Unsolicited electronic marketing by default may prove costly for UK companies as the ICO tells Halfords to offer its customers a simple means of refusing the use of their information for electronic marketing purposes when signing up to services. Could claims for compensation by individuals who fall victim to such abuse become the new PPI?
I was in a Halfords store last year and while checking out, I noticed that they offered the option to have an e-Receipt instead of a paper receipt if the order is £10 or over. To obtain an e-Receipt, we have to give Halfords our e-mail address so I suspected that this was just an excuse to target their customers with marketing. However, as I’d already started the check-out process, I didn’t bother to ask for an e-Receipt.
Upon returning home, I contacted Halfords to get a bit more information about their e-Receipt service. I said:
I was in one of your stores this morning and made a purchase. At the till I noticed that, for orders over £10 I could request a digital receipt and have it sent to my In-box. It’s not clear though what information you collect from me for this purpose or how you will process that information. Please will you clarify and clarify when I can expect to see this information added to your privacy policy? I need to know what you’re going to do with my e-mail address before I’m willing to provide it. Thanks!
A customer service person from Halfords replied as follows:
Halfords will send customers details of our latest offers after they have received an e-receipt for their purchase. However, there is an option to opt out of receiving these emails at the time of arranging your e-receipt in store. If you do not opt out at this time there is another option to do so once your e-receipt is received.
I sought further clarification about the process and I received the following response from the same customer service person:
The material we use in store promoting our eReceipt service makes clear that – as a default – that service is provided in conjunction with our sending marketing emails. A customer may decide not to provide an e-mail address at all on the basis that they would prefer not to receive a combination of the eReceipt service and marketing e-mails. Equally, it is open to any customer to provide their e-mail address in store and specifically request at that time that they would only like to receive the eReceipt service/would not like to receive marketing e-mails. Again, and for completeness, all marketing e-mails sent by Halfords contain clear “unsubscribe” options as well as links to our privacy policy.
Okay, well, in her first response, she indicated that there’s an option to opt-out of marketing when we ask for an e-Receipt, which sounded encouraging. Yet in her subsequent response she seemed to suggest that we are actually opted in to marketing e-mails by default. Not good! Furthermore, she seemed to suggest that it’s our obligation to tell Halfords that we don’t want to receive such marketing? I don’t think so! It’s Halfords that has the obligation to comply with Regulation 22 of the PECR, not us!
Here’s the promotional material that Halfords use in-store to promote their e-Receipt service to its customers but will this be enough to satisfy Regulation 22 of the PECR? Methinks not! They reasonably need to make customers aware that they will be further processing their information for the purpose of direct marketing. Alternatively, they could provide a copy of their privacy notice and ask the customer to read it before proceeding. To ensure that further processing is compatible with the purpose for which the information was obtained, the controller needs to inform the data subject.
Regulation 22 of the PECR
We should all understand Regulation 22 of the PECR because we can now claim compensation in the small claims court if a data controller for our information fails to comply. This is because the Court of Appeal has disapplied Section 13(2) of the DPA so we no longer need to incur actual monetary damages to claim compensation in the small claims court. I’ll go into more detail later in the article.
Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR) places an obligation on a data controller for our information to obtain our “approval” prior to targeting us with marketing by electronic mail (e-mail and text). Regulation 22(2) states:
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
Consent is not defined by the DPA but is defined by European Directive 95/46/EC (the data protection directive on which the DPA is based) as: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. The same definition of consent is used for the PECR – as clarified at Recital 17 of European Directive 2002/58/EC (the e-privacy directive on which PECR are based). Thus, an organisation that fails to obtain consent – PECR, will also likely fail to satisfy a condition for processing – DPA, and that’s the basis of your claim for compensation under Section 13 of the DPA.
Having submitted many complaints to the ICO over many years, my understanding is that the ICO expects organisations to give us a genuine choice when seeking our consent to target us with unsolicited electronic marketing. This is to ensure that consent is “freely given”.
Here’s what the ICO says about obtaining consent in their direct marketing guidance:
73. The crucial consideration is that the individual must fully understand that their action will be taken as consent, and must fully understand exactly what they are consenting to. There must be a clear and prominent statement explaining that the action indicates consent to receive marketing messages from that organisation (including what method of communication it will use). Text hidden in a dense privacy policy or in ‘small print’ which is easy to miss would not be enough. Organisations should also provide a simple method of refusing consent (eg an opt-out box), to ensure that the consent is freely given.
Note that the ICO requires organisations to provide a simple method of refusing consent to ensure that consent was freely given. Refusing consent means that we do not give our consent. This should not be confused with an unsubscribe link which is a requirement of Regulation 23 PECR. The need to provide a mechanism to refuse giving our consent is consistent with Regulation 22(3), the soft opt-in, which also requires us to be given a simple mechanism for refusing the use of our information for marketing by electronic mail at the point they obtain our information.
It’s clear that the Information Commissioner expects data controllers to give us a genuine choice if they wish to further process our information to target us with marketing by electronic mail.
A little bit about implied consent
There are some situations however, where consent can be freely given without us being given a genuine choice. In which case, the consent will likely be implied. Consent will likely be implied where the data controller is unable to give us a genuine choice because to do so would impact on the service being offered. For example, if we were to subscribe to a service that sends us special offers by e-mail, then the data controller cannot possibly provide this service without targeting us with electronic marketing by e-mail. If they gave us a genuine choice not to receive the marketing e-mails, then they couldn’t provide the service because the service is reliant on them targeting us with unsolicited electronic marketing.
As a general rule therefore, if you receive unsolicited marketing by electronic mail as a result of subscribing to a service operated by a UK data controller: signing-up with a utility company, obtaining a quote for insurance, opening a bank account etc., then if you can unsubscribe from any electronic marketing that you receive as part of that service without impacting on the service, it’s likely that the data controller should have given you a genuine choice when they obtained your information. Also, if you purchase an item that results in you receiving unsolicited marketing by electronic mail then it’s likely too that you should have been given a genuine choice. In both situations you can claim compensation in the small claims court if the data controller failed to give you a genuine choice. The ICO should update their “taking a case to court” guidance because it’s woefully out of date.
Here’s what the ICO says about implied consent in their direct marketing guidance:
66. The ICO recommends that organisations do not make consent to marketing a condition of subscribing to a service unless they can clearly demonstrate how consent to marketing is necessary for the service and why consent cannot be sought separately. It is also relevant to consider whether there is a choice of other services and how fair it is to couple consent to marketing with subscribing to the service. It will also be important to assess whether this approach creates an imbalance between the individual and organisation (see the UCAS example above).
As you can see, the ICO’s guidance reflects what I’ve just said… that if the marketing by electronic mail is necessary for the service to operate then consent can likely be implied. However, the data controller would have to demonstrate that the marketing is a necessary aspect of the service and not an add-on to the service. If it’s an add-on, then, according to my understanding of the ICO’s guidance, they would need to give us a genuine choice. And let’s face it; most of the marketing that we receive by electronic mail is an add-on to a service that we’ve subscribed to. The marketing will either promote the benefits of the service that we’ve subscribed to or promote the benefits of other services offered by the data controller.
By the way, a genuine service message is non-promotional. If the main focus of a communication is to promote a product or service to you, then it will likely constitute direct marketing – regardless of what the data controller claims. My MP got the ICO’s Paul Arnold to confirm this in 2015. There’s no such thing as a promotional service message that bypasses the definition of direct marketing.
Coming back to Halfords’ e-Receipt service… can we receive the e-Receipt without the marketing e-mails? Of course we can! As such, according to my understanding of the ICO’s guidance, Halfords will need to give us a genuine choice when relying on Regulation 22(2) of the PECR. Data controllers should also record how and when we were given a genuine choice – according to the ICO’s guidance.
To recap…
Halfords’ customer service person informed me that we can opt-out of marketing at the check-out. Thus, when we request an e-Receipt we can ask to opt-out of marketing. She said:
Equally, it is open to any customer to provide their e-mail address in store and specifically request at that time that they would only like to receive the eReceipt service/would not like to receive marketing e-mails.
But why do we have to tell the person at the check-out that we want to opt-out when it’s a data controller’s obligation to satisfy Regulation 22? I pushed Halfords’ customer service person for clarification, I said:
Okay, thanks, I’m going to try it out this week. You’re telling me that the person at the till will ask me if I want my e-mail address to be used for marketing purposes right? I’m going to record that conversation. If they fail to make it clear to me – that by entering my e-mail address I will receive marketing, and ask me if I want to opt-out of this marketing, will you accept your organisation would have failed to obtain my consent to send me electronic marketing? And you’ve still not explained why I can’t find anything at all about e-receipts in your privacy policy. Please will you clarify so that I can put it to the test.
Before I received a response however, I realised that I had not asked how Halfords record the opt-out at the check-out. Do they have an electronic device with a tick-box? Do they use a scrap of paper or a Post-it note? It wasn’t clear so I followed-up:
As a follow-up, how would the sales staff record the decision not to use the customer’s information for marketing as outlined at section 95 of the ICO’s direct marketing guidance: [I quoted from the ICO’s direct marketing guidance]
Answers to these questions are essential to determine whether or not the e-Receipt process is compatible with Regulation 22 of the PECR. Halfords’ customer service person did get back to me but only to bring the matter to a close. She said:
Many thanks for your further e-mails, we appreciate your interest in our processes. In terms of your specific questions, I refer you back to my last e-mail, which does describe customer options around sign up to our eReceipts process. Moving forwards, and given that it sounds like you chose not to take advantage of the opportunity in store, we would of course be very happy to include your e-mail in Halfords’ marketing list, to hear details of our great offers (naturally unless and until such time as you might choose to opt out!). If you’d like to receive marketing e-mails from Halfords, please do let me know and I can arrange for this. Otherwise, we’ll consider this matter closed.
So, there you go! I’d asked specific questions about Halfords’ e-Receipt service and how it complies with my data protection rights. It seems to me that she endeavoured to brush off my enquiry but once she realised that I knew what I’m talking about, she refused to answer any further questions. I wonder how many times she’s successfully brushed off similar enquiries? Great customer service Halfords!
At this point, I still didn’t know why the customer had to specifically request the opt-out, and I still didn’t know how Halfords records that opt-out at the till. And rather than answer these questions, the customer service person informed me that the matter was closed unless I wanted her to sign me up to receive marketing. Sign me up to marketing e-mails – is she having a laugh? Why on earth would she think that I want to sign-up for marketing e-mails when she’s well aware that I’ve raised concerns that Halfords might be failing to comply with Regulation 22 of the PECR? Methinks that Halfords was mocking my genuine concerns.
Obviously, I refused to accept that the matter was closed and continued to seek answers. I pointed out that Halfords is obligated to answer questions about their data processing under Schedule 1, Part 2, 2(3) of the DPA. At this point, without providing any further clarification about the e-Receipt process, Halfords’ customer service person passed my enquiry to Halfords’ legal team. Halfords’ solicitor contacted me and said:
Thank you for your email to [customer service person] in our Customer Services Team which has been forwarded to the Legal Department to review and to respond to. I note from your email that you have intimated that you intend to escalate this issue to our CEO. Please note that this email is sent on behalf of the business, including our CEO.
We note and appreciate your interest in our processes relating to the capture and use of personal data. I can see from [customer service person] previous responses that we have already flagged to you the link between our eReceipts service and the receipt of marketing e-mails – as is made clear in the promotional material relating to eReceipts displayed at our till points in store.
Full details about how we use and process personal data is set out in our privacy policy, which is available at www.halfords.com. However, for ease, I also attach a copy of the privacy policy to this email.
We believe that we have now fully addressed the queries that you have raised in your correspondence and therefore, no further action is required on behalf of Halfords.
As far as I was concerned, Halfords had not fully addressed my queries. I replied and pointed out the issues to Halfords’ solicitor, in some depth, but she clearly wasn’t interested, she said:
We note and appreciate the contents of your email. However, we believe we have fully addressed the queries that you have raised in your correspondence and therefore, no further action is required on behalf of Halfords.
As far as I was concerned, Halfords had not fully addressed my queries. I still didn’t know why the customer has to specifically request the opt-out, and I still didn’t know how Halfords records that opt-out at the till.
In an effort to get answers to these two questions, I had obtained clarification from the ICO’s Head of Customer and Business Services – Paul Arnold, that organisations are expected to answer questions related to the fair processing if the question has not already been answered in their privacy notice. Mr Arnold said (ENQ0618374):
Consider making a subject access request if finding out what personal information is held about you is an important part of your concerns (for example, if you are concerned about the accuracy of your personal information). Ask questions of any organisation if you want to know more about how they are processing your personal information or personal information more generally, particularly if this is not clear from the information they routinely publish.
Paul Arnold responded because I had been told previously by the ICO that I needed to submit a Subject Access Request (SAR) to get an answer to a data processing question. When I pointed out that this was nonsense – why should I have to pay the £10 SAR fee if the data controller is obligated to answer the question, Paul Arnold clarified.
However, Halfords’ solicitor seemed to ignore Paul Arnold’s view as she remained unwilling to clarify the points that I had raised. In light of this, I wrote two letters to Halfords’ CEO – Jill McDonald, but I’m not sure if she ever received them as all further responses from Halfords came from their solicitor.
Finally, I sent Jill McDonald a pre-action conduct letter to outline my case before going to court but that too was ignored by Halfords. The pre-action conduct process is the final chance for the two parties to resolve an issue before going to court and Halfords ignored it. It gives an insight into the kind of people that I’m dealing with. From customer service to CEO… my questions remain unanswered.
As Halfords didn’t respond to my pre-action conduct letter, I took them to court under Section 13 of the DPA.
My court case against Halfords
In court, Halfords’ barrister subjectively interpreted the law to support his client and I lost the case. To clarify, Halfords’ barrister was also acting independently on matters of fact, so although he was defending Halfords, he objectively clarified the law for the judge without prejudice.
On the electronic marketing issue, the judge accepted that Section 13(2) of the DPA had been disapplied by the Court of Appeal, so I no longer had to incur a financial loss to bring a claim under Section 13 of the DPA. Result! The judge was also willing to accept that a marketing e-mail could constitute actual damages. Result! However, Halfords’ barrister was keen to point out that I had not actually subscribed to Halfords’ e-Receipt service so I had not actually received a marketing e-mail and therefore had not incurred actual damages. Fair point!
On the need for organisations to answer questions related to the fair processing of personal information, again, Halfords’ barrister pointed out that there was no evidence that Paul Arnold’s view applied to all data controllers. If I remember rightly, he argued that it was unreasonable for a data controller to be expected to answer data protection enquiries from members of the public. And the judge accepted this. I was hoping that the judge would accept the cost of postage for posting the letters to Halfords’ CEO as actual damages but they were deemed to be costs, not damages. This issue is still ongoing however, and I’ll come back to it in a bit.
I have to remember in future to focus on what I argued when I submitted the claim. As so much time passed between filing the claim and appearing in court, I actually thought that the failure to answer my questions was the stronger argument and that was going to win the case for me; that I’d incurred damages because Halfords should have answered my questions and they had failed to do so. I guess I relied way too much on the ICO; thinking that the judge would accept the view of the Regulator.
As it happens, the judge was not happy at all that I kept referring to the ICO. Indeed, she made it clear that this was her courtroom, and while she recognised the authority of the ICO, it had no place in her courtroom. However, I’ve since been advised by an ex-ICO colleague that some judges will take note of the view of the Regulator in their courtroom. So I’ll continue to support future cases with the view of the ICO but I’ll be prepared to subjectively argue the DPA and PECR too.
To be fair, Halfords’ barrister was really good and he was a nice bloke too! What can I say, my case started to unravel because I expected the judge to give some weight to the ICO’s view so next time I’ll stick to my own interpretation of the law and do my homework.
You win some, lose some, it’s all the same to me
I lost my £50 but whether we win or lose in court, it doesn’t mean anything in the grand scheme of things. This is because Halfords MUST comply with the view of the Regulator. The fact that Halfords opted to argue their own interpretation in court and won that case will have no impact whatsoever on their obligations as a data controller to comply with our rights as individuals – as interpreted by the Information Commissioner. So although we may lose the claim, it’s just the first Round of a much bigger fight.
Make no mistake, my plan is to push the ICO until they threaten Halfords with prosecution. I’m going to keep going back to the court and back to the ICO until Halfords either settles my claim or until they’re prosecuted for repeatedly failing to comply with the view of the Regulator – and then settles my claim. Which brings us nicely to the ICO’s complaints process.
When the ICO carries out an Assessment under Section 42 of the DPA, they’ll be looking to see whether there’s room for improvement. Here’s the opening three paragraphs of a typical Assessment:
We want to know how organisations are doing when they are handling information rights issues. We also want to improve the way they deal with the personal information they are responsible for.
Reporting your concerns to us will help us to do that. Our role is not to investigate or formally adjudicate on individual concerns but we will consider whether there is an opportunity to improve the practice of the organisations we regulate.
We cannot look into every concern we receive. We will put most of our effort into dealing with matters we think give us the best opportunity to make a significant difference to an organisation’s information rights practices.
For many of the companies that I complain about, the ICO will often write to the data controller and tell them what they need to do to comply. For example, if a data controller for my information failed to comply with a Subject Access Request, the ICO will write to them and tell them that they need to comply. They’ll likely conclude the assessment as follows:
The issue you have raised does not suggest any wider concerns about [the data controller’s] information rights practice. We are therefore not taking any further action in relation to your concern. However, your concern will be kept on file and this will contribute to our view of [the data controller’s] information rights practices.
Notice how the ICO has brought the matter to a close. This is because they expect the data controller to act upon the view given in the assessment or to challenge the ICO’s view. I’ve been told in the past that the data controller is deemed to have accepted the view given in an Assessment after 28 days. However, more recently I’ve been told that this is not true, and this kind of confusion is par for the course at the ICO as their case officers continue to make up their own rules on the fly.
Regardless of whether they’re deemed to have accepted the view or not, what happens when the data controller does not accept the view given in the assessment and does not bother to challenge it? What if they just carry on regardless? What if they even continue to argue their own interpretation in the small claims court? Well, we’d expect the ICO to take further action right? And if they don’t do this then the ICO must be misleading us because they can’t reasonably tell us over and over that they’re not going to take action “on this occasion” if they’re never going to take action. Let’s be clear, if there is evidence that a data controller does not accept the view of an Assessment but never bothered to challenge the view, then the ICO needs to escalate the matter for their service to be fair.
Winning or losing in court therefore, is all about getting the data controller to subjectively argue their own interpretation of the DPA or PECR in court so that you can support your case to the ICO. The ICO will then tell the data controller what they need to do to comply and following that, you submit a second claim for compensation to see whether they’re willing to defend that claim by subjectively arguing the DPA/PECR again – having been clearly advised by the ICO. If they do, then this will clearly demonstrate that the data controller does not accept the view given in the assessment and you can go back to the ICO and tell them that they need to do something about it. If the ICO doesn’t make steps towards prosecuting the data controller then you’ve got a clear case for the Ombudsman.
The ICO must ultimately prosecute data controllers that refuse to accept or challenge the view of the Information Commissioner – as given in an “Assessment”, for their service to be deemed fair. Indeed, the ICO’s Regulatory Action Division did threaten to prosecute my bank on one occasion if they didn’t comply or submit a valid legal argument. My bank argued their own interpretation of the DPA in court too!
Thus, win or lose in court, if the ICO do their job, the data controller will look to settle the second time around because they won’t want to risk being prosecuted by the ICO by subjectively arguing their own interpretation of the law in court having been told what they need to do to comply. Obviously, it relies on ICO staff doing their jobs competently.
What the ICO had to say about Halfords
Following the court case I submitted a complaint to the ICO. The Regulator carried out an Assessment under Section 42 of the DPA and they wrote to Halfords. Here’s what the ICO told Halfords’ solicitor on the 22 May 2017 as a result of their investigation into my complaint (RFA0669468):
From the information received we are satisfied that appropriate fair processing information was provided in this instance. [The data subject] however remains concerned that Halfords response suggests they rely on their customers to state their preference to opt-out of marketing emails and that Halfords do not offer customers a clear chance to opt-out at the time the e-receipt is offered.
In this case [The data subject] did not sign up to the e-receipt service and so there is no evidence provided to demonstrate that customers are not offered a clear opportunity to opt-out of marketing emails. However following [The data subject]’s concern we would remind Halfords to ensure their procedures for arranging e-receipts include offering customers a simple means of refusing the use of their details for marketing purposes at the time the e-receipt service is offered.
[The data subject] also suggests that by signing up to Halford’s wifi service customers automatically receive marketing emails without their consent. While there is no evidence provided to demonstrate that marketing emails have been sent following a customer signing up to wifi services we would take this opportunity to remind Halfords to ensure that marketing emails only be provided where they have consent to do so.
This response by the ICO is a tad frustrating. Under Section 43 of the DPA a case officer can require a data controller to explain their data processing. Bearing in mind that the case officer was well aware that Halfords had argued their case in court, I would have expected her to seek answers from Halfords. In other words, instead of saying that there’s no evidence, the case officer should reasonably have sought evidence by obtaining the answers from Halfords. Case officers don’t want to do this though and this is why the assessment process tends to be one-sided in favour of the data controller.
What the ICO’s assessment confirms however, is that anyone who has received marketing e-mails as a result of signing-up to Halfords’ e-receipt service, will likely have a valid claim for compensation under Section 13 of the DPA. Here’s what I’d do. I’d write to Halfords and ask them to clarify how they gave you a simple means of refusing the marketing e-mails at the point you signed-up to their e-Receipt service. I’d then report the matter to the ICO and wait for the ICO to carry out an assessment. Then I’d ask Halfords whether they want to settle otherwise you can file a claim for £300 in the small claims court for £25. It’ll cost you £25 to file the claim and another £25 if it goes to court. And if you signed-up to Halfords wifi service then you might have a valid claim too if you receive marketing texts.
Or if Halfords have not yet sent you unsolicited marketing by electronic mail, why not try out their e-Receipt service or their wifi service to see if they give you the opportunity not to give your consent.
How ICO staff manipulate the process
Although the case officer advised Halfords about their need to obtain consent fairly in her Assessment, my view is that she should have sought answers from Halfords. Besides this, the case officer also failed to deal with the issue surrounding Paul Arnold’s advice that data controllers are expected to answer questions related to the fair processing of personal information. As this issue was not addressed at all by the case officer in her assessment, I submitted a case review. In the case review application form, I concluded by specifically asking the lead case officer to deal with the Paul Arnold issue when she carries out a case review. I said:
For the purpose of a case review, if you accept that Paul Arnold has correctly advised my MP, then you must conclude that the data controller has failed to comply with the first data principle.
The ICO’s Elaine Stewart – who is a more senior case officer at the ICO, carried out a case review of the assessment and she confirmed that the view given in the Assessment – about Halfords’ need to give us a genuine choice, was correct. Ms Stewart did make a reference to the Paul Arnold issue but only with a single sentence, she said:
As you have already taken your concerns to court, then it is our view that there are no further DPA matters for us to progress at the current time.
What nonsense! Why on earth would the Information Commissioner not be concerned by the fact that Halfords ignored the view of the ICO’s Head of Customer and Business Services and opted to argue their own interpretation in court?
I asked Ms Stewart to support her view with published guidance but she didn’t. To cut a long story short, I’ve asked Ms Stewart – a Lead Case Officer at the ICO, to support her view on a number of occasions now, but she hasn’t been able to. She’s replied to me but she’s still not supported her view that the Information Commissioner is not concerned about the fact that Halfords opted to ignore Paul Arnold’s view in favour of their own interpretation.
In her last response, Ms Stewart tried to backtrack. She said that ‘We do not necessarily respond to each of the points you have raised in the course of your complaint’. This is nonsense because she has already responded to the point that I raised; she said that the Information Commissioner is not concerned because I took the matter to court, making a clear statement that the ICO doesn’t get involved if I’ve taken the matter to court. Furthermore, although I accept that the ICO does not have to respond to each point that I raise, they should definitely deal with points where there is a clear opportunity to improve an organisation’s information rights practices – as there is in this case. After all, this is what they keep telling us in their assessments.
If Ms Stewart cannot support her view then she’s created policy on the fly, in a case review, to avoid having to write to Halfords and make them accept Paul Arnold’s view. Why would she do this? Perhaps she lacks the confidence to take on Halfords’ lawyers. Whatever the reason, it’s not the role of case officers to create policy and this is the kind of nonsense that I am often subjected to when dealing with the ICO’s case officers. It’s because the Ombudsman does not get involved in disputes over the interpretation of the law and the case officers know this so they just make it up. As long as it sounds plausible, the PHSO will not question it. The taxpayer is paying for a process that has been designed to fail.
The thing is, Paul Arnold’s view does appear to reflect the view of the Commissioner. This is outlined in the ICO’s How we deal with complaints and concerns: A guide for data controllers guidance, which states:
If a member of the public raises a concern with you about your information rights practice, you should take it seriously. In most cases, we will use the explanation you gave to them to make our decision about whether you have complied with the DPA. As such, it is important that you demonstrate to your customers (and to us as the regulator) that you understand your information rights obligations. A good explanation of how you have applied the principles of the DPA can help avoid escalating disputes unnecessarily. Rather than simply referring the issue or individual to the ICO, you should retain ownership of the concerns raised and work with the member of the public to try to resolve matters.
So it would appear that Paul Arnold’s view is correct: that if a member of the public raises concerns, the data controller should take it seriously. This is further clarification that Ms Stewart has opted to manipulate the process.
This is another issue that I have with the ICO’s case officers; they’re often not fit for purpose and this results in a lack of consistency. For example, when my bank refused to accept the view of the Information Commissioner, having argued their case in court, the matter was escalated to the ICO’s Regulatory Action Division and my bank was threatened with prosecution. In contrast, Halfords has demonstrated that they don’t accept Paul Arnold’s view yet Ms Stewart is making up nonsense policies to support Halfords. What’s going on? What’s with the double standard? I’m not saying that the ICO has to threaten Halfords with prosecution at this point but I’m not letting go until, at the very minimum, Ms Stewart writes to Halfords to seek clarification as to whether they accept Paul Arnold’s view. And I’ll expect Halfords to stand their ground and tell the ICO that they do not accept Paul Arnold’s view. At which point, I expect the matter to be passed to the ICO’s Regulatory Action Division. I’m keen to see whether Halfords has any spine.
Let me give you a few examples to demonstrate how Ms Stewart is trying to manipulate the process. In case after case the ICO will conclude an Assessment by stating that they will not be taking action on this occasion and they will explain why they’re not taking action. These are from four separate cases:
‘The issue you have raised does not suggest any wider concerns about [the data controller’s] information rights practice. We are therefore not taking any further action in relation to your concern. However, your concern will be kept on file and this will contribute to our view of [the data controller’s] information rights practices’.
‘However, taking into account all the circumstances we do not consider that further action is required at the moment. This is because we do not consider at this stage that there is an opportunity to further improve [the data controller’s] information rights practices and that the matters that have been raised do not meet our investigatory criteria’.
‘As [the data controller] has recognised they have made an error and have taken steps to become compliant with the DPA, we will not be taking any further action on this occasion’.
‘We will now write to [the data controller] and give our view and advice, as outlined above. However, we do not consider that further action is required at the moment. This is because [the data controller] is not a data controller that is identified as a concern to us and it has now acted to put matters right’.
The ICO is clearly giving the impression that they are willing to take action but they won’t be doing so “on this occasion” because there’s no evidence to suggest a wider concern. But in this case, where there is clear evidence that Halfords does not accept the view of the Commissioner, Ms Stewart has opted to manipulate the process rather than make Halfords comply. It’s a clear and deliberate failure of process by the ICO.
As a consequence of Ms Stewart’s nonsense, I now have to ask my MP to write to the Information Commissioner to seek clarification. And if I’m not happy with the ICO’s response then I’ll ask my MP to raise the question in Parliament: To ask the Secretary of State for Culture, Media and Sport, to confirm that the Information Commissioner is not interested in data controllers that argue their own subjective views of the DPA in court against members of the public. Once we’ve confirmed that Ms Stewart is talking nonsense, I’ll submit a complaint to the Ombudsman.
All that effort just because some arsehole case officer has opted to create her own policy on the fly to avoid having to deal with the matter at hand. Welcome to the UK’s ICO! If the ICO operated a chain of burger stores, each burger would be different from the ones advertised because it’s every man (and woman) for themselves. Case officers will do what they think is right, not what the Information Commissioner says is right. They’ve been doing this for many years and I have many flawed assessments and case reviews to prove it.
So when you hear the ICO harping on about the GDPR, just remember that we’re all at the whim of the ICO’s case officers and they have no qualms about creating policy on the fly to support a data controller and then burying it once the case has concluded.
Conclusion
In conclusion, I was surprised by the way in which Halfords dealt with this issue. They’re not normally a store that I shop at but from what advertising I’ve seen, they seem to be customer friendly. I’ve now changed my opinion of course. To recap:
- Halfords’ customer service person failed to clarify why I had to specifically request the opt-out to their e-Receipt service at the till and how that opt-out was recorded. I still don’t have the answer to these questions.
- Halfords’ solicitor refused to discuss the matter at all.
- Halfords’ solicitor never bothered to clarify Paul Arnold’s view with the ICO.
- Halfords never bothered to respond to my pre-action conduct letter.
- Halfords’ CEO never bothered to reply to either of my letters.
- Halfords engaged the services of a barrister to argue in court that they’re not obligated to answer my questions. Why wouldn’t they want to answer my questions? What have they got to hide?
I’m going to be on Halfords’ case from now on. I’m going to keep pushing the ICO to write to Halfords to get them to accept Paul Arnold’s view and then I’m going to take them to court again – because they argued in their Defence that they didn’t have to answer my questions. I’m going to be testing all of their services and claiming compensation if they fail to obtain my consent fairly, and once the GDPR comes into force, I’ll be there on day-one to ensure that they are fully compliant.
Update: 07.10.2017
My MP has confirmed today that she has written to the Information Commissioner to get clarification on Ms Stewart’s view that the Commissioner is not concerned about organisations arguing their own unfounded interpretation of the DPA in a court of law to defend a claim for compensation brought under Section 13 of the DPA.
Organisations must process personal information fairly – as interpreted by the Information Commissioner, or challenge the view of the Regulator. As such, if a data controller chooses to argue their own interpretation of the DPA in court, then, as the Regulator, the Information Commissioner should be all over it. The Commissioner is not doing this though because Ms Stewart has decided to deliberately manipulate the process. If Ms Stewart had evidence to support her view then she should have provided it. She has no evidence though because she just made it up to support Halfords, because that’s what the ICO’s case officers do; they’re always looking for ways to support a data controller over an individual.
I shall keep escalating this issue until the ICO write to Halfords and tell them that they must deal with any and all enquiries about their data processing from individuals, if this information has not already been provided in a privacy notice. Halfords will then have the opportunity to challenge the ICO and I fully expect them to do so. They were more than willing to argue their case against me in court so they should be willing to challenge the ICO.
It’s taking me longer than expected as I’m having to challenge the ICO’s nonsense too, but this is par for the course.
Update: 03.11.2017
We’re still waiting to hear back from the ICO as to whether or not the Regulator – whose job is to promote compliance among data controllers – 51(1) DPA, is concerned about organisations arguing their own interpretation of the DPA and PECR in a court of law. I’ve been advised by the ICO’s Rob Cole that he’s looking into answering this question and a number of other questions. The obvious cause for concern here is that the answers to my questions do not exist. This supports my view that Ms Stewart simply made it up to support Halfords and that’s a failure of process that the Ombudsman will likely uphold.
Whether she has a vested interest in Halfords, whether she’s jealous of the fact that I’m more adept at the DPA than she is, or whether she simply doesn’t like me – I don’t care! The fact remains that Ms Stewart has made up a reason not to investigate/prosecute Halfords in a formal case review. This makes a mockery of the ICO’s case review process and it’s something that I’ve previously made the Ombudsman aware of. The PHSO is of the view that the ICO has a robust case review process in place. Yeah, right!
It clearly states in the ICO’s published guidance that organisations are expected to answer questions from the public about their information rights practices:
If a member of the public is concerned about your information rights practices, we believe that you, as the organisation responsible, should deal with it. We expect you to respond to any information rights concerns you receive, clarifying how you have processed the individual’s personal information in that case and explaining how you will put right anything that’s gone wrong.
The guidance goes on to state that one of the factors in deciding whether or not to take action, is how the data controller has dealt with any related concern raised. Halfords failed to answer my questions and argued in court that they’re not obligated to answer them. THIS SHOULD BE A CAUSE FOR CONCERN BY THE REGULATOR!
This kind of abuse is nothing new to me however. The ICO’s case officers have been manipulating their case review process for as long as I’ve been submitting complaints, and there’s no evidence to suggest that the abuse won’t continue with the GDPR. And it’s highly likely that senior members of staff at the ICO are complicit in the abuse. It’s the main reason why I’ve started taking companies to court. I’d rather go to court and lose because I wasn’t good enough to compete against a barrister than to lose because some arsehole at the ICO thinks that they’re a law unto themselves. Where’s the oversight?
Update: 02.08.2020
The ICO took no further action. However, I’ve been busy, and since my case against Halfords, I’ve successfully argued multiple data protection cases in court and I’ve settled many more. In each court hearing, a judge accepted that direct marketing received as a direct result of a failure to comply with R22 PECR, constitutes annoyance and annoyance constitutes distress.
Have a read of the following cases. The Go Outdoors case is particularly relevant to this case because they too were relying on their till staff to inform the customer that they would be targeted with direct marketing and give them an opportunity to refuse.
An exceedingly good case: King v Premier Foods PLC
Go Outdoors agrees to settle out of court
Reliance on till staff and verbal compliance with R22, is a seriously flawed system in my view, because busy till staff don’t want to do this, or they forget to do it when they’re busy, and that’s why it’s an easy win in court.
Indeed, the only evidence that the controller will have is a witness statement from the till staff, if they’re lucky. The problem with this is, if the till staff states in a witness statement that they never make a mistake – that they always tell the customer that they will be targeted with direct marketing and they always give them the opportunity to refuse, it’s likely to be a falsehood. The till staff will reasonably have to admit that they make an effort to follow the process but it doesn’t always happen, and there goes the case. The Defendant simply cannot demonstrate that they complied with R22 PECR when compliance with R22 PECR is done verbally.
I recommended in the Go Outdoors case, that they should always seek consent – R22(2) PECR, so that if the till staff makes a mistake, the customer will not receive direct marketing as a result of requesting an e-receipt. E-receipts and abandoned basket emails need very careful consideration. Look how Currys PC World changed their abandoned basket process when they lost that case in court.
David King v DSG Retail Limited (Currys PC World)
I believe that most of the controllers that were doing e-receipts have now stopped or have drastically changed the process because it’s an easy win in court. I’m probably going to move away from claiming distress however, in favour of loss of control of personal information. Since the Court of Appeal ruling on this, I’ve yet to argue it in court. The advantage is that I don’t have to demonstrate that I suffered distress, I just need to demonstrate that the controller failed to comply, so I can rely on loss of control of personal information to bring a claim for any unlawful data processing. Obtain my information without providing me with a privacy notice – loss of control of my data. Fail to identify your legitimate interests in your privacy notice – loss of control of my data.
I have two cases on the go at the moment, and I settled one last week. I donated the bulk of that settlement to a good cause via the Just Giving website. I currently have about 30 cases in the pipeline. I’m preparing to argue that a residential postal address – on its own, and a residential phone number – on its own, should be treated as personal information by controllers, unless they know otherwise.