GDPR is a regulation meant to protect the privacy rights of an individual. Principally it is meant to protect the right of a citizen of EU and tries to exercise control over the personal data collection activities in the jurisdictional boundaries of EU. UK as a faithful servant of the EU and reeling under the repentance of Brexit wants to be more loyal than the King and has pursued the UP Data Protection Act 2018 to extend GDPR to its jurisdiction.
The objectives of GDPR are laudable and extends the concern the EU legislators always had on the protection of human rights.
Having dealt with dictators like Hitler, Mussolini and Napoleon and lived a life of pirates and conquerors for generations, (of which we the Indians have centuries of experience), the population of EU has developed a culture which appear to have made them suspicious with every body else and over sensitive to some issues related to Privacy.
This is indicative in an interesting case reported below, details of which are available here.
This article “My GDPR Complaint Against Tinder (MTCH Technology Services)” is an interesting case study of how one person has painstakingly pursued his complaint with the company over a long period using the good intentions of GDPR to his advantage and in the process consuming days of effort and money of the company.
This is a typical indication of how the law can be misused by some persons for their own reasons.
To briefly explain the incident, immediately after the GDPR came into operation on 25th May 2018, on 2nd June 2018, a website PersonalData.IO submitted a request on behalf of a customer requesting the company MTCH Technology Services Ltd, to provide “all of the information collected on me”. Since then, the complainant is pursuing the complaint expressing his dis-satisfaction about the information that has been provided. The complaint has been originated with ICO in UK and later transferred to the supervisory authority in Ireland. The matter appears to be resting with the detailed reply given by the company on 29th May 2019 but the complainant is still not satisfied and is following up.
During this entire exercise, the company has patiently been replying to the complainant and it is evident that it has spent enormous corporate time with its technical team, compliance team, the legal advisors etc to draft a satisfactory reply.
We must pause at this stage and reflect whether the cost forced by the complainant on the company has been productive and whether the complainant has been inflicting unjustified losses on the shareholders of the company who are also individuals like the complainant himself.
GDPR has provided a “Right” to the data subject to request for information from a company whether personal data of himself is being processed and if so how is it being processed. The purpose of Articles 13 and related Articles of GDPR is to enable a data subject to ensure that the company adheres to the principle of collecting an informed consent and using the data only as agreed upon and not make a fraudulent or unethical and dishonest use of the personal data.
The complainant in this case on the other hand appears to have pursued his complaint dishonestly with the sole purpose of harassing the company through a series of e-mails and making a “Disproportionate request”. There is no “Data Breach” reported in this instance and the request is a fishing exercise of the complainant to find out a cause for further harassment of the company.
This complaint reflects a sadistic tendency on the part of the complaint who seem to have lot of time at his disposal to keep sending request after request and not be satisfied with any reply received.
There is a need to put an end to the development of such trend which will be detrimental to the industry. If this goes unchecked, any body and everybody may keep sending out e-mails just to make the life of the companies difficult. It may provide a sense of satisfaction to the complainant that he has achieved something great in his life by dragging the company into an endless conversation.
The responsibility to put an end to such an attempt lies with the supervisory authority which has to exercise a judicial discretion to separate a real complaint from a complaint designed as a fishing exercise where the complainant has no prima facie case of having been adversely affected.
The supervisory authorities in such cases should politely refuse the complaint and close the case so that the company can go ahead and attend it its other activities. This requires a sense of maturity for the officers who have the responsibility to uphold the real values reflected by GDPR.
Unfortunately the drafting of GDPR and more so the UK Data Protection Act 2018 is not good enough to avoid dishonest complaints being made against companies without valid and prima facie reasons. It is also not possible to avoid all inconsistencies when a law is drafted and it is the duty of the judiciary and other authorities implementing the law to read down the different provisions and ensure that the real spirit of the law is upheld.
If the supervisory authorities fail to respond properly to prevent such harassment, the Companies will also start disrespecting the authorities and we will end up with litigations all round. This will impose an unreasonable cost on the society and render the regulation an unproductive burden.
I therefore advise the complainant to be satisfied with whatever information has been provided. She has made not only this company but many others realize how GDPR can be make the life of the DPO miserable and tighten up their compliance. I suppose her genuine purpose of making Companies more responsible has been served.
She deserves a pat on the back.
But if the complainant pursues the complaint further, her intentions would be suspect and it would be proper for the Company to demand payment of costs for providing the information. Let this incident not be a lesson on how people can harass a company using the provisions of GDPR.
According to Article 12(5),
...Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
It appears that this is a fit case to test the provisions of this Article and how the supervisory authority of Ireland interprets this complaint.