Background and implementation
In November 2018 the Solicitors Regulation Authority announced a new “digital badge”, a “secure clickable logo” which every law firm must implement by 25 November 2019. It is described thus:
“Provided via software which will make sure only regulated firms can display it, the logo will show online visitors that you are regulated and provide them with a link to information on the protections this provides. Displaying the logo will help you differentiate yourself from unregulated providers.”
The SRA has confirmed that if the digital badge is not implemented by 25 November 2019 then disciplinary action will be taken.
This firm has spent the past 9 months explaining to the SRA why this is nothing more than an illegal gimmick. The objective could be achieved without relying on a dedicated supplier of the infrastructure (ultimately Google) by simply requiring a link to a firm’s directory page held and updated by the SRA.
It would seem that somebody at the SRA “thought this would be a good idea” and, now having committed itself publicly to this scheme, cannot back out.
The SRA has variously said that the purpose of the digital badge is:
"[s]o that we can address any improper use of the logo, and understand which firms have adopted the service, we can see which websites have implemented the logo. We can also see how many times the logo has been clicked – this is to help manage system performance and to gain insight into usage."
"the Digital Badge is designed to reduce fraud and enhance client protection".
Which of the two is it? If it is to determine whether or not law firms have complied with Rule 4.1, which is to implement the digital badge itself, then surely that questions the intention of the SRA. Is this just to punish firms for non-compliance? Surely there are far more important compliance issues to oversee than the use of this marketing tool, the purpose of which is pretty limited and unimportant.
If it is to reduce fraud and enhance client protection then the SRA has to demonstrate the existence of a significant problem which this digital badge will address; otherwise it "solves" a problem which does not exist, or fails to solve a problem that may exist.
It is entirely unrealistic of the SRA to expect members of the public to be able to determine whether the badge is genuine, let alone what it is supposed to do. If the SRA wishes to place its faith in one technological device then it needs to be absolutely certain that it cannot be subverted and, if it is, how would we know? What steps is the SRA taking to ensure that it is not being subverted and misapplied?
Basis for illegality opinion
As to why it is illegal, well there are a multitude of reasons for this; largely to do with failure to comply with data protection laws (the GDPR) and possibly issues around confidentiality. The SRA has entered into a contract with Yoshki Ltd which it is not disclosing but as a data controller to Yoshki’s presumed data processor role one assumes that the SRA is satisfied with that relationship and the legality of the processing undertaken by Yoshki (but see comment below about joint controller liability).
However, each subscribing law firm is being required to implement the digital badge (SRA Transparency Rules, 4.1):
“An authorised body must display in a prominent place on its website … its SRA number and the SRA’s digital badge”.
The SRA has confirmed that, in relation to this digital badge:
“[i]n terms of a failure to display the badge once mandatory, our enforcement strategy and our transparency topic guide [apply]. Both outline the mitigating and aggravating factors we take into account where we identify noncompliance with our rules”.
Law firms can therefore expect the SRA to take enforcement action against non-compliant firms, even though the digital badge serves no more function or purpose than a static link to each firm’s details held by the SRA.
The SRA has faced a great deal of criticism in the past for its overbearing attitude towards the profession. It now requires an outcome-based approach where the manner of compliance is for each firm to assess and implement. How then can the SRA justify forcing firms to adopt a digital badge which, ultimately, achieves very little when there are so many other far more important things to worry about?
A very detailed analysis was sent by letter to the SRA at the end of January 2019, providing a very simple solution to the significant legal issues identified by this firm. We recommended that the SRA assume full responsibility on behalf of the profession for the operation and functioning of the digital badge, though it would then be required to ensure that the scheme complied with data protection laws when implemented by firms. There remains the issue of consent (see below) and the location of the digital badge (which determines when personal data is transferred to Yoshki and possibly Google).
It refused to do so and has refused to indemnify this firm for damages or loss suffered as a result of any breaches of data protection laws arising out of its implementation. In other words, the SRA lacks sufficient confidence in its scheme to warrant its legality.
The problem the SRA has is that it only considered its own interests, rights and obligations. It has failed not only to conduct a proper due diligence exercise over a supplier, namely Yoshki Ltd’s public operations and terms, but, more importantly, has assumed that its compliance will make all law firms compliant. Unfortunately, it does not.
As the data controller responsible for our firm’s website we have to ensure that all processing of personal data is lawful, which includes taking responsibility for all links to third party websites and technologies.
As the SRA will have nothing to do with this, it is up to each firm to assess the legality of this digital badge’s data collection and processing. In doing so we have come to the conclusion that Yoshki is either a joint data controller with this firm or it is a data processor (or sub-processor) to this firm. We are therefore responsible for all aspects of Yoshki’s processing of any personal data collected and processed as a result of the data transferred as part of the functioning of the digital badge. This may also extend to Google's use of that data, but that is an unknown quantity and therefore would need further clarity.
There seems to be a distinct lack of transparency here.
Processing of personal data by Yoshki
The next step was to review Yoshki’s stated privacy terms, which was undertaken in January 2019 and reviewed again in October 2019.
As stated above, as a joint data controller with Yoshki this firm is liable for whatever Yoshki does. However, if it is a data processor to this firm then we need to ensure that there is an appropriate contract between this firm and Yoshki regulating this (as per the GDPR, our standard light version of this running to 3 pages and a further schedule).
Either way, this is not a simple implementation; yet the SRA refused to accept any of these arguments and continues to insist that there are no problems in implementing this digital badge.
Consent and joint controller status
Yoshki’s website (www.yoshki.com) has a footer banner which states:
This is in breach of the explicit consent requirement and the requirement to have all check boxes unticked by default (see the ECJ in C-674/17 – the Planet49 case). Strike 1 for Yoshki.
If the SRA still wishes to argue that the digital badge is lawful then it may wish to take note of an analogy in the form of the Facebook “like” button in the recent judgement of the ECJ in Fashion ID, a German online clothing retailer, which was held to be a joint data controller with Facebook and therefore jointly liable with Facebook for the means and purposes of the operation of the “like” button (see the ECJ in C-40/17 – the Fashion ID GmbH case).
If this approach is to be applied to the digital badge then each law firm and Yoshki are joint data controllers with each law firm being, in effect, liable for Yoshki’s actions and then, further down the line, Google itself.
As to the consent point, the way the SRA is implementing this scheme it is impossible for the website visitor to provide prior consent to any processing by Yoshki; let alone reading and understanding Yoshki’s privacy terms or those on our website. The reason is that the digital badge is loaded as part of a firm’s home page, so the personal data transfer to Yoshki is made automatically and immediately.
Not only does Yoshki have to fully disclose the extent of its processing and onward disclosure but our firm has to do the same for Yoshki's, the SRA's and Google's processing; all of which have to be consented to in advance.
Therefore the SRA’s mandated method of implementation is in breach of the explicit informed consent requirement, as is Yoshki’s processing because again there is no opportunity to understand and then grant or withhold consent. The SRA cannot argue that Yoshki does not collect personal data when in fact that is what it does. We note that Yoshki states it does not store IP addresses but that is only part of the processing undertaken. That does not legitimise its prior processing. The subsequent use made or subsequent retention thereof is irrelevant because the website user has to provide consent prior to the transfer.
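The loading point made above, that a badge embedded in the home page causes the transfer to the third party before the visitor can consent, is illustrated by the following added example. It is not code from this post, from the SRA or from Yoshki: it contrasts eager injection of a third-party script with a consent-gated loader whose opt-in defaults to off, and shows what the browser discloses (IP address at transport level, and the page URL as Referer unless a referrer policy limits it) merely by fetching the script. BADGE_SCRIPT_URL and the stub document are placeholders constructed for the example.

```javascript
// Added example (not from the post, the SRA or Yoshki): eager vs consent-gated
// loading of a third-party badge script. BADGE_SCRIPT_URL is a placeholder.
const BADGE_SCRIPT_URL = "https://badge-provider.example/badge.js"; // placeholder

// What the browser discloses to the third party simply by fetching the script.
// Page script cannot withhold the visitor's IP address; it can only decline to
// make the request at all, or trim the Referer with a referrer policy.
function disclosedOnFetch(pageUrl, referrerPolicy = "strict-origin-when-cross-origin") {
  const origin = new URL(pageUrl).origin;
  let referer;
  if (referrerPolicy === "no-referrer") referer = null;           // nothing sent
  else if (referrerPolicy === "unsafe-url") referer = pageUrl;     // full page URL
  else referer = origin + "/";  // browser default: origin only for cross-origin fetches
  return { ipAddress: "visitor IP (sent at transport level)", referer };
}

// Consent record with the option unticked by default (the Planet49 position
// the section cites): no transfer happens until this becomes true.
function defaultConsent() {
  return { thirdPartyBadge: false };
}

// Inject a script tag; `doc` is the DOM document or a stand-in (see below).
function injectScript(doc, src, referrerPolicy) {
  const s = doc.createElement("script");
  s.src = src;
  s.async = true;
  if (referrerPolicy) s.referrerPolicy = referrerPolicy;
  doc.head.appendChild(s);
  return s;
}

// Eager loading, as the section describes: the request to the third party is
// made on page load regardless of consent, so the transfer is immediate.
function loadBadgeEagerly(doc) {
  return injectScript(doc, BADGE_SCRIPT_URL);
}

// Consent-gated loading: the request is only made after an explicit opt-in,
// and the page URL is kept out of the request with a no-referrer policy.
function loadBadgeIfConsented(doc, consent) {
  if (!consent || consent.thirdPartyBadge !== true) {
    return { loaded: false, reason: "no explicit opt-in for the third-party badge" };
  }
  injectScript(doc, BADGE_SCRIPT_URL, "no-referrer");
  return { loaded: true, reason: "explicit opt-in recorded" };
}

// Minimal DOM stand-in so the example runs outside a browser (constructed for
// this example; in a real page pass the global `document` instead).
function stubDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); return el; } };
  return { head, createElement(tag) { return { tagName: tag.toUpperCase() }; } };
}

// Walk-through when run directly with Node.
if (typeof document === "undefined") {
  const eager = stubDocument();
  loadBadgeEagerly(eager);
  console.log("eager: scripts injected on load =", eager.head.children.length);
  const gated = stubDocument();
  console.log("gated, default consent:", loadBadgeIfConsented(gated, defaultConsent()));
  console.log("gated, after opt-in:", loadBadgeIfConsented(gated, { thirdPartyBadge: true }));
  console.log("disclosed by default fetch:", disclosedOnFetch("https://firm.example/index.html"));
}
```

The gated loader changes only when the request is made, not what a request discloses: once the script is fetched, the visitor's IP address reaches the third party whatever the page does, which is why the consent check has to sit before the injection rather than after it.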
Data harvesting by Yoshki
"At no point, does Yoshki access, record or store any additional data such as IP addresses, page navigation behaviour, etc."
Our understanding is that this information is made available as part of the URL link to Yoshki and therefore personal data is processed.
Yoshki states that one of its legitimate interests is to gain insight into the badge’s use. Saying this does not make it lawful, for there needs to be a balance against the data subjects’ interests and rights.
It would seem that Yoshki is reselling and implementing software provided by Google under its Analytics brand. The SRA, when challenged about this, was of the view that Google as a company processes personal data lawfully. The SRA has been provided with a recent sample of reports detailing actions, fines and judgements granted against Google for breaches of privacy and data protection laws.
The SRA has also sought to rely on the fact that information provided to Google is anonymised or pseudonymised; but ignores the very clear warnings about reliance on this given that it is very hard to do this properly. Given the huge wealth of personal data harvested by Google one must assume that Google is able to piece together independent data elements to identify an individual.
The SRA can therefore have no justification in claiming that Yoshki will not harvest personal data when it clearly states that it will and must do so in order to provide information to the SRA. As we do not know what information Yoshki is providing to the SRA, as joint data controller, we are liable and responsible for determining the legality of that disclosure. The SRA is not being transparent in this regard - unless the SRA is prepared to assume full responsibility for the digital badge's implementation we cannot rely on any assurances it gives.
The SRA has been asked to comment on what is stopping Google, which is in the advertising business, from tracking a visitor to a law firm’s website and then serving targeted advertising to that user elsewhere. The capability exists. Will we be in the position where a subsequent visit to a social media platform will result in “have you been injured recently in an accident” adverts suddenly appearing?
This firm has a policy of not tracking visitors and we believe that allowing third parties to record client and potential client visits to our website is a breach of confidentiality. The SRA has yet to comment on this.
Conflict between the Rules
The SRA has also been asked, in light of the above, to explain how Rule 4.1 is intended to co-exist with the following mandatory Principles 2, 3, 4 and 7 in which we are required to:
2. act with integrity;
3. not allow your independence to be compromised;
4. act in the best interests of each client; and
7. comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner.
With the deadline of 25 November 2019 looming for implementation of the digital badge and the failure of the SRA to answer our concerns, we do not believe that the digital badge as implemented is lawful. This will lead us to the position where the SRA will no doubt commence disciplinary proceedings against this firm for its failure to implement it.
As the principal of this firm I have always sought to apply my own independent judgement which has served me well over many years. I thoroughly reviewed the SRA’s digital badge scheme as an experienced technology and privacy lawyer and found it to be beset with problems, as it remains.