A solicitor who is publicly refusing to implement the Solicitors Regulation Authority’s mandatory website logo has today formally asked the data watchdog to rule the scheme unlawful. In a letter to the Information Commissioner’s Office (ICO), George Gardiner, of London business firm Gardiner & Co, states that the digital badge contravenes data protection laws.
The complaint asks the ICO to order the SRA to stop mandating the badge and for each law firm that has implemented the badge to immediately cease doing so.
Gardiner’s complaint alleges that the digital badge:
- Fails to ensure that website visitors can provide explicit informed consent prior to the processing of their personal data by each law firm, the system’s supplier Yoshki, the SRA and Google, on whose technology the scheme is based;
- Fails to satisfy the ‘privacy by design’ requirement of the Data Protection Act and General Data Protection Regulation;
- Subverts any encryption and therefore any assumption of confidentiality of website visitors relying on the https website security function and;
- Forces law firms to become joint data controllers with the SRA’s sub-contractor and third parties, including Google, without being in a position to understand what processing the other data controllers are undertaking.
Gardiner notes that the SRA has, ‘as a result of this firm’s public opposition to the digital badge, instructed Yoshki to temporarily suspend the use of Google’s Analytics’. However ‘once the dust has settled we expect the SRA to instruct Yoshki to re-enable it. The use of Google’s analytics is an entirely separate and unrelated issue to the use of the digital badge, though it raises equally significant concerns outside the scope of this complaint and one therefore ought not to be distracted by this “concession”. It is, though, a tacit admission by the SRA that it has been profiling data subjects.’
A notice on Gardiner & Co’s website states: ‘Until such time as the SRA can ensure that its digital badge complies with data protection laws this firm will not be implementing it, aside from thinking it is a complete waste of time.’
The ICO’s powers over organisations and individuals that collect, use and keep personal information include criminal prosecution, non-criminal enforcement and audit. It can also impose monetary penalties.
The SRA says that the scheme, which sets up a live link between anyone clicking on the logo and its database of regulated firms, does not collect personal data.
A Law Society spokesperson said: ‘As our members would expect, the Law Society of England and Wales is in regular contact with the SRA so we can fully understand what is being done to address the concerns raised about the digital badge.’