Is the SRA's clickable logo an illegal gimmick?

The new digital badge is a secure clickable logo, which the Solicitors Regulation Authority (SRA) has required every regulated firm to display since 25 November 2019. However, I believe it is illegal because it fails to ensure that website visitors can provide prior explicit informed consent to the processing of their personal data. It also fails the privacy by design requirement. It would seem that someone at the SRA thought this would be a good idea, and now having committed itself publicly to this scheme, cannot or will not back down. The regulator has said that if the digital badge was not implemented by 25 November 2019, enforcement action could be taken. I am aware of one firm which having identified the consent issue, dealt with it by displaying an explicit “proceed at your own risk” warning before the digital badge is invoked.

HOW IT WORKS

Essentially, the digital badge is a large logo. A link to the SRA’s development partner yoshki.com is automatically established when a website visitor lands on the webpage displaying the badge, without the visitor having any choice. Personal data about that visitor is then shared with yoshki.com by virtue of the URL linking, and Yoshki’s implementation of the digital badge. Due to the requirement for firms to display the badge prominently, most likely on their homepages, most traffic to their sites will be unwittingly sharing data via the badge and Yoshki’s link. If a visitor clicks on the logo, they are taken via yoshki.com’s intermediate processing to the SRA’s website directory page for the particular firm. The SRA cannot expect members of the public to know if this is a genuine implementation of a largely unknown technology, let alone what it’s supposed to do. If the SRA wishes to place its faith in one technological solution it needs to be certain it cannot be subverted – and, if it is, how would we know? It is unclear to me what steps are being taken by the SRA to ensure it is not being subverted and misapplied.

ILLEGALITY

The SRA has given three grounds for the digital logo’s implementation: confirmation of a firm’s regulated status; assisting the SRA in its compliance function; and preventing fraud. However, none of those appears to provide a legitimate interest overriding the “interests or fundament rights and freedoms of the data subject” (Article 6(1)(f)) of the GDPR). The data subject will not be able to provide consent, nor would it be informed consent as we are unable to verify the extent of the processing by Yoshki and or Google – so the Article 6(1)(a) grounds fail. There is no contractual relationship of note so the Article 6(1)(b) grounds do not apply. The SRA may argue that firms must implement the digital badge because it imposes a legal obligation on firms to do so. However, the SRA’s Standards and Regulations are subordinate to the Data Protection Act 2018 and the GDPR. They must therefore comply with that primary legislation. The Article 6(1)(d) grounds must also fail. It would be ambitious for the SRA to claim the digital badge will protect the vital interests of a data subject – so the Article 6(1)(d) grounds do not apply. Similarly, it isn’t core to the SRA’s activities, therefore the regulator cannot argue this is a task carried out in the public interest; or that it is an intended exercise of official authority vested in the controller. Therefore, the Article 6(1)(e) grounds ought not to apply. The SRA has maintained the view that personal data is not being processed, either because it is subsequently anonymised or is not used. That is an interesting argument but as far as I can tell it is not supported by the GDPR’s definition of processing. The SRA recently released a statement that, to allay concerns around the digital badge, it has instructed Yoshki to temporarily disable the use of Google Analytics. The SRA is aware this does not address the core issue, which is that the data still transfers whether it is used or not. It does now in fact confirm that it agrees it is, or was, processing personal data. If the purpose of the digital badge is to reduce fraud and enhance client protection, the SRA has to demonstrate the existence of a significant problem which digital badge is aiming to address. Otherwise it solves a problem which does not exist, or does not solve a problem that may exist.

IMPACT ASSESSMENT

It feels as though the SRA has not conducted a thorough data protection impact assessment of the scheme as a whole. It may be that it just does not understand how this technology works – in which case it should not be using it. The SRA is not prepared to release details of its contractual relationship with Yoshki (governing data protection issues), which demonstrates a surprising lack of transparency. Some of the concerns raised could have been avoided if the SRA had assumed the role of data controller for the entire scheme, with individual firms acting as data processors. This would have shifted responsibility for compliance to the SRA. But the SRA refused to do so. It has also refused to provide an indemnity for damages or loss suffered (to the extent recoverable) as a result of any breaches of data protection laws arising out of its implementation. In other words, the SRA lacks sufficient confidence in its own scheme to warrant its legality.

JOINT CONTROLLER STATUS

It is beyond the reach of this article to analyse Yoshki’s website privacy policy (for that is all we can rely on), suffice to say that I have identified fundamental and significant issues, which have been communicated to the SRA. It is now finally accepted that consent is a hard opt-in requirement so consent cannot be inferred (see the ruling of the European Court of Justice (ECJ) in the Planet49 case in C-674/17). The SRA may wish to note the recent ECJ decision in the Fashion ID GmbH case (C40/17) where an online retailer was found to be jointly liable with Facebook for the use of Facebook’s ‘like’ button. Both the ‘like’ button and the digital badge operate in similar ways, by using a third-party to track website traffic. If this ECJ judgment is to be applied to the digital badge – which it should – then each firm and Yoshki are joint data controllers; with each firm effectively being liable for Yoshki’s actions and then, further down the line, probably Google itself (depending on how much personal data it obtains). If there are multiple means of achieving an objective, then one must select the least invasive means. The SRA could have achieved its objective by simply allowing a direct link from a firm’s website to the SRA’s record held for each firm, thereby confirming its status and identity. This would achieve the same result – without requiring additional and therefore unnecessary processing of personal data by third parties. As to the fraud concerns, there are already widely established, used, tested and publicised methods for authenticating and securing websites in the form of SSL certificates and https encryption. Using these would also have the benefit of providing a degree of confidentiality for website visitors. So why is the SRA forcing relatively unknown proprietary technology on firms which achieves little compared to existing accepted industry-wide solutions?

CONFIDENTIALITY

The SRA has not addressed a potential concern that Google, which supplies the technology, may see this as another means of profiling website visitors. Will we be in the position where a subsequent visit to a social media platform will result in ‘have you been injured recently in an accident’ adverts popping up? Given the high standards of confidentiality that apply to the legal profession (let alone rule 6.3 of the Solicitors’ Code of Conduct) one would consider permitting any form of monitoring or analysis of clients or potential clients by third parties to be unlawful. Yet the SRA is monitoring our clients and potential clients (and also enabling others to do so). Where firms enable https encryption to ensure confidentiality, the digital badge would then provide a back door, subverting and defeating the purposes of that encryption. The duty of confidentiality is owed to the client – not to the client, the SRA and its service providers. Since writing this article, the author has lodged a formal complaint with the Information Commissioner’s Office.