Open Rights Group

Home Data: a new direction Consultation Guidance RESTRICTING THE RIGHT TO COMPLAIN

RESTRICTING THE RIGHT TO COMPLAIN

5.6 Complaints

The Government is proposing to require that victims of abuses attempt to resolve their complaint directly with the offender before lodging a complaint to the ICO.

In our answer to Q5.6.1, we explain how:

  • Contrary to what the Government states, there is no reliable evidence that complaints are “low-value outcomes for data subjects”.
  • The Government misunderstand the role of a watchdog. Complaints are meant to protect individuals, not the irresponsible or malicious organisations that individuals complain about.

In our answer to Q5.6.2, we explain how:

  • There is no reliable evidence that vexatious complaints are being lodged.
  • Individuals may not be able to identify an organisation to complain against, or may fear retaliation from the offender. Complainants are in the best position to judge what’s the best approach to pursue their complaint.

The government proposes introducing a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller before lodging a complaint with the ICO. To complement this new obligation on data subjects, the government is also proposing a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints. To further reduce the burden on the ICO, the government is also exploring whether to introduce criteria by which the ICO can decide not to investigate a given complaint.

Q5.6.1. To what extent do you agree that the ICO would benefit from a more proportionate regulatory approach to data protection complaints?

We strongly disagree that “the ICO would benefit from a more proportionate regulatory approach to data protection complaints” (Q5.6.1). The Government present false evidence to support their views, and they do not seem to understand the function of an “independent watchdog”. Further, it is inappropriate to reduce the duty of the ICO to protect individuals against offenders.

Q5.6.1a. Please explain your answer, and provide supporting evidence where possible.

The Government define proportionality in terms of the value being delivered to data protection fee payers (see §381). The Government also attributes this statement to the ICO “Annual Report and Financial Statement 2019-20”. However, this statement is false: the ICO never characterised the complaints they received as “low-value outcomes for data subjects and poor value-for-money for data protection fee payers”. On the contrary, the ICO defines the rising number of complaints as follows:

This is positive, and demonstrates the impact of our efforts to raise awareness of individual rights and shift in our position from an ombudsman to an enforcer of the law”

Further to that, we remind the Government that the ICO is a Regulator whose duty is to monitor the organisations paying the data protection fee. The functioning of a watchdog cannot be measured on the “value” that it restitutes to the entities it is supposed to hold to account. Instead:

  • Complaints are meant to protect individuals by giving them an avenue to redress.
  • Complaints are not meant to protect irresponsible or malicious organisations from the complaints of their victims.
  • Regulators should act upon complaints rather than scrutinising the procedure that complainants adopted to lodge their complaints.

Finally, the Government could reduce pressure on the ICO to handle individuals’ complaints by implementing article 80(2) of the UK GDPR, and allow public interest organisations to rely on private enforcement to uphold the interests of categories of individuals whose data rights were violated.

Q5.6.2. To what extent do you agree with the proposal to introduce a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller prior to lodging a complaint with the ICO (with guidance and exemptions)?

We strongly disagree with “the proposal to introduce a requirement for the complainant to attempt to resolve their complaint directly with the relevant data controller prior to lodging a complaint with the ICO” (Q5.6.2). This would benefit offenders, while further complicate or hamper complainants’ avenues for redress. It could also expose victims to further harm or risk by requiring them to interact with the offender.

Q5.6.2a. Please explain your answer, and provide supporting evidence where possible.

It is worth stressing that there is no reliable evidence about complaints being lodged in a vexatious manner or for reasons that could have easily been resolved by contacting the organisation subject to complaint. On the contrary, the ICO stress in their annual report that complainants usually contact the ICO only after having received unclear or untrustworthy information from the organisation they complain about.

when data controllers fail to fully explain to complainants how they have arrived at a decision, understandably the public turns to the regulator. […]

In around half of the cases that we looked at in 2019, we found that there was more the data controller could have done to either improve their information rights practices, or explain in a more comprehensive way how they are complying with their legal obligations. Consequently, this year we have asked data controllers to revisit concerns and do more to assure themselves and complainants that they are complying with their obligations under the law.”1

While there is little evidence that it would bring any benefit to the ICO, it is rather clear that imposing a legal duty to attempt to resolve complaints directly with an organisation would constitute a serious hindrance to the right to complain. Ultimately, victims are in the best position to judge whether contacting the offender before complaining to the Authority is the best course of action.

Indeed, there are instances where the complexity and opaqueness of digital ecosystems make it difficult, if not impossible, to identify an organisation to complain against. For instance, this is the case of adtech, whose surveillance advertising practices are the result of a vast network of intermediaries that share personal data of individuals without any security or privacy consideration.

However, complainants must be able to rely on the ICO even if they cannot identify or contact an organisation, as doing otherwise would effectively deny them redress.

Finally, we cannot but stress the irrationality of obliging the victim of an offence to negotiate with the offender. There is no reason why we shouldn’t expect that an irresponsible or malicious organisation may not leverage on the duty of the individual to contact them first to:

  • Sway and manipulate complainants, or otherwise adopt delaying tactics to undermine complaints at their origin.
  • Bully, intimidate or threaten complainants to persuade them not to lodge a complaint.
  • Use their interaction with complainants as a warning to shred evidence of malpractice or otherwise prepare to avoid accountability.

Ultimately, in real the real world victims do not have a legal duty to resolve their issues with the offenders, are there is no reason why data protection abuses should be treated differently.

1ICO, Annual Report 2019-20. Available at: https://ico.org.uk/media/about-the-ico/documents/2618021/annual-report-2019-20-v83-certified.pdf