Euro-folks: Data Protection Laws and Lulz

Hey, so something just occurred to me. I know this is long, but there is the potential for EPIC levels of win (and the complete destruction of CoS plans, to boot.)

In Europe, there is a thing called the Data Protection Registrar. Every EU country has an implementation of this- in Britain, for example, it's called the Data Protection Act (1984, 1998 ). Basically the way this works is that any organization that stores or collects personally identifying data must register with the Data Protection Registrar. At that point, any person who believes an organization is storing data about them is entitled to a full and unabridged copy of that information, or proof that no data is being stored. The organization is allowed to charge a reasonable fee for extracting this data, but the DPR sets the fee- in Britain, it's about ten quid and the fee is similar in other European countries. You give them some means of identifying you in their databank, and they have to then search for it. They don't have a choice, and they have a limited time in which to give you your copy. This, of course, costs them a lot of money.

If they decline to comply, the Data Protection Registrar then totally owns them in court, since you have a statutory right to that data. All forms of data are now included since the 1998 and 2000 amendments (it used to just be computer-based info, but now photographs, paper files and video tapes are included, as well as any other form of information that is personally identifying.)

Mark Thomas, excellent satirist and general thorn in the side of authority, used this to great effect when he encouraged people to send photos of themselves to anyone who had a CCTV system. These organizations then had thirty days or so to search through all their tapes and find any footage of those people who had submitted a request. Even the police and city governments were forced to comply, so I doubt the CoS can escape.

Obviously this doesn't work too well for people who are still anonymous, but lots of people have been named, and we have lots of ex-scns; have any of you tried submitting a Data Protection Act request? If you live in Europe and the data is used there- regardless of where it may be nominally stored- you are protected by the various Acts.

I'd love to see them try to get out of this one. Fair Game loses bigstyle to the European Court. We could massively own them, since if they refuse to comply with a properly formatted request, they lose their right to hold data of any form on anyone at all, not just the person whose request was refused. Given that they also have a limited timespan to respond, I can easily see them losing out of sheer ineptitude.

Better still, you CANNOT sign away your Data Protection Act rights in any form of contract.

There is the potential for massive win and hilarious lulz, as well as a large measure of insider info to come out here.

Who's up for it? You know you want to.

Certainly something that I've thought of a few times and wasn't sure how to pitch it. You got my thoughts down exactly :)

I'm gonna try and dig through the DP training here at work because I think there's also a clause which says that data can only be retained for the purpose that it was collected - so I'm fairly certain that Scientology would have to provide a purpose. I'm thinking that "To stalk our critic" would not go over well in a class action lawsuit defense.

You're forgetting two important points: relevance and timeliness.

The COS would have to prove why they are storing the data about a person (why it is relevant) and then justify why it is still being stored.

I would love to see their response to this, but also don't want to namefag myself.

I'm reading through the act at the moment, but I think I have just found an ace in a fight against fair game:

10 Right to prevent processing likely to cause damage or distress (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—
(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and
(b) that damage or distress is or would be unwarranted.
(2) Subsection (1) does not apply—
(a) in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or
(b) in such other cases as may be prescribed by the Secretary of State by order.
(3) The data controller must within twenty-one days of receiving a notice under subsection (1) (“the data subject notice”) give the individual who gave it a written notice—
(a) stating that he has complied or intends to comply with the data subject notice, or
(b) stating his reasons for regarding the data subject notice as to any extent unjustified and the extent (if any) to which he has complied or intends to comply with it.
(4) If a court is satisfied, on the application of any person who has given a notice under subsection (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit.
(5) The failure by a data subject to exercise the right conferred by subsection (1) or section 11(1) does not affect any other right conferred on him by this Part.


Now forgive me if I've misinterpreted - but my understanding of this is that if you have reason to suspect that processing of any personal data for any purpose is likely to cause you distress or damage then you can request the company to stop. And they must. By law.

Holy shit.

XIINGEpic win for Europe. Data protection act = win.

Perhaps some Anon who is better versed in legalese can write a nice little summary of this? If it's true, we need to know how to formally start the procedure - and post it all over the place. Anyone who's been IDed needs to know.

There's lots and lots of UK information on the ICO's site, and it's all pretty readable: here

All you have to do is send their registered office a letter along these lines:

Your full address
The date


Dear Sir or Madam or Thetan lol

(Your full name and address and any other details to help
identify you and the information you want.)

Please supply the information about me I am entitled to under
the Data Protection Act 1998 relating to (give details of the
information you want). (Please would you also tell me the logic
involved in any automated decisions you have made about
me.)

If you need any more information from me, or a fee, please let
me know as soon as possible.

If you do not normally deal with these requests, please pass
this letter to your Data Protection Officer or another appropriate
officer.

Yours faithfully

Signature

Quote:

Originally Posted by Anonyunderpants

Certainly something that I've thought of a few times and wasn't sure how to pitch it. You got my thoughts down exactly :)

I'm gonna try and dig through the DP training here at work because I think there's also a clause which says that data can only be retained for the purpose that it was collected - so I'm fairly certain that Scientology would have to provide a purpose. I'm thinking that "To stalk our critic" would not go over well in a class action lawsuit defense.

Sadly, there's no such thing as a class action in most European countries, particularly Britain.

This is fantastic, I hadn't realized this included paper now too!

Pity class action doesn't exist. And as normal - make sure any requests are sent recorded delivery and keep a diary when going through the process.

As the ex-scio at our local protest said (albeit about minimum wage) "They'll have either found a loophole or flat out ignored it." If they've found a loophole then obviously by the text of the act, it is open to interpretation.

Quote:

Originally Posted by Anonyunderpants

Pity class action doesn't exist. And as normal - make sure any requests are sent recorded delivery and keep a diary when going through the process.

As the ex-scio at our local protest said (albeit about minimum wage) "They'll have either found a loophole or flat out ignored it." If they've found a loophole then obviously by the text of the act, it is open to interpretation.

Apparently they lost a Data Protection case in Denmark, and if they lost in Denmark then they can lose in the rest of Europe too. There's actually a nice article about their registration information here: bit old, but good. This says they lost a Data Protection Act case in 1991, and they were fined, so they now must comply or be heavily censured- they could lose their DPR right to hold any data at all.

The Data Protection Act is, in a sense, retrospective; it covers all data, regardless of the date on which it was collected. Records were supposed to have been destroyed prior to the date of first registration, which in the case of the CoS was in 1999. Obviously, I don't think they actually did this (it would be completely against their modus operandi) and so we can get hold of all sorts of interesting info.

Okay so here's their registration in the UK. Information Commissioners - Data Protection Register - Entry Details

THIS SAYS THEY CANNOT TRANSFER INFORMATION OUTSIDE THE EEA! that means sharing info with Flag etc., is COMPLETELY ILLEGAL.

Here's them again in the UK: Information Commissioners - Data Protection Register - Entry Details

This says they can send stuff to the USA, but again, you're entitled to know what they do and who they sent it to.

If a few dozen unmasked anons or unanimous folks make requests that include requests for CCTV footage- include a passport-sized photograph in your letter, and yes, send the letter by registered post- they will have to comb their security camera footage. Stuff collected by their investigators is also covered. Since they have this huge DPR registration, and since they've lost in the past, they must comply. If they get nailed again, it'll be much worse for them. They have no chance to survive this; their Fair Game tactics are completely illegal.

Their DPR registration expires next January, and of course they will renew it, but it's possible we can force them to add to the list of data sources they use. There doesn't seem to be a loophole here; they are simply not allowed not to respond to requests for data. Everything is covered. If they have had internal conversations about you- memos, emails, anything- then you are entitled to a copy of those, too.

Hilariously, they list credit reference agencies as a data supplier.

I can't reiterate enough. This worked for Mark Thomas against the Government. There's no way on earth (or any of the other planets they think they've been to) that this can fail. The CoS will fail because the government completely hates them. This could be an absolute goldmine of information about their internal workings; this could literally tell us exactly what they're planning to do re Fair Gaming the unmasked UK-anons.

Data extracted under the Data Protection Act is admissible in evidence, and is grounds for injunction against the Data Controller's agents, which basically means: they have to tell you what they know, they have to tell you what they're planning, and then you can go to your solicitor and have them legally prevented from executing their dirty tricks. Then if they actually do any of them, you win. Epic. They are not allowed to use data for purposes of "causing harm or distress". That means they lose.

I'm sickying this as it has great importance to UK activists, and many Europeans too. Also as it's law and they have to comply without debate.

I've had a think about this, and I think this is how it should work.

OPERATION DATA PROTECTED

Do you have knowledge of the Data Protection laws in other countries than the UK? I don't. We need people who do to come up with the info for any countries where we have people.

People? What kind of people?

We are looking for people who:

• Are ex-scio, and spent some or all of their time in the UK or other European countries, or
• Are anon, but got unmasked, or
• Are being fair gamed, or
• Just don't give a shit

Do you fit any of these categories? Then great! We need to find as many people like that as possible, so that we can file HUNDREDS of Data Protection requests. The thing is, even if they don't have data on you, it costs them a whole bunch of time and money searching. The downside is that you have to identify yourself to them, so you really need to fit into one of the four categories above.

What do you need to do to participate in Operation Data Protected?

It's really simple. You take the form letter from the post above, fill in the blanks, you add a passport-sized photograph of yourself, and you send it to both of the addresses listed on the Data Protection Register (links above). If you're not in the UK, you can help by digging up the equivalent info.

What happens next?

Epic, epic lulz. They have 21 days to respond, and that response can take the form of:

1. They run around and go absolutely apeshit trying to dig up any info on you they might have, frantically deleting as much as possible.
   
2. They send you a letter saying that they have info, but there is a copying fee. (In fact, the copying fee is limited by law, and the maximum is £10. That includes copying video evidence if they have you on CCTV.) You should respond by sending them a postal order. (I'm guessing you don't want them getting hold of your bank account details, dig?) It'll be a small price to pay for the immense lulz that will result.
   
3. They will send you a packet containing all of the info they have on you- emails sent between scitols, memos, their fair game files, CCTV tapes, investigator reports, photos taken by private dicks, anything that has your name in it. They have to do this by law.

If they take longer than 21 days, or try to claim they have no data on you when in fact you know they do (they're fair-gaming you, or have sent you a letter, or whatever), you get to complain to the Data Protection Registrar, which is a division of the Information Commissioner's Office in the UK. This is a serious crime, and carries very stiff penalties. They lost once in 1991 and if they do it again, they will probably be made an example of by the ICO, which is desperately trying to look good despite all the data loss fiascos of the last few months. The government in the UK freaking HATES the CoS and they will act.

How we proceed from that point depends on what's in the packets we get back. Whatever we do, it'll be totally awesome. We'll know their innermost secret discussions. We'll know what they plan to do. We'll know who's involved in fair gaming. We'll know more than they do, since we will then demand that all the information they return be destroyed (since the Act states clearly that keeping data for purposes of harming or frightening people is entirely forbidden). This has the potential to completely destroy the way they deal with Anon in Europe.

Then we will have caek.

If anyone has better suggestions I'd love to hear them :)

A ligit business might get their Data Protection Officer to scan thru videotape for the face matching your passport photo; Scilons will surely just say 'couldnt find anything'. What's to stop them?

I guess the Data Protection Act works best if you have hard evidence that they recently used the info that they have on you - eg. by sending a letter or leaving an answerphone message.

Evidence of them collecting info (video cameras at protest, private dic snapping licence plates) - is there anything that can be done with that? I mean if Scilon says 'it's deleted now' is that them off the hook?

Also note that data can only be retained for the purpose that it was collected. Even if you aren't being fair gamed and you write a letter in requested a DSAR (Data Subject Access Request), they CANNOT use the information in the letter to fair game you. If you do get fair gamed after writing in, then I'm sure the Data Protection Registrar would love to know that they have mis-used data...

So this is looking at the least like an affordable recourse for UK/EU anons that get Fair Gamed. Sweet.

Note that I haven't been fair gamed, but I'm willing to put my pen where my mouth is on this one. Initial draft:

Dear Sir,
I am writing to you to make a Data Subject Access Request (DSAR) as provisioned in the Data Protection Act. I hereby request a copy of all documents and personal information relating to myself, including memo's, contact cards, private investigator contracts for myself, CCTV and photographic images. Please find enclosed a postal order for the value of £10 – the maximum amount that you are allowed to charge an individual for providing this information under law.

I would like to remind you that you have 21 days to provide all the information that the Church of Scientology holds on myself and not to do so will be a second breach of the Data Protection Act committed by the Church.

I have reason to believe that the Church Of Scientology is holding personal information on me, on the basis that I was photographed by a Scientologist speaking to a police officer while expressing free speech at a peaceful protest. This was outside the York mission of Scientology on March 15th 2008 and will be verified by other peaceful protesters as well as the officer I was speaking to. If needs be, they will be called on as witnesses in a court case if you fail to produce the information on myself. I have enclosed a passport photograph of myself to help you identify which photo is of me.

I am also taking this opportunity to make a formal request for the Church Of Scientology and all of its associates to cease all processing of information about myself. Scientology has in the past conducted a policy called Fair Game where it endlessly and illegally harasses critics for simply expressing