Digital badge: SRA and thousands of firms 'in breach' of law

A formal complaint about the solicitors’ regulator has been sent to the Information Commissioner’s Office (ICO) following its demand that all firms display the Solicitors Regulation Authority (SRA) digital badge on their websites.

Law firms are also in breach of data protection laws by displaying the digital logo and merit ICO investigation, according to the solicitor who lodged the complaint.

George Gardiner, principal of London firm Gardiner & Co said that assuming 80 per cent of law firms have a website, 8,320 firms would be in breach of the GDPR by implementing the clickable logo.

Since 25 November when the SRA Standards and Regulations come into force, all regulated firms are required to display the digital badge on their firms’ websites. Failure to do so could lead to enforcement action.

However, there have been many concerns that the digital logo means personal data is being collected and processed without the required consent in breach of the GDPR.

Gardiner’s complaint relates particularly to the nature of the processing and the implementation of the digital badge itself and alleges that the regulator does not even understand what processing means under the GDPR.

By mandating the use of the digital logo on firm websites, Gardiner – who calls it an ‘illegal gimmick” – said the SRA and every law firm who uses it are in breach of data protection law, because the digital badge:

• fails to ensure that website visitors can provide explicit informed consent prior to the processing of their personal data by each law firm, Yoshki Ltd, the SRA and Google. This means the processing is illegal.
• fails to satisfy the “privacy by design” requirement,
• subverts (via an effective ‘back door’) any encryption and therefore the assumed confidentiality of any website visitor relying on the https function, and
• forces law firms to become joint data controllers with the SRA’s sub-contractor and third parties, including Google, without being in a position to understand what processing those joint data controllers are undertaking.

He said the digital badge is based on Google technology; implemented by a third-party company on behalf of the SRA (presumably as data processor for the SRA); and the SRA has mandated its implementation as a regulatory requirement on the profession.

He said there are significant confidentiality issues around tracking clients and potential clients’ visits to law firm websites, particularly where a firm has a known specialism.

Despite being in communication with the SRA since January this year, Gardiner said the regulator “has yet to provide any empirical evidence of a security concern that this digital badge addresses and refuses to assume responsibility”.

He also said the SRA’s stated reasons for “forcing the digital badge on the legal sector” do not appear to satisfy the requirements of the GDPR and do not justify “the level of processing of personal data being undertaken”.

Gardiner asked the ICO to rule that the digital badge is unlawful as currently mandated and that all firms cease displaying it.

He also asked the watchdog to rule that the regulator may not mandate implementation of the digital badge “without full forensic analysis”.

If upheld, he says this will “ensure that businesses do not simply do as they are told even if it is by its professional regulator”.

Rather, he added, they are required always to independently ensure compliance with the GDPR.

Gardiner has refused to implement the digital logo on his firm’s site.