The Competition and Markets Authority announced a proposal in March to deal with the problem of so-called ‘disengaged’ customers, those who defy the market by sticking with their energy company rather than hopping from one to another. The idea is to force the providers to identify those who don’t switch, and create a central database to which all will have access for marketing purposes. After a consultation exercise, the final shape of the proposal will be announced this month. When interviewed on the Today programme at the time, a CMA spokesman denied that those on the list would be bombarded with marketing, although he conceded that they would be bombarded with “information”.
The list will contain names and addresses (although that wasn’t the CMA’s original intention), and access to it will be supervised by OFGEM. The ICO responded to the development with an intriguingly terse statement that simultaneously acknowledged that the CMA had consulted them, while stopping short of an endorsement. I made an FOI request to both the CMA and ICO to ask for information about what was discussed. In an astounding coincidence, I received replies from both on the same day, with relatively little use of exemptions. There are two strands I’d like to pull out, neither of which is cause for celebration.
Firstly, the CMA’s approach to the customer is to treat them like fodder for the market with no appreciation for the fact that they are also human beings. CMA wanted to include phone numbers and email addresses in the dataset, which would have exposed millions of people to a torrent of spam, tacitly approved by the state. It’s not hard to imagine some of the less ethical companies pretending they can ignore TPS and previous expressions of customer wishes on the basis that the OFGEM list has state support (PREDICTION: some of them will use appending services to add phone numbers or emails to the OFGEM list, and do this anyway). Among the many questions they put to the ICO was when and how consent could be “avoided”, either for specific instances or for the proposals overall. The CMA wanted to know if consent could be ‘opt-out’ or “indirect”, especially over proposals like automatic access to half-hourly data from smart meters, or price comparison websites getting access to customer data.
It’s telling that the CMA confirmed to me that they have not carried out a privacy impact assessment of their proposals – their explanation for this was that they have “not made a final decision yet on the implementation of the database remedy (ie the database remedy is a provisional remedy)”, ignoring the fact that you do a PIA precisely at the stage when things are up in the air, rather than after you have made your final decision. It’s also surprising that the ICO does not appear to have suggested that the CMA should do a PIA: there is no record of it anywhere in the emails and notes disclosed to me.
The other problem is the ICO’s approach to big proposals like this, and in particular, their desire to maintain good relationships with big data controllers, or ‘stakeholders’ as they like to call them. I’ve asked several times for the ICO’s definition of ‘stakeholder’, but they cannot oblige. For example, a meeting was held about the GDPR in February for specially selected stakeholders, but ICO could not tell me how the attendees were chosen by the Strategic Liaison team (i.e. the ones who dealt with the CMA). On a purely selfish note, this means that other DP consultants were invited as stakeholders, but because there are no criteria for the invitation, I can’t challenge why I wasn’t. You might not care about this, but it’s not a very transparent way for a regulator to behave.
Of course, sometimes the stakeholder approach bears fruit. It was contact with the ICO in this case that made the CMA recognise that their proposal couldn’t easily be reconciled with PECR, and so they dropped the idea of including phone numbers. This was merely a reflection of reality, but more positive is the fact that the CMA stepped away from disclosures to price comparison websites after the ICO said that it was ‘not comfortable’ with the idea. As an internal CMA email observed: “PCWs are data traders and it would be difficult to see how they wouldn’t mix up this valuable dataset with their other data and wider work”. My only criticism of this is that, while I agree with the ICO that PCWs should be seen primarily as list brokers rather than organisations providing a service to the public, where is the ICO warning to the public about this? They’re happy to discourage the CMA from a direct association with them, but there’s no advice for the public about the risks of using a price comparison website.
The most worrying aspect of the ICO’s involvement is over the issue of consent. One of the most widespread misconceptions about Data Protection is that the use of personal data always requires consent; it doesn’t, and I never miss an opportunity to point this out. Consent is one of several options – legal obligation, contractual obligation and the need to prevent life or death harm to individuals are among the others. However, there is a big difference between an organisation deciding not to rely on consent, and the ICO steering them away from it.
The CMA never wanted to use consent for this plan – the approach to consent in all of their correspondence is that it should be either opt-out or avoided altogether. What bothers me is that the ICO effectively endorsed that approach. Their own internal note of a meeting makes this explicit: “ICO confirmed that the best approach (my emphasis) was to issue an order mandating sharing and rely on condition 3, but provide a clear opportunity to opt out”. Best for who? Where is the data subject in the ICO’s thinking here? The CMA’s notes of the same meeting state that this approach “would not raise concerns under the DPA”. If you’re going to tell me about the opt-out, let me remind you what the ICO did when HSCIC failed to respect opt-outs from a legal obligation: nothing for quite a time, then an undertaking issued only when it suited the Department of Health*.
I am one of the disengaged customers. I moved into my house in 2001 and I haven’t changed energy supplier since. Yes, this might cost me money, but it is a conscious choice. I do not want to engage with the market. I do not want to switch to an alternative provider whose prices are lower because their customer service is terrible. I do not want to give my data to price comparison websites who will then flog it to anyone who feels like buying it. The ICO themselves revealed the complex web of intermediaries that led to PCW data ending up in the hands of the Better Together campaign. Of course, I only know about this because it was discussed at a Data Protection Officer conference with Data Controllers, not because the ICO did any publicity about the PCWs’ practices that might have reached data subjects.
The ICO is too close to their stakeholders. I’ve written before about the uncritical, supportive relationship between ICO and NHS England / HSCIC over Care.data. In the past few weeks, Ian Bourne, Group Manager in the ICO’s Policy Delivery team, was bemoaning the future at a seminar organised by Privacy Laws and Business: “the ICO’s traditional ability to be flexible and business savvy will be under much more scrutiny from other DPAs”. In other words, the GDPR’s consistency mechanism will stop the ICO telling organisations what they want to hear, and force them to take action on principles other than the Seventh. The former Director of Data Protection, David Smith, left the ICO for a special advisory role with the law firm Allen & Overy, while Martin Hoskins revealed the current Commissioner Chris Graham has graciously announced that he will not represent any organisation to the ICO for at least a year after he leaves office, as if it would be any better then than not at all (note to the ICO’s FOI people: if the regular FOI requests I make about this in 2017 get annoying, blame Hoskins for drawing my attention to it).
I can’t say that it would be a breach of the DPA for the CMA to get a legal power to force companies to provide the personal data of disengaged customers to OFGEM. Processing based on a legal obligation is lawful. I can’t even say that the ICO should have pretended that it wasn’t an option. But when I asked above, ‘best for who?’, the answer to that is ‘best for the CMA’. In the end, the ICO gave advice that suited the stakeholder. The market-based priorities of the CMA were given precedence over the rights of millions of people to be left alone, including myself. The only appropriate position here for the ICO is neutrality. Given the power imbalance between the CMA, the energy companies who will get access to the data, and the ordinary citizen, if they were to favour any option (and I would understand if they refused to), ICO should have chosen consent. Of course, consent won’t achieve the CMA’s objectives of exposing millions of customers to the thrill of market forces, but that’s not the ICO’s problem. All ICO should be doing in this situation is telling CMA what would be a breach.
One of the many reasons to hope for a successful implementation of the GDPR in the UK is that it will shock the ICO out of its cozy relationship with stakeholders. The Regulation explicitly reserves its highest penalties for areas (fair processing, consent, subject rights) that the ICO ignores in favour of enforcing on self-reported security breaches. It also gives the Commissioner an obligation to provide advice where high risks are identified – the emphasis being on the risk to subjects, not the fact that the organisation is on some list of friendly stakeholders. I don’t think the ICO is remotely prepared for this, either in terms of resources or in terms of attitude, but it can only be a good thing. In the meantime, if you haven’t switched your energy supplier recently, your data is up for grabs.
UPDATE: Ofgem have announced that the plan is going forward, but while their announcement is strong on reassurance about security, it’s very weak on wider DP fairness and PECR to the point of not mentioning them.
Sadly, I wrote this before the Brexit vote, and so my optimism about the consistency mechanism was probably misplaced. We will still probably implement the GDPR or a close relative, but the immediate solution to the ICO’s ‘stakeholder’ blindness is much more uncertain than it was.
* I made a separate FOI request on this topic, and will blog in more detail about it on another occasion.