Regular readers of Commsrisk know that I consider the enforcement of data protection laws to be little better than a theatrical display that persuades the public they are more protected from harm than they really are. The act of enforcing data protection law serves the same purpose as the occasional investigation of a billionaire’s overseas assets or inspecting the bags of one in every thousand passengers that land at London Heathrow Airport; it will catch a few crooks and deter some obvious infractions but it will not discourage a determined tax evader or smuggler. People who really want to break the law will calculate that the risk of being caught and punished is so low that if they take sensible steps to hide illegal activities then they will never suffer any consequences. The gap between the scale of crime and the resources allocated to enforcement also helps to explain why the ‘war on drugs’ was a failure, and why the police do not bother to investigate most frauds but instead rely on banks and other businesses to compensate victims of crime. With this context in mind, let us examine a recent news story about data protection from a different angle to that adopted by most journalists.
The British Labour Party has a significant lead in opinion polls and is on course to win the next general election held in the UK. This comes after a period of infighting under its former leader, Jeremy Corbyn, some of which concerned accusations that Corbyn and his supporters were reluctant to tackle antisemitism exhibited by party members. In 2020, Corbyn said the scale of antisemitism had been “dramatically overstated for political reasons”, leading to condemnation by the new party leader, Keir Starmer (pictured). Corbyn was suspended from the party because of his comments, and he remains suspended although he continues to serve as a Member of Parliament. To determine the true extent of antisemitism, and what to do about it, necessarily requires some form of investigation, of which there have been several. Data protection is an important aspect of such investigations due to the need to interview party officials and members about the way sensitive complaints were treated. Private emails and Whatsapp messages sent by officials were examined for evidence of rule-breaking. The need to maintain confidentiality in these investigations runs contrary to Britain’s political culture, where it is normal for journalists to receive information through unauthorized disclosures or ‘leaks’.
Three prominent supporters of Corbyn that were suspected of leaking information have been investigated by the agency responsible for data protection enforcement in the UK, the Information Commissioner’s Office (ICO). The BBC recently reported that ICO has decided no prosecution will occur because there was not enough evidence that anyone had unlawfully shared or obtained personal data. However, the Labour Party is privately suing the same three individuals, plus two other Corbyn supporters, for conspiring to make confidential information public. So whilst the state agency empowered to pursue criminal proceedings has decided not to act in this case, the Labour Party is continuing to pursue civil redress for the same infractions through the courts.
The average journalist will frame this story as relating to battles over control of the Labour Party and arguments about whether the civil case should be dropped, because that is the sort of thing that interests the average journalist. If you are interested in data protection, you may instead look at this story another way. A small private organization — the Labour Party — is prepared to risk millions of pounds in the pursuit of what it considers to be a just outcome, even though a state-backed agency says the matter is not worth pursuing. A naive commentator would say ICO gave up this case because the standard of evidence required for a successful criminal prosecution is higher than that needed to win a civil case, so ICO’s more exacting standards were not met, but the Labour Party’s lawyers can still rationally believe they will win their lawsuit. A less naive commentator would think back to the reasons why so few bags arriving at Heathrow Airport are physically examined: there is a limit on the resources available to those tasked with enforcement.
The calculation made by ICO is not just whether they can obtain the evidence needed to secure a prosecution, but whether their finite resources are best deployed trying to obtain evidence to win this particular case. If you were running ICO, which would you prefer: to deploy limited resources in a way that will upset some of the country’s best-known politicians and millions of their passionate supporters, or to instead prioritize some totally different case where you expect to secure a massive headline-grabbing fine from a foreign tech business? It is pretty easy to calculate which would be the safer and the more popular option overall.
In addition to leading his party, Starmer is also one of the country’s most senior lawyers, having been the Director of Public Prosecutions for five years. Corbyn’s supporters will portray the lawsuit as a vindictive misuse of Labour’s limited funds by Starmer. Despite public perceptions to the contrary, spending limits and other aspects of law and custom means British political parties are poorly funded compared to political parties found in some other countries. The annual cost of running the Labour Party averages around GBP50mn (USD61mn) and past experience suggests they are unlikely to spend more than GBP15mn (USD18mn) on the next general election campaign. If they lose an expensive civil case and are forced to pay the legal costs of the defendants then that bill could realistically total between GBP3mn and GBP5mn (USD4mn to USD6mn), placing considerable additional strain on the party’s finances and reducing the election war-chest.
The potential cost of this civil case can also be contrasted with the amount that ICO was likely to have spent on pursuing a criminal prosecution. ICO does not report costs on a case-by-base basis, but its total expenditure during the last financial year came to GBP66mn (USD81mn). This gives a sense of how little ICO can afford to spend on each investigation and on each prosecution it undertakes. Labour is almost certainly spending more on suing the five Corbyn supporters in their civil case than ICO was prepared to spend on pursuing a criminal conviction against three of them, even though Labour could seriously damage their chances of winning the next election if they lose in court.
A top lawyer, who spent five years as the ultimate decider of which criminal cases were worth prosecuting, is the leader of a political party that appears set to win the next general election, but which is willing to take a major financial risk pursuing a civil data protection suit against supporters of his predecessor. Many will believe this civil action is motivated by politics. The decisions being made at the top of the Labour Party also suggest they are confident of victory. They believe they can obtain justice through a private lawsuit, even though the public authorities were unable or unwilling to pursue justice to its conclusion. That does not prove a government led by Starmer would take a fresh look at the amount of public money spent on the enforcement of data protection laws. However, there will never have been an incoming government that is so conscious of the lack of redress when private citizens cannot afford to instigate a civil suit and the state enforcer has chosen not to act.
