Is the SRA's clickable logo an illegal gimmick?
George Gardiner, who has complained to the information watchdog, believes use of the SRA's digital badge is illegal and firms implementing it do so unlawfully
The new digital badge is a secure clickable logo, which the Solicitors Regulation Authority (SRA) has required every regulated firm to display since 25 November 2019. However, I believe it is illegal because it fails to ensure that website visitors can provide prior explicit informed consent to the processing of their personal data. It also fails the privacy by design requirement. It would seem that someone at the SRA thought this would be a good idea, and now, having committed itself publicly to this scheme, the regulator cannot or will not back down. The regulator has said that if the digital badge was not implemented by 25 November 2019, enforcement action could be taken. I am aware of one firm which, having identified the consent issue, dealt with it by displaying an explicit “proceed at your own risk” warning before the digital badge is invoked.
HOW IT WORKS
Essentially, the digital badge is a large logo. A link to the SRA’s development partner yoshki.com is automatically established when a website visitor lands on the webpage displaying the badge, without the visitor having any choice. Personal data about that visitor is then shared with yoshki.com by virtue of the URL linking, and Yoshki’s implementation of the digital badge. Due to the requirement for firms to display the badge prominently, most likely on their homepages, most traffic to their sites will be unwittingly sharing data via the badge and Yoshki’s link. If a visitor clicks on the logo, they are taken via yoshki.com’s intermediate processing to the SRA’s website directory page for the particular firm. The SRA cannot expect members of the public to know if this is a genuine implementation of a largely unknown technology, let alone what it’s supposed to do. If the SRA wishes to place its faith in one technological solution it needs to be certain it cannot be subverted – and, if it is, how would we know? It is unclear to me what steps are being taken by the SRA to ensure it is not being subverted and misapplied.
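The difference described above, between a request made as soon as a visitor lands on the page and one made only when they click, can be checked from a page's markup. The following is an added example, not code from the SRA, Yoshki or the author; the sample page and its host names (firm.example, badge-vendor.example, regulator.example) are constructed placeholders, not the real badge embed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs the browser fetches while rendering, with no visitor action.
AUTO_LOAD = {("script", "src"), ("iframe", "src"), ("img", "src")}
# Pairs that cause a request only when the visitor clicks.
ON_CLICK = {("a", "href")}


class ThirdPartyAudit(HTMLParser):
    """Sort third-party hosts by whether they are contacted on load or on click."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.on_load, self.on_click = set(), set()

    def _third_party_host(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:  # relative URL, so the request stays on the firm's own site
            return None
        if host == self.first_party or host.endswith("." + self.first_party):
            return None
        return host

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = self._third_party_host(value) if value else None
            if host is None:
                continue
            if (tag, name) in AUTO_LOAD:
                self.on_load.add(host)
            elif (tag, name) in ON_CLICK:
                self.on_click.add(host)


def audit(html, first_party_host):
    """Return (hosts contacted on page load, hosts contacted only on click)."""
    parser = ThirdPartyAudit(first_party_host)
    parser.feed(html)
    return sorted(parser.on_load), sorted(parser.on_click)


# Constructed sample page; the markup is illustrative, not the real badge code.
SAMPLE = """<html><body>
<img src="/img/logo.png">
<iframe src="https://badge-vendor.example/badge?ref=firm.example"></iframe>
<a href="https://regulator.example/firm/123">Check our regulated status</a>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "firm.example"))
```

This reads static markup only, so it does not see further requests that a loaded third-party script makes at runtime; a browser's network log on first page load is the fuller check.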
ILLEGALITY
The SRA has given three grounds for the digital logo’s implementation: confirmation of a firm’s regulated status; assisting the SRA in its compliance function; and preventing fraud. However, none of those appears to provide a legitimate interest overriding the “interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f) of the GDPR). The data subject will not be able to provide consent, nor would it be informed consent as we are unable to verify the extent of the processing by Yoshki and/or Google – so the Article 6(1)(a) grounds fail. There is no contractual relationship of note so the Article 6(1)(b) grounds do not apply. The SRA may argue that firms must implement the digital badge because it imposes a legal obligation on firms to do so. However, the SRA’s Standards and Regulations are subordinate to the Data Protection Act 2018 and the GDPR. They must therefore comply with that primary legislation. The Article 6(1)(d) grounds must also fail. It would be ambitious for the SRA to claim the digital badge will protect the vital interests of a data subject – so the Article 6(1)(d) grounds do not apply. Similarly, it isn’t core to the SRA’s activities, therefore the regulator cannot argue this is a task carried out in the public interest; or that it is an intended exercise of official authority vested in the controller. Therefore, the Article 6(1)(e) grounds ought not to apply.
The SRA has maintained the view that personal data is not being processed, either because it is subsequently anonymised or is not used. That is an interesting argument but as far as I can tell it is not supported by the GDPR’s definition of processing. The SRA recently released a statement that, to allay concerns around the digital badge, it has instructed Yoshki to temporarily disable the use of Google Analytics. The SRA is aware this does not address the core issue, which is that the data still transfers whether it is used or not. It does now in fact confirm that it agrees it is, or was, processing personal data.
If the purpose of the digital badge is to reduce fraud and enhance client protection, the SRA has to demonstrate the existence of a significant problem which the digital badge is aiming to address. Otherwise it solves a problem which does not exist, or does not solve a problem that may exist.









