have the answers to the questions I raised in my SAR almost 2 years ago, and the judge said that he didn't believe it was in his gift to order the Defendant to provide a full response.  I may send the court's decision to the ICO and ask them to reopen the complaint, but frankly the ICO are so useless I don't expect anything useful to come of that.

PECR

I am a director of a limited company, but also operate a separate unincorporated business as a sole trader.  Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says that you can't send marketing emails to an "individual subscriber".  As I've mentioned previously, the definition of an "individual subscriber" is messy, but for the purposes of this claim, the email address in question is used by me in my capacity as a sole trader, and by sending email to it you are therefore emailing an "individual subscriber".  (Had the Defendant sent spam to an address owned by the limited company, this would probably have been lawful, although they would still have needed to meet their data protection obligations.)

The Defendant made various claims about my email address belonging to my limited company, which is not true - the DNS for the domain is hosted by the limited company, and they are the administrative contact (as they are for most other customers' domains that they host), but they do not own the domain.  In fact, there's no way for the Defendant to know who actually owns the domain since the whois data for that domain is not published.

However, the judge mostly seemed to ignore their arguments and instead questioned whether it was reasonable for the Defendant to have contacted me through that email address if they were doing so in my capacity as director of that limited company.

I treat the limited company and unincorporated business as separate entities, so it has always made sense to me that the unincorporated business's website would only list its email addresses, and the limited company's website would only list email addresses belonging to the limited company.

It doesn't seem to have made any difference to the judge's final decision, but it seems things would have been more straightforward if the unincorporated business's website had specifically said not to use that email address for matters relating to the limited company (and I've now fixed the website to do that).

The ICO had previously ruled that the Defendant had not broken PECR because there was no evidence that they knew that my address belonged to an individual subscriber.  This is a ridiculous position to take, that something you do is only unlawful if you knew it was unlawful.  The Defendant had also argued that there was no way for them to know whether the address belonged to an individual subscriber - they are probably right, but that doesn't mean that you just plough on with a potentially unlawful course of action simply because you don't know whether it's lawful or not.

In any case, the judge again disagreed with the ICO and found in my favour - the Defendant had not complied with PECR, and had sent marketing to an "individual subscriber" without consent, therefore making them liable to pay compensation.

Honey-trap

The Defendant also made various other spurious claims about me, such as accusing me of operating a "honey-trap".  I was questioned about this claim, and to my mind, since I had no previous interactions with the Defendant and did not encourage them into their unlawful course of action, I cannot see how a situation into which the Defendant has entered of their own volition can be described as a "honey-trap".

The Defendant also suggested that if I were genuinely concerned about people misusing my data, I would not release it at all.  My email address was published for legitimate purposes, not to receive unlawful marketing, and it seems to me that saying essentially "you mustn't do anything legitimate if I could use it to break the law" is a pretty bonkers way to think!  I mean, this is surely why we have laws - to ensure that people can go about their lives without being too concerned that people will use things against them.

Quantum

No, not half-dead cats in boxes.  This is how much is due in compensation.

The small claims court is all about recovering losses, not imposing fines or punishment.  This is where things seem to vary significantly, depending on which judge is hearing your claim.  Recital 85 of the UK GDPR cites "loss of control of personal data" as a type of non-material damage, and Article 82 gives individuals the right to claim compensation for non-material damage.  In my experience, some judges say "that sounds like a reasonable figure" when you present a figure for the non-material damage, and others want to have hard evidence showing that you have lost that amount of money.  So, despite the law saying that you can claim for "non-material damage", you might be called upon to provide evidence that you have actually materially lost that amount, which is obviously pretty hard (probably impossible) to do.

In this case, the judge was the latter type, and therefore rejected my figure for damages.  It is possible for the case to be lost on this point - it doesn't matter what laws the Defendant has broken, or how they have behaved, if the judge decides that you're not due any money then you've automatically lost the claim.  Today, although the judge did not support the figure that I had claimed, he did come up with his own figures, so the ruling was in my favour.

Despite being awarded less than I had hoped, the Defendant has to pay both the awarded damages, and court fees which they could have avoided by engaging with me at an earlier stage instead of letting it proceed to a court hearing.

Last thoughts

Although today's proceedings were not a complete success for me, and were somewhat time consuming, I did find it pretty interesting.  I was rather nervous going into it arguing that the ICO was just plain wrong in their interpretations of the legislation, and am reassured that the judge agreed with me.