Holding Data Protection Officers to account

I settled this claim out of court by holding the DPO to account.

I can reasonably say that all of the DPOs that I’ve dealt with over the years are either incompetent, or they have deliberately lied to me. My new tactic is to hold DPOs to account. To this end, under Part 34 of the court rules (CPR), the court has the power to order a witness to attend court to give evidence on a particular date; I can make an application to the court and force a DPO to attend the court hearing and answer my questions. Lying under oath or in a statement of truth is subject to perjury law, so we’re going to get to the truth eventually.

For a communication to be deemed an administration-only service message, it must be devoid of advertising or marketing material. The definition of direct marketing is so broad that no one is ever going to win the argument that some marketing material is acceptable. Thus, as soon as a controller adds advertising or marketing material to the message, it will cause it to fall under the statutory definition of direct marketing. An exception to the rule would likely be corporate branding, which tends to be template-based and thus not specific to the message. As a rule, I reasonably don’t object to corporate branding.

In this case, I opted out of unsolicited electronic marketing from my insurance provider but they still sent me an email that promoted their mobile phone app to me. They used COVID-19 and the lockdown as reasons why I should use the app, but whatever the reason, this communication is promoting a service to me, so it constitutes direct marketing. They can’t target me with unsolicited electronic marketing if I have opted out.

I contacted them and said:

‘This communication will constitute direct marketing because it contains advertising and marketing material. As far as I’m aware, I did not opt-in to receive direct marketing emails from you. If you believe otherwise, please will you confirm? At what point did you give me the opportunity to withdraw my consent when you obtained my information? Thanks!’

I received a reply from the controller’s Data Protection Executive (DPE), and this seems to be a growing trend: rather than have a DPO deal with my enquiry, controllers are getting a more junior member of staff to respond initially. My view is that this is a scam designed to frustrate complaints but with a level of deniability. In other words, the DPE will do what is necessary to frustrate the complaint, but if the complainant sees through this scam, then the DPE can pass the matter to a DPO. The aim, though, is to frustrate as many complaints as possible. Let’s see what happens.

The DPE said:

This email is not a marketing email, this is classified as a service email and is informing you of the ways [The controller] may be able to assist you with your policy. We apologise if you have felt that this is not relevant to you at this time but is purely for information purposes and not with the view to sell you anything. You have opted out of marketing emails which is noted within your account file.

Why is it not obvious to a DPO that this communication constitutes direct marketing?

I replied as follows:

‘Thanks for getting back to me, but a service email is not defined by law. So, you’ve either targeted me with direct marketing or you’ve not. You can’t lawfully target me with direct marketing and then claim that it’s a “service message” because that’s just nonsense, and misleading.

Do you want to try again? The email promoted your app to me. Please will you clarify; are you saying that the communication that you sent to me is devoid of advertising or marketing material, pursuant to Section 122(5) DPA? Thanks!’

The DPE replied:

Section 122(5) of the DPA merely states that direct marketing is marketing which is directed at individuals, which unfortunately is not terribly helpful. [The controller] considers the email in question as a service email because it informs you about features of our mobile app which many of our policy holders find very beneficial. It is not something that we are trying to sell to you because you are already a customer and there is no cost to you, it’s more like a feature of our policy. It is for these reasons that we do not believe it contains advertising or marketing material. Our lawfulness to send these service emails is based on GDPR Article 6(1)f which is our legitimate interest.

Having said that, your objection to receiving these types of emails is duly noted and I will be sure to pass it on to the team responsible for their consideration.

This response says it all, and it’s the same kind of response that I often receive. They’re not referring to the statutory definition of direct marketing – they’re working to their own subjective and unfounded interpretation of the law. They may consider the email to be a service message but the law clearly defines it as direct marketing.

I followed up to explain why the DPE had got it wrong and he passed me to their DPO. See what I mean? The DPE hasn’t been able to frustrate my complaint, so he passed it to a DPO. I wonder how many people accept the DPE’s nonsense view and give up?

The DPO said:

I note your debate with interest. The discussions over service v marketing have surfaced many times across the UK. As you are aware the Information Commissioner’s Office (ICO) is the supervisory authority in these matters and they offer guidance on this subject, in part, I suspect, due to it arising in investigations undertaken by them (e.g. EE Limited 24 June 2019). It is this guidance that has been the subject of my conversations with the corresponding team in [The controller]. You made a comment in your earlier email to the fact that service emails are not defined in law, I agree and it would be helpful if it were, however the ICO have detailed:

Routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide information they need about a current contract or past purchase (eg information about service interruptions, delivery arrangements, product safety, changes to terms and conditions, or tariffs). General branding, logos or straplines in these messages do not count as marketing. However, if the message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message includes marketing material and the rules apply.

Having discussed this with the team in [The controller], the content of the email is to inform customers of a simpler way to interact with the product purchased and to allow for your easy access to policy details. The email does contain branding and logos as permitted by the ICO but does not push the sale of further products or services. I have advised them of their responsibilities under the Privacy and Electronic Communications Regulations 2003 section 22 (in particular subsection 3) if the emails or the application were to do this.

I’m sorry you feel the way you do, [The controller] have been receptive to my conversations on this matter and have been proactive in not doing as you suggest. It is your right to complain to the ICO if you feel aggrieved in this matter, but I hope I have offered clarity in the thinking of [The controller] when sending out this particular email.

I have taken steps to check that your marketing preferences have been logged and acknowledge that you do not wish [The controller] to contact you via email in the future and would prefer postal correspondence. I will ask one of the Data Protection team to ensure this is passed on to the relevant section in [The controller].

I’ve told the ICO twice about their misleading definition of direct marketing but they’ve yet to update it.

I replied as follows:

‘Thanks for getting in touch. However, there is no debate as far as I’m concerned because you’ve already lost the argument. Once I’ve filed the claim, at some point, be it in your Defence or at the hearing, your organisation is going to have to accept that the communication constitutes direct marketing because it contains advertising or marketing material. To argue that it does not is just silly. You do know that the view of the ICO has no bearing in a court case, right? Actually, I endeavoured to argue the ICO’s guidance at my first court hearing, but the judge made it absolutely clear that the view of the Information Commissioner had no place in her courtroom. She basically told me off for quoting the ICO’s guidance.

To clarify therefore, this matter has nothing to do with the ICO. I suggest you take a good look at the statutory definition of direct marketing and admit that you’ve unlawfully targeted me with direct marketing by email, because you’ve failed to satisfy R22 PECR. You’ve sent me direct marketing by email when I had opted out. You also failed to include an unsubscribe link pursuant to R23 PECR. And of course, a failure to satisfy the PECR is a failure to satisfy a condition for processing.’

I didn’t receive a reply so I followed up a few days later:

‘Please will you confirm that you honestly believe that the email does not, in your view, contain advertising or marketing material? That it does not promote the benefits of the app or the service to me? That it contains no promotional messages?

I need to determine the nature of your expertise because I shall be asking you to submit a witness statement. If you agreed to submit a witness statement, you would have to confirm that you honestly believe that the communication is devoid of advertising or marketing material. If you don’t agree, then I shall point out to the judge that you’ve not submitted a witness statement because you know that the communication contains advertising or marketing material, and this will likely impact on your Defence. Why would the judge believe your Defence when the Defendant’s DPO is unwilling to clarify their position with a statement of truth?’

The next response that I received was from the controller’s Legal Counsel who made me an offer to settle the claim without going to court.

And that’s how you do that. These DPOs think they’re untouchable because they can hide behind their employer. At the end of the day though, someone has to put their name to a statement of truth or appear in court, and if they tell lies, it’s a serious matter.