Small claims court
I got fed up with the ICO's incompetence so I've been suing companies for the past eighteen months for targeting me with direct marketing. I'm going to continue under the GDPR.
126 posts • joined 14 Sep 2009
The UK is full of arseholes that think that by getting a non-UK based company to send out the marketing texts/e-mails, that they're not culpable. Regulation 22(2) PECR would make the UK data controller the instigator of the marketing e-mails by commissioning a third-party. This is why the ICO's direct marketing guidance around electronic marketing mail is bollocks - you cannot pass consent to an unknown third-party for the purpose of electronic mail marketing because the data controller will remain the instigator of any marketing from the unknown third-party, unless they name the third-party.
I'm just about to file a claim against a well-known double glazing company for £750 in compensation because I receive marketing from an overseas company that promoted their services. They're basically using spammers to target me with marketing e-mails so they're instigating the marketing.
Yet the ICO won't probe the BBC for their use of leaked personal information to expose individuals who had done nothing wrong - as part of their Paradise Papers story. You had BBC reporters approaching women in the street to challenge them about their finances, when THEY'VE DONE NOTHING WRONG!
The ICO should be all over this because there's no evidence that the journalistic exemptions around data processing apply.
I've already started taking companies to court under the DPA and will continue to do so under the GDPR. My main focus is on unwanted direct marketing and it's likely that the no win, no fee solicitors will be jumping on this gravy train once the GDPR comes into force.
Organisations should stop using e-mails, texts and phone calls as a means of getting in touch with potential new customers. It doesn't really work and it will soon be fraught with danger. I've settled out of court on many occasions.
On the recruitment front, I'm about to bring a claim for compensation against Capita (Section 13 DPA) for scraping my profile from LinkedIn, creating a likely e-mail address for me at work and targeting me with direct marketing. I'm arguing that they've unfairly processed my personal information - my work's e-mail address, because they failed to satisfy a condition for processing.
The ICO is still struggling to understand the DPA, never mind the GDPR. I had to get my MP to ask a question in Parliament about the DPA because the ICO couldn't give me a straight answer. And my MP has just asked them a load of questions on my behalf and they can't answer those either. They're hopeless so how does anyone expect us to understand it?
Data controllers need to stop sending us direct marketing unless we specifically request it. Mailing list operators will have to call it a day and the companies that buy mailing lists should be prosecuted.
I only have one domain remaining with 123-Reg and they want £24 for a .co.uk for two years. Notification just came through this morning.
By the way, if anyone has been conned into paying for domain privacy for UK domains, you should claim your money back. Nominet's Legal Counsel has informed me that providing a free opt-out for individuals on the WHOIS database is a key requirement of their fair data processing. Twats like 123-Reg have opted to bury the free opt-out in favour of their fee paying one - unfair in my opinion.
If anyone wants to take action then I'm happy to give you a copy of Nominet's response: www.mindmydata.co.uk
Organisations have a statutory obligation to process personal information fairly and in accordance with the rights of data subjects. No term in a standard form civil contract will likely negate these obligations.
Bearing in mind that it's fairly easy now to file a claim in the small claims court under Section 13 of the DPA, organisations should ensure that their terms are compatible with the view of the Regulator. I say this because although organisations can argue their own subjective interpretation in court, they can be prosecuted if they don't accept the view of the Regulator, or challenge the Regulator's view. My bank was threatened with prosecution by the ICO's Regulatory Action Division when their barristers refused to accept the ICO's view of direct marketing.
It's not about individuals... data controllers must process personal information fairly. Thus, if they disagree with the view of the Regulator, then they should seek advice from the ICO. How many of them do that? How many companies get their customer service staff to tell us that we're wrong and they're right?
If you want to get back at a company that pisses you off, then opt-out of all direct marketing with them under Section 11 of the DPA. Most companies are utterly clueless and at some point in the future, will likely send you further direct marketing. At which point, you can claim compensation under Section 13 of the DPA. I've given £1,500 to charity so far this year by settling out of court with companies that abused my data protection rights.
It's unlikely that a UK data controller will obtain consent from a non-UK data controller as consent has to be obtained fairly. As such, if any UK companies are buying personal data from the US then they'll unlikely have the consent required to target the individuals with direct marketing. And of course, when obtaining information indirectly for direct marketing, they'll need to provide you with a fair processing notice first.
My policy now is to claim £750 in compensation from any UK data controller that fails to process my information fairly or claim compensation in court. Some settle while some opt for court.
While there is no ability for a data subject to challenge the Information Commissioner’s failure to enforce the DPA against a data controller, the recent Court of Appeal ruling that disapplied Section 13(2), means that individuals can now seek compensation in the small claims court.
So I took Halfords to court in February for failing to comply with my data protection rights. Halford's lawyer subjectively argued the merits of the DPA in court and won the case. That cost me £50. I've now submitted a complaint to the ICO that Halfords argued their own unfounded interpretation of the DPA in court and the ICO will uphold my complaint. I'll then file a new claim against Halfords for £750. If they want to go to court to defend it a second time, having been advised by the ICO, then I'd expect the ICO to threaten them with prosecution. However, I'll just keep repeating the process until the ICO prosecutes Halfords. At this point they might agree to settle my claim.
The ICO once threatened my bank with prosecution when they refused to accept the ICO's definition of direct marketing.
Would this be the same ICO that has been telling us for years that there's a three month cut-off for us to submit a complaint about a company's data processing under Section 42 of the DPA but has only just admitted that there is no cut-off? How many thousands of complaints have they managed to dismiss over the years with this bogus cut-off rule?
So Steve Eckersley says that "Depending on the word of another company is simply not acceptable and is not an excuse." Yet in a recent Assessment that I submitted to the ICO, the case officer was of the view that the UK company that had obtained consent from a non-UK company had obtained consent. Another example that demonstrates that the ICO's case officers are clueless.
Actually, consent only satisfies a condition for processing. Data controllers also have to satisfy the first principle so they should provide you with a fair processing notice before contacting you.
Read my latest article.
There's no need to wait for the GDPR to come into force. Since the Court of Appeal disapplied Section 13(2) of the DPA, it's now possible to claim compensation against an organisation without having to demonstrate that you've incurred a financial loss as a result.
I'm in court tomorrow against Halfords because they refused to provide me with answers about how they process personal information fairly. First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions.
Keep an eye out for that unwanted marketing and submit a claim. It only costs £50. Easier still once the GDPR comes into force. Most of the companies that we do business with are likely to be sitting ducks.
According to the ICO's Legal Team, any organisation can process that information without being prosecuted because according to them, personal information found in the public domain does not require the consent of the data controller.
So if Virgin are Company A and they've accidentally disclosed this personal information to the public domain, then Company A could possibly face prosecution by the ICO. Particularly when you bear in mind that being a member of a union is sensitive personal information and a typical CV might contain this information.
Yet according to the ICO, if Company B comes along and decides to process the information that has been disclosed, Company B cannot be prosecuted. Even if they know full well that the disclosure was accidental. If Company B processes this information then the most that can happen to them is that the ICO will tell them that they've unfairly processed personal information and not to do it again.
I'm currently challenging the ICO's view that information found in the public domain does not require the consent of the data controller.
This really irks me because if Amazon.co.uk - a UK facing website, were a UK data controller, then we could just do away with nonsense like this. Under UK law we can opt out of all marketing under section 11 of the DPA. There's nothing that a UK data controller can do to negate this statutory right. In which case, Amazon wouldn't be able to make offers like this because UK organisations cannot make the receipt of direct marketing a condition of doing business with them.
I've clarified this with the ICO on a number of occasions that processing information found on LinkedIn - outside of LinkedIn's terms and conditions, is unfair data processing. I tend to find that desperate employment agencies are the worst offenders. I'm arguing that in some cases, for example, when the organisation has already been advised by the ICO that it's unfair, such process will also be unlawful. The ICO has said that it's not but as is often the case, they've failed to support their view; I'm just supposed to accept the word of their Criminal Investigation Team. Yeah, right!
If you receive e-mails from employment agencies at work out of the blue you should ask them how they obtained your information.
The ICO has recently confirmed (RFA0612308) that ANY information found in the public domain does not require consent to process it. In other words, if this breach were related to UK individuals, then any UK organisation would not be unlawfully processing personal information by processing it - even if they were well aware that it had come from a breach. They'd be unfairly processing the information sure, but not unlawfully because for it to be unlawful - section 55 of the DPA, they would have to knowingly process the information without the consent of the data controller. But according to the ICO, consent is not required for information that is found in the public domain.
I'm not happy too with the way in which Amazon only tell me that the items in my wishlist have been reduced; they don't tell me when they've gone up. I asked them about this last month and they said it was due to an error in the system so I'm keeping my eye on it.
Under section 11 of the DPA, if you ask a UK data controller to stop targeting you with adverts they would also need to remove their own advertising banners that appear in a logged-in website. I went to great lengths to clarify this with the ICO some years ago but it never found its way into their direct marketing guidance.
Direct marketing is marketing by any means and would include even generic banners appearing in a logged in page. This is because the data controller will know at all times who is logged into the account pages. I keep meaning to raise this issue with the ICO again but to be honest, they're so crap I can't be bothered.
The Ombudsman is currently investigating the ICO as it's likely that many thousands of complaints made by the public over the years have been incorrectly assessed so that they support the companies that people are complaining about. The ICO's case officers have been siding with companies because they lack the skill to challenge them.
Nominet don't seem to get it that sending someone an e-mail to remind them that their domain is due for renewal is unsolicited electronic marketing. They can't legally send those e-mails without first obtaining consent and consent is only valid if the individual is given the opportunity not to give their consent at the point their information was collected.
Unless they have a legal obligation to remind their customers, Nominet need to obtain consent - tick box on the domain registration form for example, or send the reminder by post. I'm getting fed-up with setting a domain not to be renewed in the control panel provided by my hosting company but still receiving reminder e-mails from my hosting company and then from Nominet.
The number of UK companies that just don't get it is staggering. And don't get me started on the fee paying WHOIS opt-out that 123-Reg are heavily promoting to the detriment of the free WHOIS opt-out; they won't be doing that for long.
I too hate all adverts which is quite strange because as a kid I used to love them, especially near to Christmas. I guess for me adverts are no longer relevant because I'm not that materialistic anyway but also because I tend to do my own research about any products that I'm looking to buy and no amount of advertising will change that. Why on earth would I accept at face value what I'm being told in an advert when I can get other people's opinions? I often rely on the feedback on Amazon's website for example and in my experience, it tends to be fairly accurate.
Under UK law (section 11 of the DPA), one has the legal right to write to a data controller to ask them to stop promoting their products or services to you BY ANY MEANS. According to the ICO this would include generic adverts delivered while an identifiable individual is logged in to an account. Why do you think Amazon is an EU data controller and not a UK data controller? It's so that they can plaster their adverts all over their pages and on their Kindle Fire and you can't ask them to remove it. If Amazon were a UK data controller then you wouldn't have to pay the £10 to get the adverts removed from a Kindle Fire because it's a statutory right. This is why I want to see all .co.uk websites operated by a UK-based data controller because these sites are aimed at a UK audience.
I use an ad blocker regularly and my version of Amazon's website is very strange because I've blocked every possible advert. I read the Reg at work however and we don't have ad blockers.
To be fair, I don't mind companies making money out of advertising providing that it's their main source of income. What irks me is when companies like National Rail have advertising banners on their website; they should be providing a service but want to make money from it too! My National Rail website at home is so heavily blocked that it's just a couple of boxes in the middle of the screen so that I can check what time my train is running each day. I love the fact that I don't have to view their advertising - it actually makes me happy.
I shop with Amazon all the time but I wish that there was an alternative UK solution. Why can't some well known UK companies come together to create an online portal to challenge Amazon. Amazon are not a UK company and they're not even a UK data controller yet at least 50% of my annual purchases are made via Amazon.
I don't want to shop with individual companies via their websites because they all tend to abuse electronic marketing regulations and they all seem to want to send me a survey. Not interested! Don't want my e-mail address being used for this purpose and that's why I go with Amazon - not the price. If we had a UK shopping platform where I can opt-out of all the marketing and surveys then I'd be up for that.
I regularly submit Subject Access Requests and in response, I am constantly being asked for photo ID as identifying information. I have argued on numerous occasions to the ICO that I'm not going to give any company a copy of my passport or driving licence because of the security risk and because it's excessive.
A data controller can validate me by phoning me and asking me a few questions about my account. Or they could send me a letter to my home address and ask me to quote the reference number on the letter. Or they could wait for the £10 fee to clear and that validates me. Or they could ask me to pay the fee by credit card as that would validate me too!
There are lots of ways that a data controller can be satisfied about my identity without me having to give them photo ID.
The ICO however is adamant that requesting a copy of a passport is not excessive. If the UK's Data Watchdog couldn't care less who sees passport information then what's the big deal? Having said that, the ICO also told me that a year on its own constitutes a date for the purpose of a Subject Access Request. This organisation is not fit for purpose.
I'm about to expose the ICO as not being fit for purpose. My MP is helping me to get to the bottom of why nearly fourteen of my case reviews - where the ICO found in favour of a company, are likely to be seriously flawed. At the moment we're struggling to find someone within the organisation to take ownership of my complaint.
Oh, look, yet another headline grabbing story for the ICO! What they don't tell you is that, for the overwhelming majority of complaints submitted to the ICO about direct marketing, most of them are a total waste of time. A combination of incompetent case officers and a policy of only taking action if they receive lots of complaints about the same company means that most companies can carry on regardless. For example, if Optical Express sent me the marketing and I complained, as long as that company stops sending me marketing the ICO will be happy. The company can carry on abusing the rights of thousands of others unless they too complain. And it's only when enough people complain that the ICO will think about doing anything.
This is a poor use of limited resources in my opinion. If I submit a complaint against a company and the ICO upholds my complaint then they should advise the company of their obligations, give them 30 days to contest the ICO's view, and warn them that any further similar complaints received after 30 days will result in criminal prosecution. Job done! And... the ICO needs to be prosecuting these companies so that we get some precedent because at the moment the Commissioner is just giving his own view. He needs to go to court and get a court ruling so that his guidance becomes law.
The fact remains that nearly every single company that I do business with will abuse my data protection rights in some way. It's an utter failure by the Commissioner.
The other month Amazon decided to send me an e-mail to promote Norton Antivirus despite the fact that I've been opted out of promotional e-mails with Amazon for years. When I questioned this they said it was because I'd spent over £30 with my last order. Since then, I've not purchased anything from Amazon that exceeds £29.99 and it's surprising what bargains you can find elsewhere. For example, I purchased a new TV in August from John Lewis for the same price as Amazon but with a free five year guarantee. Fair enough, I had to pay the postage but still, it's a far better deal.
My point being... I loathe companies that think they have a God given right to promote their products and services to me and this is why I wouldn't consider Amazon Fire TV. If they're not already advertising on the TV then it can't be far off. You're much better off waiting until a product is released by a UK data controller so that you can opt out of all direct marketing - even marketing served to a TV.
I've submitted a number of complaints to the ICO over the years about companies holding on to my personal data indefinitely because they don't have a data retention policy in place. One of those complaints is currently being investigated by the PHSO. In my experience, as long as the organisation can demonstrate that they have a data retention policy in place the ICO couldn't care less. And if they don't, the ICO will just advise them to do so.
The fact that the Authorised Records Disposal Practice puts a three year data retention on MPs expenses then that's fine. However, bearing in mind the public's interest they might want to increase this to say six years.
I've just submitted a complaint to the ICO because they failed to respond to my SAR within 40 days. So here we have a new company that doesn't seem to understand their basic data protection obligations. I'm going to do a data audit on this company over the next few weeks.
I currently have a complaint being processed by the Parliamentary and Health Service Ombudsman (PHSO) where I have outlined the failings of the ICO. To support my complaint I have included a detailed analysis of seven case reviews from last year where the view of the ICO was either wrong or likely to be wrong. These are case reviews too... so for each case review to be wrong it means that two members of staff hold the incorrect opinion: the Case Officer who conducted the original Assessment and their line manager who conducted the Case Review.
In one case I argued that a data controller had failed to comply with my subject access request (SAR) because they held the actual date: day, month, year of when they obtained my information but only provided me with the year in response to my SAR. I argued that a year on its own does not constitute a date and as they held an actual date, that's what they should have provided. As they didn't they failed to comply with my SAR. Three different levels of staff at the ICO: the person who conducted the assessment, their line manager who conducted the case review, and their line manager - who got pissed off with me complaining all held the view that a year on its own constitutes a date.
The organisation works in silos so that two different case workers can give you two different responses depending on who you ask. I'm hoping that the BBC's Panorama team will do a show on it once the PHSO has concluded its investigation.
Webmaster - www.mindmydata.co.uk.
I'm reluctant to do anything more than I have to with Amazon because it's ultimately going to mean more marketing. I've already opted out of marketing e-mails with them. Then the other week they promoted the soon to be defunct Norton Antivirus - See Reg article: Symantec: Antivirus is 'DEAD' – no longer 'a moneymaker'... must have done a deal to farm it on to unsuspecting Amazon customers. Anyway, Amazon sent me an e-mail to promote Norton AV and they said that this was because I had spent over £30.
So I'm opted out of marketing e-mails, so what do they do, just find some reason to bypass it. So I've told them that I will never place an order with them again that exceeds £27.99. And I'm submitting a complaint to the EU Commissioner's Office because I had already expressed a preference not to receive marketing e-mails and they ignored it.
Eff them! The worst thing a company can do is take its customers for granted. Just as Mr Ratner.
We don't need new laws as we have perfectly good but unused laws. Section 11 of the DPA allows an individual to opt-out of all direct marketing from a UK-based company. If parents ensure that they register on behalf of their child then all they need to do is follow that up with an e-mail to the company opting out under section 11. Once opted out, the company cannot legally target the individual with direct marketing by any means, including generic or targeted adverts that appear in a logged in website.
You then follow that up by submitting a subject access request to any company that sends your child unexpected marketing. At the end of the day, the more people complain about these companies to the ICO the more likely it is that the ICO will take action. Buying software only hides the problem. The problem is that companies don't understand the law. www.mindmydata.co.uk.
I wouldn't trust AVG anyway as they target me with advertising even though I've purchased the full internet security product. Free version yes, full product no way. My AVG expires in September and I won't be using them again.
AVG themselves are an abuser of privacy. If I pay for a full version of their product then under UK law they cannot promote their products or services to me if I opt-out under section 11 of the DPA. But they're not a UK data controller so they don't recognise our rights. So despite the fact that I've paid for the full version they still target me with adverts from time to time and try to dupe me into paying for more services.
If I were using the free version then fair enough but I'm not. My AVG licence expires in Oct and I won't be renewing.
For example, anyone buying Amazon's Kindle Fire will have to pay £10 to remove the advertising. If Amazon.co.uk were bound by the DPA you could ask them to remove it by opting out of all direct marketing under section 11 of the DPA for free.
Amazon shouldn't be allowed to operate a .co.uk website either as they don't have a UK-based data controller. A .co.uk website specifically targets UK individuals so the government should require those multinational companies that operate a .co.uk website to register a UK data controller:
As someone who submits, on average, about three complaints to the ICO a month, I can confirm that they are totally useless. I currently have nine case reviews that I need to escalate to the PHSO because the caseworkers that worked on those case reviews don't know what they're talking about. So basically ICO staff are not really interested, and if they were they often get it wrong and ultimately it's an absolute waste of time.
All they need to do is allow individuals to take companies to the small claims court for contravening the DPA or the PECR. Make it a fixed claim amount for, say, £75 and watch how fast the marketing stops.
It doesn't matter what new laws are introduced, the fact remains that the ICO will only take action against a commercial organisation in extreme circumstances.
For example, through a series of subject access requests I identified the order of events that led to me receiving an unidentified PPI text on my mobile phone. The company that sent the text were told by the ICO not to hide their ID in a text - that's it! The company that provided them with my mobile phone number failed to comply with my subject access request. The ICO contacted them on my behalf and told them to comply. We waited another 40 days - no reply. The ICO wrote to the company again, we waited 40 days but still no reply. They've now contacted them for the third time and they're not going to get a reply because the company is likely to be illegally farming mobile phone numbers.
The ICO have informed me that this is the last time they're going to try and it'll then be up to me to spend a couple of thousand pounds to seek a court order under section 7(9) of the DPA to make the company comply with my Subject Access Request. So much for the ICO's big crack-down on PPI companies.