I have what a lot of people would call a blacklist.
I call it a blocklist because I can’t shake off the sense that ‘blacklist’ is a racist term. Our language is often coded in ugly ways, and ‘blocklist’ does the job. I maintain a list of people and organisations I will not work with. It is very short, and the qualification for entry is very simple: they didn’t pay me last time. Nearly everyone pays me quickly without chasing, a few need a nudge but then they cough up, and only occasionally does someone slip through the net. I will not deal with them again. I am not an activist or a charity – what I do is primarily a job, and the basic principle of any work is that you are paid for your labour.
A few days ago, the BBC reported the problems experienced by restaurant owners in Wales when booked customers don’t show up or cancel last minute. One solution that many are using is the automatic deposit. The alternative is some form of banned list – fail to show up and next time, your booking will be refused. Of course, this involves the processing of personal data, so what are the implications?
“Blacklists” are often run for discriminatory or other illegitimate reasons – in the DP world, the most obvious example is the construction industry’s shameful secret blacklists that denied work to scores of innocent people for no more than being involved in unions or raising health and safety concerns. Careers were blighted and lives were ruined. Those lists were unethical and plainly unlawful, hence the Information Commissioner’s enforcement against the ‘Consulting Association’ (i.e. the late Ian Kerr) who ran it and the construction outfits who used them. If you haven’t read “Blacklisted”, the gripping book about the scandal by Dave Smith and Phil Chamberlain, I cannot recommend it highly enough.
However, deciding for *legitimate* reasons that there are people you don’t want to do business with and wanting to remember who they are isn’t inherently a GDPR breach. The biggest problem with using personal data to exclude customers is transparency. If you’re on my blocklist, you’ll know because I told you. A secret blacklist is likely to be unlawful automatically as there aren’t any exemptions that would allow for the lack of transparency.
A business that intends to refuse future service to no-shows has to say so as part of the booking process and inform a person when they are banned. This is useful for me because when I contacted two weirdly silent organisations to say their employees couldn’t book my courses anymore, they instantly paid their debts. In both cases, I think I was being ignored by a specific person; the finance / senior people knew nothing about it and immediately wanted to put it right. They’re not blocked any more.
I can see two possible lawful bases for processing data in these circumstances – either a ban is necessary for the performance of a contract, or maintaining it is in the legitimate interests of the controller. I think you could argue the case for either depending on the nature of the booking but my preference is for legitimate interests. If restaurants don’t fill their seats (and artisan trainers don’t get paid), they go out of business. It would be unfortunate if a person had good reason to cancel and was then banned, but ultimately, even if you were banned from booking at an entire chain of restaurants, it wouldn’t be a significant infringement of your rights. Other places to eat / data protection trainers exist. It would be different if the information was shared and the impact was wider, but we’ll come back to that.
I say the above confidently on the basis that a) the reason that a person is banned is objective and b) it’s transparent. I think I’m on safe ground because my criterion is so basic. If I expanded the reasons (e.g. the person is annoying), I would have to consider both fairness and accuracy. The moment opinions come into it, the risk that the processing becomes unfair increases. Here again, restaurants and other small businesses who operate a transparent process where they refuse to serve people who cancel at the last minute without good reason or (especially) don’t show up are likely to be able to justify it. Behaviour-based bans or blocks need to be much more nuanced and well-judged.
UK GDPR gives people rights, of course – a person can ask for their data to be rectified or erased, and they can object to processing based on legitimate interests. Once again, in these specific circumstances, I think a list of banned customers can survive. If a business sticks to a simple, factual criterion – you booked and didn’t show – then there’s nothing to rectify if that is true. Even if you didn’t show for a very good reason, it’s up to the business to decide whether that makes a difference – the data is correct.
Objection / erasure is more dicey. Article 21 objections can be based on the subject’s “particular situation”, and the organisation needs “compelling legitimate grounds” to overcome such an objection. So if the individual can lay out a good reason why they didn’t show up, should the objection to the processing be upheld? This is a subjective question. I think wanting only to deal with people who show up and then pay the bill is a compelling legitimate ground for a business to rely on. If you don’t get paid, you go out of business. For a micro-business like mine, the tide would quickly fill the hole I left behind, but a restaurant has staff and suppliers, all of whom need that business to stay afloat. I don’t think refusing the request would be unreasonable.
The last issue to think about is arguably the riskiest of them all. My case in favour of banning no-shows and non-payers is based on a simple and I think fair proposition – if you let me down, I don’t want to deal with you again. The challenge comes with disclosure and data pooling. I will never share the few names on my list and I won’t refuse to deal with someone based on what someone else has told me. I might have heard about one or two nightmare-sounding clients where I will be mysteriously busy if they ever approach me, but I’m not recording that anywhere.
Even if businesses only share facts like no-shows, the risk of processing received data unfairly is significant. How do you know the data is true? If you refuse to take a booking from someone because someone else said they didn’t show, is that fair on its own terms? More importantly, what if the data is false? To process such data would be a double whammy of unfairness and inaccuracy.
If the data being pooled is anything more than easily provable fact, the problems are magnified. The discrimination and unfairness that underpinned the spreading tentacles of the Consulting Association could never be lawful, but even if a business is sharing information about abusive customers or those who cause damage, any lack of objectivity or difficulty verifying the data would be significant hurdles.
For some readers, the idea of refusing people service because of an innocent mistake or last-minute problem may seem unjustified or unfair. I have no hesitation in agreeing that using personal data to ban or block people in any context beyond social media is a tricky business. Fairness and data quality are obvious hurdles. I believe it is impossible to create a secret blocklist for commercial purposes. Shared blocklists – even if transparent – present huge, possibly insurmountable problems.
But these are hard times for everyone – not just for individuals, but for businesses. Restaurants need to pay for premises, staff and the food and drink that they serve. They need to fill as many seats as they can to stay afloat. I’ve eaten in government-run establishments and my word, they made me value the vibrancy of private sector hospitality. It’s an essential part of any civilised society. So with all the above caveats (especially transparency), I think a properly-run blocklist is a legitimate approach.