Lawful data processing: there’s no such thing as public domain

It would appear that some organisations, particularly employment agencies and event organisers, operate a business model that has unlawful data processing at its heart.

Having recently settled out of court with the same employment agency for the second time, I find it increasingly frustrating that so many organisations appear to harbour the notion that just because someone’s personal information appears on a website or in a publication, that this information is in the public domain. It’s nonsense!

The employment agency that I’ve settled twice with, uses LinkedIn like it’s their very own contact database. They don’t pay LinkedIn to obtain my personal data, because I’ve opted out. They don’t use LinkedIn’s tools to target me with marketing, because I’ve opted out. And when they attempt to connect to me, I block their requests. So, what do they do? They scrape my LinkedIn profile information and use it to contact me directly at work.

To clarify, this organisation likely crawls through LinkedIn profiles incessantly, to extract names of employees, names of employers, job titles etc., and import this information into their own database. They then proceed to create a likely corporate email address for each individual – based on the information that they extracted from LinkedIn. If they cannot contact some of these individuals via LinkedIn, then they’ll simply target them with direct marketing – directly to their place of work, using the email address that they created.

So, what’s wrong with scraping profile information from LinkedIn? Surely an employer will expect third-party organisations to use corporate email addresses to contact its employees? Well, yeah, but this has nothing to do with employers. A corporate email address that contains a name, will, more often than not, constitute personal data. As such, any organisation that obtains, creates or stores a name-bearing corporate email address without the knowledge of the data subject, will need to notify that individual within a month, pursuant to Article 14(2)(f) GDPR:

Article 14: Information to be provided where personal data have not been obtained from the data subject. (2)(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources.

Under the DPA98, I once had to submit a number of Subject Access Requests to identify a chain of data controllers that had obtained and stored my personal data, without my knowledge, for many months. Under the GDPR, they’d all be in breach and I’d likely have a claim against each of them for failing to provide the information that I’m entitled to.

How does a corporate email address constitute personal data?

Data controllers need to understand that besides being a corporate email address, a name-bearing email address that has the format: firstname.surname@organisation, or similar, will likely constitute personal data. This is because the e-mail address alone, contains enough information to identify a specific individual who works for a specific organisation.

A name bearing corporate email address alone, will often be enough to constitute personal data as it relates to an identifiable natural person. Fair enough, there will be situations where more than one person with the same name works for the same organisation but the data controller is unlikely to know this. Furthermore, even when an organisation does have more than one employee with the same name, by previewing profiles on LinkedIn, the data controller is likely to have obtained other snippets of data that they can use to identify a specific individual: job title, photo, profile URL etc. And of course the other employee may not have a LinkedIn account.

Hence the rule, that all name-bearing corporate email addresses should be treated as personal data. In some cases, even firstname@organisation will constitute personal data. For example, if the organisation only had a small number of staff. However, generic emails such as enquiries@organisation, do not constitute personal data.

The solicitors Beswicks Legal, have an article about name-bearing email addresses on their website.

Satisfying a condition for processing

To process personal data lawfully, an organisation must satisfy a condition for processing for each processing purpose. To obtain the data – condition for processing; to store the data – condition for processing; to target the data subject with direct marketing – condition for processing.

There are 6 available conditions for processing given at Article 6 GDPR. However, for commercial organisations, it’s likely that they will be limited to the following three:

a) Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

b) Fulfilment of a contract: the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps.

c) Legitimate interests: the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

We can rule out consent and the fulfilment of a contract conditions because there’s no relationship between the organisation and the individual, and individuals cannot give consent to an unknown data controller. Which leaves the Legitimate interests (LI) condition. We can pretty much rule this out too where no prior relationship exists. Let’s analyse the LI condition further.

Relying on legitimate interests to process personal data found in the public domain.

The last paragraph of Recital 47 GDPR states:

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

I wonder whether some organisations are simply jumping on this last paragraph to justify their data processing, while ignoring the rest of Recital 47. Yes, data controllers can use the LI condition to target individuals with direct marketing, but only under certain conditions. These conditions are outlined in the first paragraph of Recital 47:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

Paragraph 2 further defines the relationship: ‘where there is a relevant and appropriate relationship between the data subject and the controller’.

From Recital 47, we can determine three key requirements for the LI condition:

  • It has to be necessary to process the individual’s personal data for the legitimate interests of the data controller. If the data controller obtained personal data related to children and used this to target them with PPI direct marketing, then that’s pointless.  

  • The data controller and the data subject need to have a relationship, and based on that relationship, the data subject should reasonably expect the data controller to process their personal data. A data controller couldn’t rely on the LI condition to target the data subject with direct marketing emails for example, if the data subject had previously unsubscribed.

  • That the data processing should not override the interests or the fundamental rights and freedoms of the data subject

Any data controller that claims to obtain personal data from the public domain, will likely fail to satisfy all of these key requirements. So, yeah, the LI condition can be used to target individuals with direct marketing, providing that the data controller obtained the personal data fairly.

When I receive direct marketing emails at work, I contact the sender and ask them to clarify how they obtained my personal data. I say that they can either treat my request as an enquiry or as a subject access request. If they cannot identify a genuine source then I put them on my list. If you don’t want to file a claim for compensation, you can still submit a complaint to the ICO.

Scaping profiles from LinkedIn is potentially a criminal offence

LinkedIn is a data controller for the individual’s personal data and knowingly obtaining/storing personal data without the consent of the data controller is potentially a criminal offence. Based on LinkedIn’s terms and conditions, it’s clear that they do not want anyone to take personal data away from LinkedIn:

You agree that you will not:

(b) Develop, support or use software, devices, scripts, robots, or any other means or processes (including crawlers, browser plugins and add-ons, or any other technology) to scrape the Services or otherwise copy profiles and other data from the Services;

(d) ‘Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn’.

Conclusion

Having settled out of court again for failing to satisfy a condition for processing, I’m thinking that they got off lightly. When you think about it, they’re using what personal data is publicly available in a LinkedIn profile to figure out what personal data might be securely stored by LinkedIn. For me, this should impact on the tort of Misuse of personal information. This tort came into force following the phone hacking scandal, where the celebrities were awarded hundreds of thousands of pounds for having their personal phone calls hacked.

This tort deals with the loss of control of personal and confidential information and there is plenty of case law to quote in the small claims court. Damages awarded are substantial – £15,500 in a recent case, so the next time an organisation guesses at my LinkedIn e-mail address, although it might not be sensitive personal data, I’m going to file a substantial claim for unlawful data processing and misuse of personal information. This is because, these organisations are not entitled to process my personal information beyond the LinkedIn platform. They’re not entitled to guess at what email address might be stored in my LinkedIn account.

My last data protection case was in August 2018. The judge said that my case was well prepared, and I went on to win that case. I’m seeing a gradual rise of the no-win, no-fee data protection lawyers so it’s only a matter of time before claiming compensation for breach of data protection rights will be as common place as PPI. And individuals have up to six years to claim.

I currently have an ongoing claim against an event organiser.