2018-08-06

GDPR: Secret black lists

I think I have this right, but it seems rather concerning to me with the way GDPR has tightened things up so much there looks to be a concerning loophole.

I say loophole, it is there for good reason, but even so.

The GDPR is an EU-level document — a regulation — and regulations apply automatically in Member States, without the need for national implementation. The GDPR is a bit of an odd regulation though, as it contains a reasonably large number of areas where Member States are permitted to implement national derogations.

The UK’s new data protection act — the Data Protection Act 2018 — came in with the GDPR, repealing the previous Data Protection Act 1998. The Data Protection Act 2018 does various things, and one of them is to set out certain exemptions to some of the provisions of the GDPR.

For example, the Act exempts a data controller from complying with some aspects of the GDPR where they are processing personal data for "prevention and detection of crime", and where applying the GDPR’s provisions would be likely to prejudice that. This includes provisions dealing with subject access, as well as the right of rectification. This is, in principle a good idea, but I think I can see a problem - "black lists".

I know someone that recently tried to buy an item on-line and the order was cancelled as their email/number is, according to the retailer, on a "fraud list". The obvious answer (on basis that they have not committed any fraud) is Subject Access Request and a demand to have the data corrected.

However Data Protection Act 2018 SCHEDULE 2 part 2 says otherwise. Most of the rights you have, like Subject Access Request and rights to correction of the data simply do not apply where the data is for the purpose of preventing and detecting crime - which could be argued here.

There is a caveat "to the extent that the application of those provisions would be likely to prejudice any of the matters" but I am not sure that helps.

Even arguing it is wrong to be on the list is not clear, what if the list was "the following email address or phone numbers have demonstrated behaviour which is consistent with the behaviour demonstrated by fraudsters" - it could be correct to be on the list. i.e. being on the list may not mean you have committed fraud or are being investigated for doing so, simply that it could be a list useful for preventing and detecting crime.

But as you may not even know of the list (though in this case the retailer said so), let alone its purpose, or what of your data is on it, why and how, then there is no way you can know or do anything about it!

So it looks a lot like secret blacklists of people are completely allowed by GDPR. Am I wrong? Is this morally wrong?

[Some paras courtesy of Neil, thanks for the explanation of how GDPR applies to UK]

3 comments:

  1. I think you are being a bit pessimistic about the way judges will interpret the act (Neil will no doubt correct me if I'm completely wrong).

    I see the exemption quoted as being heavily restricted by the caveat - you have to demonstrate that the application of those provisions would prejudice criminal investigation, and thus have to be careful relying on the exemption. If you lean on the exemption too far, there's nothing stopping the court from saying "you were not reasonable in relying on the exemption, so you broke the rules, and not just for this case but for any cases where you relied on the exemption".

    Thus, taking the fraud list - I can't see how you could say being unable to find out that you were on the list was a matter of "detecting and preventing crime" unless the police are actively investigating the list member who asked; further, correcting the list should be possible, as there's no crime prevention benefit from falsely blacklisting a law-abiding citizen.

    Once you get into "behaviour consistent with fraudsters", you're on even weaker grounds - you don't have a direct crime prevention reason, you're just saying that there's a correlation here, and I would expect that you can't lean on the crime prevention exemptions in this case; after all, I could claim that being diabetic is correlated with crime (as people who've gone hypo- or hyperglycemic are likely to misbehave), and thus I'm exempt from the GDPR in as far as I use my list of diabetics to allow me to refuse service to people who might have a hypoglycemic moment in my store.

    ReplyDelete
  2. I’m more sceptical - and the mainstay of your comment is mostly predicated on it getting before a judge, which must be the tiniest fraction of all data protection issues.

    (But bear in mind there’s nothing new here; this exemption is the same as under the DPA1998, and that didn’t spark any litigation that I can think of.)

    ReplyDelete
  3. It seems to me that this is much like credit checks - being refused credit because you have been deemed a high risk doesn't have to mean that any database has directly said you've previously defaulted on a debt. It could simply mean that a database has contains (possibly accurate) information that can be used to infer that you're a risk.

    e.g. a credit record that says you have never had any credit may be completely accurate (so nothing to correct), but can still be used to infer that you're a high risk compared to someone with a proven record of repaying debt.

    I can think of numerous other examples where accurate data can be used to infer risk: "fraudlike" bank transactions don't mean you have committed fraud, but infer a risk that you may have; "spamlike" emails don't mean that you're a spammer, but they infer a risk that you might be. In all of these cases, the information itself may be completely accurate, but the way it is analysed may have generated a false positive.

    That said, GDPR does provide some recourse where automated decisions are being made to your detriment... I'm not sure those provisions will actually help much in real cases though.

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.