One of the great myths and misunderstandings of the modern era is the idea that the Data Protection Act exists to protect your personal privacy - it doesn’t.
The purpose of the Data Protection Act is to ensure that personal data is processed according to a number of key principles, these being that personal data must be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. not kept longer than necessary
6. processed in accordance with the individual’s rights
7. secure, and
8. not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual.
Note, the 7th Principle states that personal data must be processed securely and, in Data Protection law, ‘securely’ does not automatically mean ‘privately’.
How do I know this? Because in my last job I was the registered data controller for my employer and therefore the person most directly responsible for compliance with the Data Protection Act - and this is also why I note, with the usual mixture of amusement and frustration I experience on such occasions, that the erstwhile Guido Fawkes and others, including rather surprisingly Tim Ireland of Bloggerheads etc., are currently barking up entirely the wrong tree in trying to chase down Zack Exley over the inclusion of tracking links in a number of Labour Party e-mails during the election campaign.
I must admit to wondering quite where Tim was going with making subject access requests to the Labour Party during the election campaign - now I understand.
Now, ok, I’m not going to lay into Guido quite as heavily as I might on other occasions for getting things so badly wrong. The Data Protection Act is a horridly complex and arcane piece of legislation when you actually understand it, let alone when you don’t - which is why it’s so often misunderstood, but let’s try as best I can - without getting too far into the intricacies of the Act and the Privacy and Electronic Communications Regulations, also cited by Guido - to explain why he’s wrong in asserting that the Labour Party broke the current ‘e-laws’.
The first thing to understand is the matter of ‘consent’ in Data Protection.
When you consent to your personal data being processed, as everyone receiving these e-mails will have done as they were sent only to party members and others registering through Labour’s website, what you are actually consenting to is the processing of your personal data in accordance with the various purposes registered by the Labour Party in the Data Protection Register - Labour’s main entry is actually here.
Data controllers are not required to seek your express consent in order to process your personal data in a particular manner, if that manner is specified in their register entry and, equally, they are not required to seek your express consent for disclosure of your personal data to a third party if the nature and purpose of that disclosure is specified in the register - the practice adopted by many websites of seeking express consent for third party disclosure is part convention forced upon them by privacy conscious netizens but mainly because such disclosures are generally made to third parties who will use that data for their own purposes and not for a purpose covered by the registration of the company collecting the data in the first place.
So when Guido complains about data being passed to a private company - Email Reaction - he does so incorrectly as the Labour Party’s own registration permits such a disclosure to an employee or agent working for the party for the purposes specified on the register and such a disclosure is not, of itself, a breach of privacy as this would only occur were Email Reaction to sell on or use the data for another third party of whom you were not aware at the time of giving consent. Guido has, therefore, no cause for complaint so long as the data passed to Email Reaction is used only for the purpose of their work on behalf of the Labour Party and is not made available to any other third party.
Why were you not told this? Because the Labour Party is under no legal obligation to tell you. Consent in Data Protection is a simple matter of caveat emptor - if you want to know what your data is going to be used for and how it may legally be processed before giving consent then it’s up to you to consult the Data Protection Register and find out for yourself.
As regards the spyware and link tracking issue highlighted by Guido, again he is rather mistaken in his interpretation of the regulations, particularly in trying to assert that this somehow contravenes the regulations as they relate to obtaining information via misrepresentation.
This particular offence relates specifically to the practice of phishing in which the recipient of an e-mail believes themselves to be responding to one party only for their personal data to actually be sent to another, unrelated, party - this is commonly used by fraudsters as a means of illegally obtaining bank account details and other information for the purpose of committing a financial fraud.
In the case of the Labour Party e-mails, while you may not be aware that tracking information is being sent back to Email Reaction rather than the Labour Party, or even sent back at all - unless you examine the source code of the e-mail as I invariably do - this does not mean that the information is being obtained by misrepresentation. Email Reaction were clearly acting as an agent of the Labour Party and therefore entitled to collect data on their behalf - the practice of using hidden tracking links may be ethically questionable and therefore certain to cause annoyance, especially to experienced and generally very privacy conscious netizens, but it is not intrinsically unlawful.
Nor, indeed, can anything be read into the removal of tracking links following Guido’s exchange of e-mails with Zack Exley other than the simple fact that Exley has been around long enough to know exactly the kind of reaction that news of these links would provoke amongst seasoned netizens and that this would be far more damaging to the campaign than any possible threat of litigation over their presence - never, ever, underestimate the power of a good old fashioned slashdotting when dealing with someone who makes his living from his knowledge of the Internet and Internet technology, especially when, as in Zack’s case, your reputation already precedes you and you have a knack of making a fair few online enemies.
Once you understand this you understand, in addition, how thin Guido’s argument is.
From what I can see he has but two arguable points in his piece and one of those, for the moment, only because I’m blogging from the office and therefore unable to double check my own e-mails for the presence of an opt-out link.
The absence of an opt-out link or other cancellation information would breach clause 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003, although it should be noted that the regulations state only that recipients must be given a ‘simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing’ and that this need not necessarily be an opt-out link but simply instructions on how to opt out - the usual ‘send a blank e-mail to opt-out address’ used by many listservs is equally valid under the regulations.
That just leaves the ‘charge’ of failing to provide information under a subject access request within the specified time of 40 days.
Well - and on this occasion I’ll not be holding back so much - Guido needs first to check his facts a little more carefully as in claiming that:
Melanie Onn, the Constitutional and Legal Officer for the Legal and Financial Compliance Taskforce for the Labour Party stonewalled on giving answers to all questions and requests prior to May 5.
… he neglects to mention that Tim Ireland’s subject access request was actually fulfilled on April 29th - although admittedly only after a fair bit of badgering and some 10 days late - Sorry Guido, but if you’re going to make allegations then you need to remember the trouble Andrew Gilligan got into over the matter of a simple lack of equivocation.
Even then, whether Guido, Tim or anyone else, for that matter, could make a complaint of non-compliance stick is open to question, particularly if the subject access request made specific reference to data being collected/held by Email Reaction and not directly by the Labour Party, and not, therefore, necessarily in the Party’s possession at the time the subject access request was made.
Any such claim must also take into account the ruling of the Appeal Court in Durant vs Financial Services Authority, which considerably tightens the legal definition of what constitutes personal data for the purposes of the Act in a manner calculated to prevent it from being used to conduct a ‘fishing expedition’ - much as one might well argue was conducted by Tim if one were a lawyer acting for the Labour Party. Just because information is collected it does not necessarily follow that it is either processed or stored immediately in what would now be considered a relevant filing system or that it is subject to disclosure under a subject access request.
In other words, and with the qualification that I’ve not had chance to check for opt-out links in any of the e-mails I personally received, it looks very much like Guido’s blowing smoke for the time being and needs to come back with something rather more substantial if he’s to make a worthwhile case.
UPDATE - 6:35pm
Just got home from work and checked through every single e-mail I’ve received from the Labour Party since around November of last year - so this includes a number that I get as a member of the Party and I can find only three in total which do not have an unsubscribe link in them - and none of these are the disputed e-mails which have the tracking links in them.
Actually, in the interests of precision, of the three that don’t have an unsubscribe link one is a newsletter for party members and the other two are what I would consider more personal as they come directly from a local constituency office, even if they are advertising a trip to Brussels for a meet and greet with an MEP.
With that in mind I’m now inclined to challenge Guido directly to produce one of the e-mails that he claims did not contain an opt-out link and I will then check it against my own copies to verify this.
The comments section is open Guido…


