Sunday, May 17, 2015

Progress Part 3

...carrying on from Part 2:

After a fair amount of digging and acquisition of evidence via SAR, I now had enough to make an informed decision on whether or not to take legal action.

To me this was a serious and significant breach far in excess of a normal situation. It was above and beyond the usual spam scenario as I had been subscribed to services I had not consented to, and been forced into subscription policies I had not reviewed (or even known about). Essentially as a self-employed worker my resume is my sales pitch - if my competition gets a hold of it they could refactor parts of my resume approach into their own and I would potentially lose my competitive edge (my unique selling points) and therefore lose revenue. Having some unknowns in Pakistan scraping these details from jobs boards for free, then selling them on to the highest bidder beggars belief.

What really pushed the decision for me was when another person with whom I'd had contact reported that another flurry of negative Twitter-verse activity had occurred that week - for exactly the same reason as in December and January. Even after all the correspondence and negative feedback they were still doing it. Someone had to do something.

If you find yourself in a similar situation and decide to press for damages in the courts, take the following points into consideration:
  • Have a list of items for damages, each with supporting evidence
  • Make sure you can explain each item on this list to the courts - who may not necessarily share your understanding of data, its management or ownership
  • Be prepared for legal aggression from the outset. A standard trick across all specialisms of law seems to be an initial threat of return action
  • If there is a clear and describable breach of the DPA and / or PECR with evidence, the defendant is still breaking the law, so do not take the defendant's legal representatives' threats as fact
  • A number of people I know in law - including relatives - have reminded me that there are guidelines for dealing with aggression. The Law Society has this LiP page; of particular interest is section 3.1
  • Get a copy of the consent form you signed for the organisation in question to hold your data. They won't be able to provide this of course, because you never gave your consent

I had some very good opinions from a lawyer I found online who specialises in this particular area of law. Although he was clear that he could not provide guidance or advice he gave me some good, solid facts and great reference material.

So the chain of events was a breach of the DPA and PECR, confirmed with evidence in writing from the defendant. I also maintained a list of damages covering the initial damage claim (£500, plus £35 costs) which was in excess of £1000. The aim was to provide the courts with a list of items and the courts would decide which of these was recoverable. After no response for four weeks to a Notice-Before-Action (NBA) notification I raised papers via MCOL - which took less than 10 minutes.

I claimed nominal damages from My Job Matcher and we settled for £400 (plus court costs). Most of the time the defendant will try and get you to sign a gag order - it'll have some covenants such as deleting tweets, blog posts or publications, and a form of no-contact directive.

I negotiated the settlement with MJM's legal team (Birketts) without the gag order. One thing I should make clear in the interests of fairness is that they settled without admitting liability to the claim. Whilst I was fully prepared for the day in court it was a relief to settle.

My Job Matcher's Twitter profile no longer seems to be under heavy fire from complainants but still sees the occasional "WTF?" sent to it; after a few weeks the SEO team at MJM just stopped replying to them all anyway. I know I'm not the only person to litigate against MJM so perhaps our objective was achieved (update: apparently not).

It's just a shame people have to resort to this to stop the illegal re-use of their personal details; however taking a more aggressive approach is having a substantial effect on my inbox. I'm not going to suggest that direct legal action should be your first approach - in fact it should be your last resort. ICO is almost entirely ineffective from what I've seen so far but the ASA appears to be able to apply some more pressure. I've even involved trading standards in one case.

I got the following email from MJM shortly after the settlement cheque cleared (others got a "How did we do?" support service email), and after the no-contact agreement was exchanged. The irony again here was that the email recipient wasn't the account they'd stolen from 2007, nor was it the one from the support email chain.