A bleak and dreary Shrove Tuesday in Manchester saw my debut appearance in the Small Claims Court, an experience I found fascinating and infuriating in equal measure.
The issue was in relation to the processing of my personal data by internet
Koi’s formal defence to my claim was that
My claim was therefore on the basis that Koi had been unlawfully processing my data and sent marketing in contravention of Regulation 22 of PECR. Their marketing had included, amongst others, spam on behalf of a gambling firm, along with companies called Property Rescue, 1ClickHomeLoans and some low grade credit providers.
In the hearing itself, it soon became apparent that there were some procedural errors with some of my evidential submissions, which immediately put me on the back foot, although we soon got down to business about whether they had valid consent. My argument was essentially twofold, a) I hadn’t completed the form and b) even if I had, it didn’t constitute valid consent, as required by Regulation 22 of PECR.
The Judge firstly found on the balance of probabilities that I had completed the survey. She essentially said it was for me to prove that I didn’t and asked what evidence I was relying upon to support my position. I pointed out it was difficult, if not impossible, to prove such a negative, which she offered some sympathy towards but ultimately stressed it fell on me as the complainant to prove my case.
She then turned to whether the consent was valid. One of the documents I’d submitted was the ICO’s Direct Marketing guidance, which of course makes it very clear that indirect consent is almost impossible to achieve for electronic marketing. It also explains quite clearly that things like pre ticked boxes are a no no, consent doesn’t last forever and can’t be onward shared, all of which I thought were against Koi here. I also highlighted the definition of consent in this context was related to the European Directive 95/46/EC. The Judge said she wasn’t bound by that but would use the definition nevertheless. However, she also referenced that consent had a natural meaning through contractual law and I felt like I struggled to distance her from the more everyday meaning of the word. After some debate around these points she essentially concluded the wording was sufficient for an organisation like Koi to send me a range of marketing so long as it was for the sectors listed. I pointed out that the statement made no reference to Koi and that Interactive’s partners essentially could amount to any organisation, at anytime. She basically nodded that yes that was what I’d agreed to and therefore found the consent was valid. The claim was therefore dismissed.
It seemed to me that the Judge didn’t appear to be particularly knowledgeable about the rules around Direct Marketing and I definitely erred by not making enough explicit references to the legislation within my case. At one point there was a suggestion that I might have been seeking dual remedy as I’d already asked the ICO for an assessment as to whether there had been a breach. Obviously I was quick to highlight that the ICO specifically direct individuals seeking redress to the Court, but I was somewhat surprised to be having to explain that at all.
Whilst I wasn’t at all confident of being awarded damages, I hadn’t expected to lose the decision on the basis of consent, especially where such a conclusion appears to contradict both the ICO’s extensive guidance, and more worryingly, the legislation itself.
In their response to the ICO’s standard letter, Koi commented
“As an aside, we have recently held several meetings with our lawyers to discuss the implications and action points of the incoming GDPR legislation, around which there has of course been much discussion lately. We are fundamentally committed to remaining 100% compliant to both current and future legislation”.
Koi also run https://uk.jobinaclick.net/, on the surface a jobs board but one that appears little more than a data harvesting model, as the terms confirm that once you’ve given them your data “you acknowledge that we will not process any job application or submit any information on your behalf to any recruiter in respect of any job”.
It’s a compliance car crash but a model they appear keen on, as they replicate it on their travel site too http://uk.fortravellers.co.uk/index.php?module=site&method=terms
If you want a holiday or a job, it might be wise to look elsewhere.