Mind my data

"Nuts!" to Squirrelsave online back up.

I finally found a UK data controller that offers an encrypted online personal back up service only to discover that it wasn't worth the bother.

I already back-up my important files to a portable encrypted hard drive on a regular basis and to complement this process of back-up, I've been looking for an encrypted online back up service too! There are lots to choose from but they're nearly all operated by non-UK data controllers. What concerns me about using a non-UK based data controller though, is not the level of security used for the back-ups, or the fact that I'm paying an overseas company, or indeed the level of trust; it's whether or not this overseas data controller is going to bombard me with direct marketing.

Signing-up with non-UK data controllers is something that I tend to avoid whenever possible. I much prefer to sign-up with a UK data controller because they need to obtain my consent before sending me electronic marketing and because I can opt-out of all direct marketing under section 11 of the DPA. This includes electronic marketing, marketing by post, and even some online marketing. Indeed, if you don't like marketing then whenever possible, you should endeavour to buy your products or services from a UK data controller and opt-out under section 11 as soon as possible.

AVG is one of the non-UK data controllers that springs to mind. I pay for their Internet Security software yet they still make advertising pop-ups appear on my screen from time to time telling me that my computer is running slow and that I need to buy some other software. If AVG were a UK data controller I'd opt-out under section 11 and I'd expect them to stop targeting me with adverts. As it is, I'm going to switch to Kaspersky in September and give them a try.

Anyway, so I was looking for a UK data controller that offered an online encrypted back-up service and I eventually signed-up with Squirrelsave. However, because they didn't have a privacy policy on the Squirrelsave website, I submitted the following polite enquiry:

Please will you clarify who the data controller is? Also, if the data controller is Memset, then I’m concerned that you’re treating all your customers as a business. You need to obtain an informed indication of consent prior to targeting individuals with electronic marketing. I didn't see any consent statements on the Squirrelsave registration form so it’s not clear to me how you’re obtaining consent. Yet in the Memset privacy policy it states that you will use my information to target me with direct marketing and to sell to third party companies.

I received the following response from Squirrelsave:

Our privacy policy is the same as Memset's (the company which operates and owns SquirrelSave):

https://www.memset.com/about-us/privacy-policy/

If you disagree with it, I suggest cancelling your account straight away. The above link also includes a contact section should you have any further inquiries regarding our privacy policy.

Nice customer service!

I replied...

Cancel it then! It's interesting to note that you would rather I cancel my account than ensure that you're processing personal data in accordance with the rights of your data subjects. Can I quote you for an article on my data protection website?

Squirrelsave responded as follows:

Dave, where did I ever say we didn't care?

What I was trying to say (perhaps rather badly - this isn't really a support request and I'm technical rather than policy setter - if you have concerns, the best place to address this would be complaints@memset.com) is that if you do not agree with our policies, then the way forward would be to terminate the account as soon as possible. 

Okay, so what are they saying... that they're not interested in addressing the concerns of their customers/data subjects?

To be fair, if I were questioning their terms and conditions then I could understand them saying that I should cancel my account if I'm not happy with the service that they offer. But this isn't about their service or their terms and conditions; it's about their legal obligation to process MY personal data in accordance with MY rights as THEIR data subject. They MUST be fully compliant with the DPA so telling me that I should cancel my account in response to a data protection enquiry doesn't make sense at all to me - unless they couldn't care less about my rights as their data subject. What they should be doing is thanking me for bringing this to their attention and assuring me that they will review the situation and seek advice from the ICO.

At the end of the day, it wasn't clear to me that Memset is the data controller for Squirrelsave. On the Squirrelsave website it states that Squirrelsave is hosted by Memset - it does not state that Memset is the data controller... or if it does then it's not obvious to me. Fair enough, there's a link to Memset's privacy policy but again, there's no reference to Squirrelsave in the Memset privacy policy. So how am I supposed to know who the data controller is - I sign-up to Squirrelsave not Memset?

I wasn't trying to be awkward; I'd spent some time reviewing the market, I'd ruled out Mozy because they weren't UK-based, and I was keen to use the Squirrelsave service.

He went on to say:

We have very strict internal policies with regards to how we use customer data (and we're ISO audited to ensure that data remains secure - not quite the same thing as what you've quoted, but we audit *everything* that goes on with our systems, including accessing customer data).

As it is, I have made a change to your account which states that we will NOT contact you regarding any marketing materials (such as newsletters, etc.). Any emails that we may send will inform you of service disruptions, new versions of the email clients, important service changes and so on.

I can still process your cancellation and refund if you'd like, but I will say this with regards to your quote request: if anything you post about our company is incorrect or false, company solicitors will be in touch.

Squirrelsave might have strict internal policies but in my view, at least one of those policies is likely to be flawed. This is their policy of targeting non-commercial customers with electronic marketing by default; without giving them a choice:

We may e-mail you from time to time regarding the services you have purchased or for marketing / promotional purposes.

They also seem to opt individuals (non-commercial) in to third party marketing by default:

We will give you the chance to refuse any marketing email from us or from another trader in the future.

However, if Squirrelsave or Memset wish to target an individual with electronic marketing, then the Commissioner is of the view that they need to obtain that individual's consent beforehand; and for that consent to be valid, the individual must be given a choice not to give their consent. This is outlined at section 53 of the Commissioner's direct marketing guidance, which states:

for consent to be valid, it must be freely given – the individual must have a genuine choice over whether or not to consent to marketing. Organisations should not coerce or unduly incentivise people to consent, or penalise anyone who refuses. Consent cannot be a condition of subscribing to a service or completing a transaction. What this means is that you cannot obtain consent by burying a consent statement in your privacy policy or terms and conditions.

It appears that Squirrelsave/Memset are obtaining consent as a condition of subscribing to their service.

Although not statutorily mandated, the Commissioner's published guidance tells us how he expects data controllers to process personal information. Bearing in mind that failure to comply with the PECR is also likely to be a failure to comply with the DPA (because it will likely prejudice the rights, freedoms and legitimate interests of the data subject), data controllers should act accordingly to avoid unwarranted and thus unfair data processing.

I responded as follows:

Let's get the facts right... I submitted my e-mail to sales@ not to support. I suspect you chose to reply because you wanted to make it absolutely clear to me that I MUST accept your data processing - regardless, if I want to do business with you. If you're now claiming that it wasn't your job to answer sales enquiries then why did you answer it?

Squirrelsave concluded as follows:

I generally tend to deal with most enquiries (sales and support for the most part) and everything comes into a single queue and I tend to deal with things as quickly as possible - I apologise for not noticing the initial email address your query came into.  We'll be improving the process soon enough.

Yeah, right - let's hope so!

This happened in autumn 2013 and I signed-up with MozyHome shortly after and surprisingly, I've had no problems whatsoever with marketing. I would definitely recommend MozyHome. The thing is, I'm not really that surprised. I've noticed a number of UK data controllers recently - like Mozy, taking a far more robust position on direct marketing. I'm wondering whether they've realised that unwanted direct marketing is a major issue with UK data subjects so they've opted to comply fully with UK data protection laws and regulations as far as direct marketing is concerned. If so, then it appears to be working because Squirrelsave's loss is Mozy's gain. It's ironic that overseas companies seem to be expanding their customer base into the UK by respecting UK law/regulations on direct marketing yet many, many UK companies that have an obligation to comply fully with the DPA/PECR don't seem to care.

Just to clarify then, if Squirrelsave want to target their non-commercial customers with electronic marketing then they have to obtain our consent prior to targeting us with the marketing. And for that consent to be valid the Commissioner is of the opinion that they need to give us a choice not to give consent - again, prior to targeting us with the marketing. Furthermore, if Squirrelsave want to target their non-commercial customers with electronic marketing from third parties then the Commissioner is of the opinion that they should identify those companies or the types of company that will contact us, and obtain our consent prior to targeting us with the marketing.

Finally, as Squirrelsave threatened to sue me, I let them review the article before I published it. They responded as follows:

Thank you for your message. In the intervening time since you last contacted us we have undertaken a review of our direct marketing policy and are in the process of implementing a compliant process on our website.

Further, we have updated our customer contact procedures and questions from customers regarding data protection and other legislative and regulatory matters are now forwarded to the appropriately experienced and empowered team for review and response.

Our apologies for any inconvenience this has caused.

That's good to know. With these changes Squirrelsave would probably still be my second choice if Mozy suddenly decided to start sending me marketing.

If you're not happy receiving direct marketing and the marketing has come from a UK-based data controller then you can opt out under section 11 of the DPA.

How to opt-out under section 11

Added: 24.08.2014