Ignorantia legis non excusat – and how to order them to stop
Jon Baines, an information rights practitioner and commentator, told El Reg: “European data protection law grew up in large part from concerns about the state and organisations being able to use computer processing power to perform operations on data – even apparently innocuous data – way beyond what was humanly capable.”
“This app monitors tweets,” continued Baines, “processes them with an automated algorithm, which selects tweets if they contain the right keywords, pushes this information to a third party, and then retains the tweet and may match it with others from the same person. All without the subject of this being aware. Under European law this is a potential interference with people’s rights.”
And we're minded to agree, with an eye on domestic UK law. Section 12 of the Data Protection Act 1998 allows anyone to serve a notice on a data controller requiring them “to ensure that no decision [is] taken by or on behalf of the data controller which significantly affects that individual”. Even though section 12 was enacted to protect employees from the automated initiation of disciplinary processes, for example by triggering a gross misconduct hearing if an employee clocked in late too many times, it can be applied here.
Clearly an automated alert telling world+dog that you're seemingly about to kill yourself is going to significantly affect you, in reputational terms if nothing else.
So, with that in mind, your correspondent served a section 12 notice on the Samaritans:
This is a notice served under the terms of section 12(1) of the Data Protection Act 1998. Please ensure that no decision is taken by you or on your behalf (in particular by, but not limited to, the “Samaritans Radar” app) based solely on the processing by automatic means of my personal data for the purpose of evaluating my conduct.
I remind you that section 12 obliges you to respond to this notice setting out the ways in which you will comply with it. To assist you in that, my Twitter handle is @gazthejourno.
I further remind you that section 12 also obliges you to notify me of any such automated processing that may have already taken place.
It's as easy as sending an email to email@example.com, which seems to be the administrative contact address on their website.
A reply dropped in some hours later – part of which is quoted on page 1 of this column – and we interpreted it to mean that the Samaritans thought the Data Protection Act didn't apply to them. It did invite us to follow the Samaritans on Twitter and direct message them our username, in order to opt out. This does not comply with the terms of the section 12 notice, which requires the data controller – not the subject – to actively stop processing personal data upon which a decision is made.
So your correspondent wrote back. Click once to get to the Twitter page, and then click again on the image to embiggen it:
At the time of writing we had received no response to this, although we did contact the Samaritans via their press email address asking them a series of related questions.
We did get a partial response, which indicated that 2,900 people had subscribed to it in its second day of operation, which enabled it to monitor 1,625,820 Twitter accounts. Subscriptions increased by 50 per cent between day one and day two of operation. Out of 2,563 Radar alerts through the app, just 103 - four per cent - were validated by users as being genuine. 48 Twitter users were reported to have opted out, although one Twitter user shed light on a possible reason for this:
@GazTheJourno I opted out. But in order to feedback why I did so I have to use email, webform, telephone... anything but Twitter. 1/2— La Vie d'Horreur (@lavieordinaire) October 31, 2014
@GazTheJourno The flaky opt out system & that they don't process feedback by DM goes a long way to explain to low lvl of complaints 2/2— La Vie d'Horreur (@lavieordinaire) October 31, 2014
A Samaritans spokesperson told The Register: “Prior to launch, we undertook an impact assessment based on our existing framework for assessing data processing and compliance with the principles of the Data Protection Act.
"We are looking into the details of the data protection and privacy concerns raised in more detail, including working with the relevant regulatory authorities, and will continue to take action as needed to address these concerns appropriately going forward."
Then, mindful of the huge public response to the app, we asked what you thought of the Radar app.