Morrisons bind us to their data processing for no apparent reason

Morrisons Commercial Lawyer is unable to identify a single valid benefit that either party gains from being contractually bound by the data processing outlined in their privacy policy, so what’s the point?

When I attempted to register with Morrisons’ via their website, I noticed that they require me to “accept” their terms and conditions AND their privacy notice. While I don’t have an issue with accepting Morrison’s terms and conditions, it isn’t clear to me why I need to accept their privacy notice, what the nature of that acceptance is, or how they would enforce that acceptance in a court of law. At the end of the day, Morrisons is legally obligated to process personal information fairly and in accordance with the rights of their data subjects so I’ll only ever agree to data processing which is fair; regardless of what it states in their privacy policy.

The purpose of providing a privacy notice therefore, is to inform us as to how an organisation intends to process our information. By making a privacy notice readily available to us when we register, it’s likely that the data controller satisfies their obligation under the first data principle to provide us with a fair processing notice. Schedule 1, Part 2, 2(3) of the DPA requires a data controller to ensure that we are informed as follows::

(3)The information referred to in sub-paragraph (1) is as follows, namely—
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

As individuals however, we’re under no obligation to read, view, accept or agree to a privacy notice. Indeed, I refuse outright to be bound to an organisation’s privacy policy unless they’re able to demonstrate to me how I will benefit from that agreement. In other words; is the data controller able to stipulate what I will gain from a contract that binds me to their privacy notice, that I don’t already gain as a statutory right? If I don’t benefit in some way from a contract that binds me to Morrison’s privacy notice, then I have to reasonably conclude that such an agreement serves no purpose other than to mislead. What do I gain from that contract?

According to The Unfair Terms in Consumer Contracts Regulations 1999, a standard term is unfair if it creates a significant imbalance in the parties’ rights and obligations under the contract, to the detriment of the consumer, contrary to the requirement of good faith. Good faith simply requires businesses to deal fairly and openly with consumers.

With this in mind, I wanted to know what Morrisons think they gain by contractually binding me to their privacy policy. I contacted Morrisons to find out why they require their customers to agree to their privacy policy, what the nature of that agreement is, and how they will go about enforcing that agreement.

Morrisons’ Commercial Lawyer replied as follows:

Where you accept our standard terms this is a binding contract between you and Morrisons. Our standard terms incorporate our privacy policy so in that respect you are correct, you are contractually bound by the terms of the policy. The policy in fact only serves to tell you what we do with your data once you have agreed to give it to us. Your statutory rights are not affected.

This answer though, doesn’t explain why we all have to contractually agree to Morrison’s privacy notice. I sought further clarification by asking Morrisons to answer some specific questions. Morrisons Commercial Lawyer replied as follows:

Great to hear from you and very happy to help. In response to your queries.

1. Does Morrisons PLC accept that it’s the ICO’s interpretation of the DPA and PECR that defines my statutory data protection rights (albeit not statutorily mandated) and that your organisation must either comply with or challenge the ICO’s interpretation?

YES, WE DO ACCEPT THE ICO’S INTERPRETATION OF THE DPA AND PECR TO DEFINE YOUR STATUTORY DATA PROTECTION RIGHTS AND WE ABSOLUTELY COMPLY WITH THE ICO’S INTERPRETATION

2. If you accept that the ICO defines my statutory data protection rights, please will you clarify what I gain from a contract that binds me to your data processing? Even if your data processing were 100% compatible with the ICO’s interpretation of the DPA/PECR, I will gain nothing from such a contract so it’s not clear to me what the bargain is. What constitutes the consideration element of a contract that binds me to your data processing?

OUR PRIVACY NOTICE IS DISPLAYED IN ORDER TO SATISFY OUR STATUTORY DATA PROTECTION OBLIGATIONS IN ACCORDANCE WITH THE INTERPRETATION BY THE IPO AS STATE ON THEIR WEBSITE: TO STATE WHO WE ARE AND THE PURPOSE OR PURPOSES FOR WHICH WE INTEND TO PROCESS THE INFORMATION PROVIDED TO US.

SO WHAT YOU GAIN IS AN UNDERSTANDING OF WHO WE ARE AND HOW WE INTEND TO USE YOUR DATA SHOULD YOU CHOOSE TO PROVIDE IT TO US EITHER BY SIGNING UP FOR ONLINE SHOPPING OR OTHER SERVICES WITH US (SUCH AS MORE CARD, VOUCHERS ETC).

On this note, Dave, i want to bring you back to your original complaint. I believe you have an objection to providing us with data as you are not convinced we are complying with our obligations. Your point is that we cannot bind you to our privacy policy. Please confirm whether or not this is your only point.

Morrisons’ Commercial Lawyer still appears to be struggling to address the issue. Let me clarify.

Morrisons’ Commercial Lawyer said:

SO WHAT YOU GAIN IS AN UNDERSTANDING OF WHO WE ARE AND HOW WE INTEND TO USE YOUR DATA SHOULD YOU CHOOSE TO PROVIDE IT TO US EITHER BY SIGNING UP FOR ONLINE SHOPPING OR OTHER SERVICES WITH US (SUCH AS MORE CARD, VOUCHERS ETC).

The problem is, as individuals WE DO NOT NEED TO ENTER INTO A FRIGGIN CONTRACT TO OBTAIN THIS INFORMATION! Morrisons has a legal obligation under the first principle to provide us with a fair processing notice anyway, so Morrisons is obliged to either make this information readily available to us or to provide it upon request. SO WHAT DO MORRISONS GAIN FROM CONTRACTUALLY BINDING US TO THEIR PRIVACY POLICY?

Morrisons’ Commercial Lawyer still hasn’t demonstrated how either of us benefit from a contract that binds me to their privacy notice. What do individuals gain from that contract that we don’t already gain as a statutory right? Where is the consideration that is essential for all contacts to be valid (excluding Deeds of Assignment)? What do I promise to do for Morrisons when I enter into that contract and, more importantly, what do they promise to do for me that they’re not already obligated to do under the law?

Let me give an example. In their privacy notice, Morrisons states:

You are perfectly within your rights to ask us whether we hold information about you and if so, for us to give you certain details about that information and/or the information itself. This right is commonly known as a ‘subject access request’. Certain exemptions and conditions apply to this right, principally that it should be in writing and that you give us reasonable details about the information you want.

This is fundamentally incorrect! Morrison’s data subjects do not necessarily have to give them details about the information they want in a Subject Access Request (SAR). Morrisons is reasonably obligated under Section 7(1)(c) of the DPA to provide the information constituting any personal data of which that individual is the data subject. Morrisons can likely do this by disclosing any personal information that is linked to the data subject’s personal file. As someone who has submitted many SARs over the years, allow me to explain.

A typical organisation uses database tables to store information. For many organisations, the key database table will often be the Personal File where personal information about individuals is stored: the Employee File, the Customer File, the Member File etc. All other tables in the database will likely link to the personal file table. For example, the Sales table will link directly to the Personal File table so that, for any given customer, the organisation can see how many orders they’ve placed. Providing information that is linked to the Personal File tends to be fairly easy. In response to my SAR, Reed, the employment agency, gave me about 60 pages worth of screen shots of my information from their personal file and related databases and I was satisfied with that. It’s likely that they simply ran a report and printed off the results.

Besides using database tables to store personal information, it’s likely that most organisations will also store personal information elsewhere. For example, they may use shared drives, cloud drives, flash drives, collaboration platforms like SharePoint, or have e-mails stored within the Outlook applications used by their employees. As this information is not linked to the Personal File, it won’t be as easy to locate. If I ask a data controller to locate personal information that is located outside of the core databases, a Word document or an e-mail for example, then the data controller can reasonably ask me to provide them with information to help them locate that file. For example, if it were an e-mail, they may ask me to tell them who it was sent to, when it was sent, what it was about etc., to help them locate it.

What I’m saying is, in response to a SAR, Section 7(1)(c) of the DPA requires the data controller to reasonably provide the information constituting any personal data of which that individual is the data subject. In my experience, unless I say otherwise, most companies will give me the all the information linked to my Personal File in response to an SAR. The data controller can ask me if there’s anything specific that I require but I’m under no obligation to stipulate. And of course, if there’s something specific that I seek, then I would be expected to reasonably help the data controller locate that information.

So let’s be clear… We DO NOT HAVE TO PROVIDE MORRISONS WITH REASONABLE DETAILS ABOUT THE INFORMATION WE WANT by default, when we submit an SAR. There may be situations where we would reasonabley need to provide Morrisons with information – to locate something specific, but of the 80+ SARs that I’ve submitted over the years, I’ve never had to stipulate anything. I simply ask the data controller to give me the information that I’m entitled to under Section 7 of the DPA. If the data controller seeks clarification about what information I want, I just tell them that I want it all. This is where Morrisons is trying to manipulate our statutory rights in my view; by contractually requiring us to define the scope of the information that we seek.

See what I mean? The only party that’ll ever benefit from a contract that binds us to a privacy notice is the data controller and they benefit by attempting to manipulate our data protection rights. This is why Morrisons’ Commercial Lawyer is unable to give me a valid answer to my questions.

So my question remain unanswered… can Morrisons’ Commercial Lawyer give me a single valid example of something that individuals gain from a contract that binds us to their privacy notice that we don’t already gain as a statutory right? Furthermore, as we both need to benefit for the contract to be valid, can Morrisons’ Commercial Lawyer give me a single valid example of something that they legitimately gain from such a contract, that doesn’t involve misleading their customers.

As it stands, Morrisons has yet to answer my question. Morrisons’ Commercial Lawyer has provided me with an answer but she’s not answered my questions. Oh, and Morrisons was fined by the ICO in June 2017 for sending out marketing e-mails without first satisfying Regulation 22 of the PECR.

Added: 09.07.2017