Wednesday, May 18, 2016

UK Apollo Group (Updated)

The Claim
The Entire Defence (v1)
I don't blog about cases unless there are exceptional circumstances and this is certainly one of those. Of all my cases this is probably the most ridiculous attitude towards data protection and information assurance I've seen yet.

Over the course of 2015 I've spent a lot of time speaking to people in and around data protection and those who've been taking spammers to task. Within a group of people there are different motivations and slightly differing goals but one key factor is common: Spam fatigue and being fed-up with personal data being sold, re-sold and profited from without any kind of consent or reparation.

If you sign a EULA with Microsoft, Apple, Google and many others and read enough of the small print (yes - I'm one of them, sorry...) you'll discover that you haven't actually bought the Thing in your hand or the Thing installed on your device. You've paid for a license to use that Thing on your device. Your use of that Thing can be terminated at any time by the owner - you (the licensee) have rights to use the Thing but you don't actually own it.

In legal terms personal information is not property [yet] and so this doesn't necessarily follow in the literal sense of authorised ownership / resale. However in the terms of an agreement where you license an entity to use your personal information for a given purpose you have the right to withdraw that consent at any time.

Since 2014 I've started using a mechanism which allows me to trace the path of personal data from capture to spam; there are edge cases where data traders may be between the capture point and the spammer but it's up to the spammer whether or not to "'fess up" and disclose those sources. Incidentally, disclosure of source is a statutory duty under the Data Protection Act if requested to do so under SAR.

I agreed / licensed the use of my information (arguably a product in itself) to Monster.co.uk for the purposes of finding a job. I'm a contractor and am "client cycling" on a semi-regular basis so use jobsites fairly often. However Monster's own T's and C's - as well as the consent conditions I agreed to - do not allow anyone to acquire this jobseeker profile information for anything other than recruitment for a live job role.

That means you cannot acquire this data arbitrarily on the promise of a future job role being created nor can you scrape this data and monetise it via offering products or services - whether they are relevant or not.

When I started getting spam which used email addresses only added to Monster profiles from Taylor CVs advertising their CV writing & design services it was pretty clear that it wasn't by mutual consent. I spoke to Monster's abuse team and they agreed with me.

After one of the most insane SAR-based email exchanges with them I've ever borne witness to I raised a claim in the courts for their blatant breaches of statutory duty, the DPA and the PECR. It didn't take long to find some really extreme examples of Apollo's persistent offences. In one case one of their representatives posted a very personal email from a complainant to attempt to belittle their criticism of Apollo - not only an abhorrent breach of data protection but a galling breach of privacy.

I wouldn't have considered this course of action (normally some polite emails to ask them to adjust their policies and perhaps a blog post or two to help others dealing with the same situation) but the attitude of some organisations really hacks me off. Had they put their hands up and said "Ok, we did something we shouldn't and we're sorry" I would probably have left it at that and added a note for future reference.

But they didn't - they actually tried to tell me I'd consented and that I'd subscribed via their Executive Partnership brand (since shut down). They tried to weasel out of it and I suspect they know exactly what they're doing wrong.

What's worse I know from other witnesses that they have no way of tracking which sources they compile their central lists from as they don't have the infrastructure to manage it - even if they did care.

In this case I applied to the court to force Apollo to re-write their defence so that it was coherent and actually answered the claim - as you can see from the photos at the top of this article the defence looks like it was written with the same attitude that Apollo spoke to me directly with: through arrogance and ignorance.

TL;DR - Re-write the defence. Another CM hearing to see if it's worth an actual hearing
Apollo have until 4pm today (15 mins from the scheduled publish time of this post) to file a proper defence and the court then has a case management hearing to determine whether or not Defence v2 will actually answer the case. I've already raised the issue with ICO and the ASA as Apollo have spammed me more than eight times since "deleting my data from their systems".

ICO's response was essentially: "Yes, they're very wrong and need to improve their data compliance but we're not going to do anything about it". Considering they know I'm taking action directly I think that's reasonable but I think a decision notice would be applicable as it's not a first offence.

It's beyond a joke and no-one else - especially the regulators - seems interested in doing much about it outside of the public sector... but why should it be up to people like me to force these companies into compliance with the law? Surely that's not the way it should be?

If you have views or concerns please feel free to get in touch directly.

Update 25th July

There was a mishap at the Birmingham County Courts resulting in being sent to the court rooms on the wrong floor. Because there was no usher that day there was no way of easily finding out how to correct the mistake until 10 mins into the hearing. Case dismissed as the claimant (yours truly) didn't attend - despite being less than 10 metres away the ushers in the district court area didn't use the tannoy.

Application submitted to have the dismissal set aside, hearing fee paid and awaiting a date for the hearing. Apollo have also spammed me since the original post - four times.