Summary

The use of the SRA’s digital badge as implemented is illegal under data protection law, primarily because of a consent issue. 

Its adoption by the SRA demonstrates a failure to conduct a proper and thorough data protection impact assessment.  Law firms which have implemented the digital badge at the SRA’s direction are nevertheless accountable as data controllers for the unlawful processing of personal data. 

Compliance with the SRA Standards and Regulations is no defence.  If the analysis and conclusions of this note are agreed with then every law firm would have to immediately cease using the digital badge.

The SRA could have achieved its objective by mandating the use of SSL certificates and https encryption, in the process ensuring greater security and accountability than the digital badge would and at a much lower cost.

This note has been updated as follows:  new sections added - this summary and the privacy by design argument.

Background and implementation

In November 2018 the Solicitors Regulation Authority announced a new “digital badge”, a “secure clickable logo” which every law firm had to implement by 25 November 2019.  It is described thus:

“Provided via software which will make sure only regulated firms can display it, the logo will show online visitors that you are regulated and provide them with a link to information on the protections this provides. Displaying the logo will help you differentiate yourself from unregulated providers.”

The SRA has confirmed that if the digital badge is not implemented by 25 November 2019 then disciplinary action will be taken.

This firm has spent the past 10 months explaining to the SRA why this is nothing more than an illegal gimmick.  The objective could be achieved without relying on proprietary technology ultimately supplied by Google by simply requiring a link to a firm’s directory page held and updated by the SRA.

It would seem that somebody at the SRA “thought this would be a good idea” and, now having committed itself publicly to this scheme, cannot back out.

How the digital badge works

Essentially it is a large logo with a link to yoshki.com. When clicked on one is taken via Yoshki to an SRA website page which confirms that the website belongs to a regulated law firm.  There is utility in this but nothing more than a simple URL link to the firm’s SRA database details would achieve.  However, it does not verify that the contents of the website are compliant or that the information on the website is authentic, accurate or complete.

As there appears to be no inherent verification and accountability in that series of links it would seem a relatively simple matter to create a spoofed or invalid website without the public being any the wiser. 

We now have a duplication of information – the badge itself which states “Regulated by the Solicitors Regulation Authority” with the current date displayed and “learn more”.  Firms are still required to state “authorised and regulated by the Solicitors Regulation Authority, registration no. [  ]”.

Stated purpose

The SRA has varyingly said that the purpose of the digital badge is:

"[s]o that we can address any improper use of the logo, and understand which firms have adopted the service, we can see which websites have implemented the logo. We can also see how many times the logo has been clicked – this is to help manage system performance and to gain insight into usage."

and that:

"the Digital Badge is designed to reduce fraud and enhance client protection".

Which of the two is it?  If it is to determine whether or not law firms have complied with Rule 4.1, which is to implement the digital badge itself, then surely that questions the intention of the SRA.  Is this just to punish firms for non-compliance?  Surely there are far more important compliance issues to oversee than the use of this marketing tool, the purpose of which is pretty limited and unimportant. 

If it is to reduce fraud and enhance client protection then the SRA has to demonstrate the existence of a significant problem which this digital badge will address; otherwise it "solves" a problem which does not exist or does not solve a problem that may exist. 

It is entirely unrealistic of the SRA to expect members of the public to be able to determine whether this is a genuine implementation of relatively unknown technology (the digital badge) let alone what it is supposed to do.   If the SRA wishes to place its faith in one technological device then it needs to be absolutely certain that it cannot be subverted and if it is how would we know?  What steps is the SRA taking to ensure that it is not being subverted and misapplied?

Basis for the illegality opinion

As to why it is illegal, well there are a multitude of reasons for this; largely to do with failure to comply with data protections laws (the GDPR) and possibly issues around confidentiality. 

The SRA has clearly not conducted a thorough data protection impact assessment (”DPIA”), nor for that matter has any law firm that has implemented the digital badge.  For smaller firms without a dedicated data protection team one could understand how it would be reasonable to rely on one’s regulator’s pronouncements, but for larger firms one would always expect that firm to undertake a DPIA, as did this firm. 

In doing so the consent issue ought to have been flagged as an absolute bar to its implementation and one would also expect many of the other issues raised in this note to have been identified as well.  Many firms will therefore have demonstrated a failure to not act independently, to question instructions and to have processed personal data unlawfully.  That will be between them and the ICO.

The SRA has entered into a contract with Yoshki Ltd which it is not disclosing but as a data controller to Yoshki’s presumed data processor role one assumes that the SRA is satisfied with that relationship and the legality of the processing undertaken by Yoshki (but see comment below about joint controller liability).

However, each subscribing law firm is being required to implement the digital badge (SRA Transparency Rules, 4.1): 

“An authorised body must display in a prominent place on its website … its SRA number and the SRA’s digital badge”. 

The SRA has confirmed that, in relation to this digital badge:

[i]n terms of a failure to display the badge once mandatory, our enforcement strategy and our transparency topic guide [apply]. Both outline the mitigating and aggravating factors we take into account where we identify noncompliance with our rules”.

Law firms can therefore expect the SRA to take enforcement action against non-compliant firms, even though the digital badge serves no more function or purpose than a static link to each firm’s details held by the SRA. 

The SRA has faced a great deal of criticism in the past for its overbearing attitude towards the profession.  It now requires an outcome based approach where the manner of compliance is for each firm to assess and implement.  How then can the SRA justify forcing firms to adopt a digital badge which, ultimately, achieves very little when there are so many other far more important things to worry about?

A very detailed analysis was sent by letter to the SRA at the end of January 2019, providing a very simple solution to the significant legal issues identified by this firm.  We recommended that the SRA assume full responsibility on behalf of the profession for the operation and functioning of the digital badge, though it would then be required to ensure that the scheme complied with data protection laws when implemented by firms.  There remains the issue of consent (see below) and the homepage location of the digital badge enabling code (which determines when personal data is transferred to Yoshki and possibly Google).

It refused to do so and has refused to indemnify this firm for damages or loss suffered as a result of any breaches of data protection laws arising out of its implementation.  In other words, the SRA lacks sufficient confidence in its own scheme to warrant its legality.

The problem the SRA has is that it only considered its own interests, rights and obligations.  It has failed to not only conduct a proper data protection impact assessment but also to properly assess a key supplier, namely Yoshki Ltd’s public operations and terms, but, more importantly, has assumed that its compliance will make all law firms compliant.  Unfortunately, it does not. 

As the data controller responsible for our firm’s website we have to ensure that all processing of personal data is lawful, which includes taking responsibility for all links to third party websites and technologies. 

As the SRA will have nothing to do with this, it is up to each firm to assess the legality of this digital badge’s data collection and processing.  In doing so we have come the conclusion that Yoshki is either a joint data controller with this firm or it a data processor (or sub-processor) to this firm.  We are therefore responsible for all aspects of Yoshki’s processing of any personal data collected and processed as a result of the data transferred as part of the functioning of the digital badge.  This may also extend to Google's use of that data, but that is an unknown quantity and therefore would need further clarity.

There seems to be a distinct lack of transparency here on the part of the SRA.

Processing of personal data by Yoshki

The next step was to review Yoshki’s stated privacy terms, which was undertaken in January 2019 and reviewed again in October 2019.  

As stated above, as a joint data controller with Yoshki this firm is liable for whatever Yoshki does.  However, if it is a data processor to this this firm then we need to ensure that there is an appropriate contract between this firm and Yoshki regulating this (as per the GDPR, our standard light version of this running to 3 pages and a further schedule).

Either way, this is not a simple implementation; yet the SRA refused to accept any of these arguments and continues to insist that there are no problems in implementing this digital badge.

One hopes that Yoshki has or will now revise its privacy policy and terms but that will not solve the consent issue.

Consent and joint controller status

Yoshki’s website (www.yoshki.com) has a footer banner which states: 

“This site use cookies for analytics, personalised content and live chat.  By continuing to browse this site, you agree to this use. [OK]”. 

This is in breach of the explicit consent requirement and the requirement to have all check boxes unticked by default (see the ECJ in C-674/17 – the Planet49 case).  Strike 1 for Yoshki.

If the SRA still wishes to argue that the digital badge is lawful then it may wish to take note of an analogy in the form of the Facebook “like” button in the recent judgement of the ECJ in Fashion ID, a German online clothing retailer, which  was held to be a joint data controller with Facebook and therefore jointly liable with Facebook for the means and purposes of the operation of the “like” button (see the ECJ in C-40/17 – the Fashion ID GmbH case). 

If this approach is to be applied to the digital badge then each law firm and Yoshki are joint data controllers with each law firm being, in effect, liable for Yoshki’s actions and then, further down the line, Google itself.

As to the consent point, the way the SRA is implementing this scheme it is impossible for the website visitor to provide prior consent to any processing by Yoshki; let alone reading and understanding Yoshki’s privacy terms or those on our website.  The reason being is that the digital badge is loaded as part of a firm’s home page, therefore the personal data transfer is made to Yoshki automatically and immediately. 

Without consent the SRA's legitimate interests, being purely marketing/compliance, cannot take precedence over a data subejct's rights; therefore the digital badge, as implemented, is unlawful.

Not only does Yoshki have to fully disclose the extent of its processing and onward disclosure but our firm has to do the same for both Yoshki's, the SRA's and Google's processing; all of which have to be consented to in advance.

Therefore the SRA’s mandated method of implementation is in breach of the explicit informed consent requirement, as is Yoshki’s processing because again there is no opportunity to understand and then grant or withhold consent.  The SRA cannot argue that Yoshki does not collect personal data when in fact that is what it does.  We note that Yoshki states it does not store IP addresses but that is only part of the processing undertaken.  That does not legitimise its prior processing.  The subsequent use made or subsequent retention thereof is irrelevant because the website user has to provide consent prior to the transfer. The method of implementation ensures that personal data is transmitted to Yoshki therefore it satisfy the processing requirements of the GDPR.

Data harvesting by Yoshki

Yoshki is in breach of company law by not fully disclosing its registration details and contact information on its home or contact pages, but this information does appear in its “Data and Privacy Policy”.  It took a while to find this information.

However, of real concern is the extremely broad scope of its data harvesting:  see its Data & Privacy Policy.  The extent of the data harvesting includes sharing the data with Google Analytics, exporting personal data to the US and giving itself the right to use personal data for categories of processing relating to tracking and profiling of users.  Yoshki does state that:

"At no point, does Yoshki access, record or store any additional data such as IP addresses, page navigation behaviour, etc."

Our understanding is that this information is made available as part of the URL link to Yoshki and therefore personal data is processed under the GDPR.  What it does after the event is irrelevant.

Yoshki states as one of its legitimate interests is to gain insight into the badge’s use.  Saying this does not make it lawful, for there needs to be a balance against the data subject’s interests and rights.

It would seem that Yoshki is reselling and implementing software provided by Google under its Analytics brand.  The SRA, when challenged about this, was of the view that Google as a company processes personal data lawfully.  The SRA has been provided with a recent sample of reports detailing actions, fines and judgements granted against Google for breaches of privacy and data protection laws. 

The SRA has also sought to rely on the fact that information provided to Google is anonymised or pseudonymised; but ignores the very clear warnings about reliance on this given that it is very hard to do this properly.  Given the huge wealth of personal data harvested by Google one must assume that Google is able to piece together independent data elements to identify an individual.

The SRA has assured this firm that Yoshki will not process any personal data outside of the SRA’s digital badge scheme, though the SRA will be obtaining various information about its usage from Yoshki.  Unfortunately, the SRA’s assurances do not reflect the very clear and unlawful processing of personal data which Yoshki permits itself, as outlined in its privacy policy.  This is all we can rely on and the conflicting position adopted by Yoshki is not encouraging. 

The SRA can therefore have no justification in claiming that Yoshki will not harvest personal data when it clearly states that it will and must do so in order to provide information to the SRA.  As we do not know what information Yoshki is providing to the SRA, as joint data controller, we are liable and responsible for determining the legality of that disclosure.  The SRA is not being transparent in this regard - unless the SRA is prepared to assume full responsibility for the digital badge's implementation we cannot rely on any assurances it gives.

That the SRA has now stated it has instructed Yoshki to disable Google Analytics is confirmation that the SRA now agrees that personal data is being processed by Yoshki, despite having maintained (and still maintains in correspondence with this firm) that there is no processing of personal data. 

Privacy by design

When there are multiple means of achieving an objective then one must select the means which is least invasive in terms of privacy.  The SRA could have achieved its objective by simply allowing a direct link from a firm’s website to the SRA’s record of that law firm.  This is essentially what the digital badge does.  Instead it selected proprietary third party technology and service providers which intercede a level of unnecessary processing of personal data.

By failing to do so the SRA has not complied with the the privacy by design requirement under the GDPR.  That is a second ground for unlawful behaviour.

The SRA has identified security and verification as reasons for the digital badge.  Why then has the SRA not sought to achieve this by mandating the use of https encryption and SSL certificates?  These are widely used and understood technologies that can not only verify the identity of the website itself but also protect the confidentiality of visitors by encrypting traffic.

A website verified by an appropriate SSL certificate with encryption enabled will do more to achieve the SRA’s stated aims than the digital badge would and at significantly less cost for the industry.

If 80% of the 10,400 or so law firms the SRA regulates have websites and it costs say £2,500 for each firm to implement then the industry will have to spend well over £20m implementing the digital badge.  (These figures are guesses and could quite easily be lower or higher.)  An SSL certificate cost in the region of £50-100 per annum.

Confidentiality

The SRA has been asked to comment on what is stopping Google, which is in the advertising business, of tracking a visitor to a law firm’s website and then serving targeted advertising to that user elsewhere.  The capability exists.  Will we be in the position where a subsequent visit to a social media platform will result in a “have you been injured recently in an accident” adverts suddenly appearing?

This firm has a policy of not tracking visitors and we believe that allowing third parties to record client and potential client visits to our website is a breach of confidentiality.  The SRA has yet to comment on this.

Conflict between the Rules

The SRA has also been asked, in light of the above, to explain how Rule 4.1 is intended to co-exist with the following mandatory Principles 2, 3, 4 and 7 in which we are required to:

2.   act with integrity;

3.   not allow your independence to be compromised;

4.   act in the best interests of each client; and

7.   comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner.

With the deadline of 25 November 2019 now passed this firm is at risk of the SRA commencing enforcement action against it.  Fortunately the SRA’s Rules are subordinate to primary legislation, in this case the Data Protection Act and the GDPR.

SRA's response

The only public response the SRA has given was on 14 November 2019 in which it stated, inter alia, that:

"we have agreed that Yoshki will turn off the Google Analytics at the moment to make sure that no firms have any residual concerns that would get in the way of implementing the logo".

This appears to be a temporary solution which does not confirm that Google Analytics will be permanently disabled.  That aside, the SRA is being disingenuous in suggesting that the concerns raised are limited to the use of Google Analytics.   This firm and the SRA have been communicating about this since January 2019 and the SRA has seen this note prior to publication.   It is misleading the profession by not acknowledging the extent of the issue.

In light of the SRA's refusal to deal properly with this issue we will be lodging a formal complaint with the ICO's office, requesting that every law firm which has implemented the digital badge as currently mandated be ordered to remove it.

In light of the above, the only real benefit of the digital badge for the SRA is compliance.  In other words, penalising law firms for an not implementing an illegal gimmick.