I just wanted to share with you some personal experience, along with that of a couple of clients of mine whom I advise on marketing and data compliance, in the hope that it might be helpful to others.
Two of my clients have had spurious claims for data breaches both recently and previously. In one case the gentleman in question claimed £500 which they paid him previously. Of course, like any ‘blackmailer’, which is what he is, he then came back a couple of years later for more. I am not allowed to share his details. I discussed that with the ICO recently, as they have been plagued by him too, and it is tricky for anybody to share his personal information formally because, of course, he has requested to be opted out of any data processing or data sharing. It was by coincidence that I was asked to help on two different client cases, and I recognised the name and address of this same person.
In one case, the letter he had sent and the claims he made were about a third business, which initially confused us, until we realised that he hadn’t even properly edited his claim letter: he was clearly copying and pasting claims and had mistakenly left in the name of another business he was claiming against too. One of my clients therefore decided to contact that company, as they had been mentioned, to investigate further. When we contacted that company they were already being taken to court by the gentleman in question, a threat that he had also made to my clients, along with many other associated claims for damage related to mental health. I’m happy to report that the company won the case, largely because one of my clients provided a witness statement saying that they had been contacted with the same claim, including the defendant’s name, hence the connection.
I am sure that this fraudster will have tried the same approach on many other mail-order and retail businesses: first registering, then unsubscribing by letter or on the phone rather than using the unsubscribe links in their emails. He then quickly submits a claim and a threat to go to court or alert the ICO, claiming that the business has failed in its compliance duties and can expect at least a fine.
Many businesses don’t realise they have 30 days to comply with any such request. Because they feel on the back foot, and because he portrays a case of severe mental anxiety and damage, they think it is easier just to pay him to go away, which is of course his intention.
I have spoken to a data lawyer about this, as well as to the ICO themselves, and this is nothing short of extortion. The lawyer felt they should involve the police, but neither client wanted to, because of the risk that the mental state of this person was perhaps genuine, and because they didn’t feel they should for something which, to them, was relatively minor.
There are a couple of things that DCA members and businesses, in general, should know:
- There is provision in the law for organisations not to respond to Data Subject Access Requests:
  - If manifestly unfounded – the suggestion that there is a claim that would go away if money were paid means, quite simply, that it is unfounded.
  - If manifestly excessive – the person making multiple requests, or targeting one organisation repeatedly and becoming a nuisance.
When I spoke with the ICO about these incidents, they were very helpful and advised that they would ‘call the bluff’ of the person and let them bring a complaint. This is tricky to do, though, especially in a corporate environment where the next level of complaint involves the MD and often a question as to why it wasn’t previously dealt with internally. The ICO also added that refusing a DSAR requires a robust argument that either of the above two reasons clearly applies, but they accepted that this person, if making multiple claims, would likely provide exactly that.
- Whilst Article 82 of the GDPR says that a Data Controller can be held responsible for paying compensation for damages caused by processing personal data, the reality is that a case was thrown out in the English courts in 2021 and set a ‘de minimis’ principle: unless you can prove actual loss or damage as a result of the processing, there can’t be a compensation claim, and in most cases there isn’t any loss. That clause still applies in Europe though!
I have since spoken to a claims management company which had thought that data-related compensation claims would be the next PPI. They have, though, acknowledged that in the UK the court ruling has meant they have dropped most of their cases, only persisting with the ones where there are very clear damages caused as a result of the data processing or data sharing. In that respect, I suspect that NatWest Group will not have heard the last of the incident with Nigel Farage and many others treated in the same way.
Armed with the information about rejecting the aforementioned claims, my clients have refused to play the game with this particular character. A huge factor is the aggravation and time wasted in dealing with him. I’m sure my clients have invested far more resource in rebuffing the claims than it would have cost to have ‘paid the guy to go away’, but there is a principle at stake, and all have agreed that by sharing this knowledge others may be stronger too and stop people like this from trying it on.
Having discussed this more recently with the ICO, we concluded that perhaps the best thing is simply to alert member businesses to this issue or risk and prompt them to get in touch if they have been or are being plagued by this or other fraudsters. We can potentially share non-personal information such as postcodes, but they were clear that we’d ‘be on thin ice’ if we shared any more than that!
At worst, simply knowing that others are being targeted, that there is time to respond legally within the GDPR, and that there is case law to rely on might be helpful to some of you.