DVLA GDPR breaches where the PPC operates on non-relevant land

Debszzzz2

Any thoughts from the regulars and legally trained readers on whether my understanding of the following is correct and, if so, is it worth revisiting the issue with complaints to the DVLA and ICO and would it be worthwhile testing this in court?

In June 2022, the ICO gave an opinion on the lawful basis for the processing of vehicle keeper data by the Driver and Vehicle Licensing Agency (DVLA). This was as a result of complaints to the ICO and the opinion set out the reasoning behind the Commissioner’s decision that ‘public task’ was the correct lawful basis on which the DVLA should process vehicle keeper data, when sharing it with car park management companies to recover unpaid parking charges.

The opinion was primarily for the DVLA and the Department for Transport (DoT) as they are the data controllers for this processing. However, it was also of interest to people who complained to the ICO about the DVLA disclosing their personal data to private car parking companies to recover unpaid parking charges.

The ICO received a number of complaints from people, about both the application of Regulation 27(1)(e) of the Road Vehicle (Registration and Licensing) Regulations 2002 and the DVLA’s sharing of vehicle keeper data more generally.

The DVLA wanted to know the correct lawful basis under Article 6(1) of the UK GDPR for sharing the personal data of vehicle keepers with car park management companies to recover fines (the Commissioner's wording, incorrectly used IMHO).

At the time, the DVLA said they were relying on legal obligation as their lawful basis to process this data. Regulation 27(1)(e) allows the DVLA to release keeper information to anyone who can demonstrate reasonable cause for wanting this information. The DVLA mistakenly thought that Regulation 27(1)(e) provided them with a legal duty to share those details with car park management companies to recover fines. They believed this satisfied the requirement under Article 6(1)(c) of the UK GDPR that the processing was necessary for compliance with a ‘legal obligation’.

The Commissioner concluded that the DVLA’s correct lawful basis is 'public task', not legal obligation. This is because Regulation 27(1)(e) provides the DVLA with a power, rather than a legal duty, to disclose vehicle keeper information to car park management companies in these circumstances. In order to rely on legal obligation, the DVLA would need to demonstrate that the processing was necessary for compliance with a ‘legal obligation’. This would require the DVLA to have a legal duty to rely on, which Regulation 27(1)(e) does not provide.

The Commissioner regarded the DVLA's handling of vehicle keeper data as a technical infringement of the law, stemming from an unintended change in the interaction between Parking Regulations and data protection law following the 2018 reforms. Despite this, the Commissioner acknowledged the DVLA's policy of reasonable cause and its power to disclose information to car park management companies for fine recovery. His role was to determine the correct lawful basis for this action.

The Commissioner's opinion that the DVLA's handling of vehicle keeper data constituted a "technical infringement" rather than a more severe breach of the law seemed to be based on the interpretation that the DVLA's error lay primarily in misinterpreting its legal obligations rather than deliberately or negligently disregarding data protection laws.

Many of us on this forum were disappointed with the ICOs conclusions and felt it was a whitewash of the DVLA's feeble excuses when highlighting their breaches of UK GDPR against keepers in certain instances, which I will come to.

The main point of this short thesis is to garner opinion of the regulars and those with some legal training and expertise with the following argument...

The ICOs conclusions were based on a PPC being able to rely on PoFA and "reasonable cause" to request keeper data from the DVLA. However, where a PPC operates on non-relevant land such as at airports, railway stations, ports and other locations covered by bylaws, there can never be reasonable cause because the keeper can never be liable for any alleged breach of contract except where the keeper has admitted to being the driver. If the keeper has admitted to being the driver, there is no need to request the keepers details from the DVLA. (There's a Catch-22 here for the PPC)

Therefore, because the PPC cannot hold the keeper liable under any other circumstance for a charge relating to parking on non-relevant land, they do not have any reasonable cause to request the details from the DVLA and the DVLA, by releasing the data, has therefore breached the keepers UK GDPR. The DVLA tried to get around this point by claiming they had a legal obligation to release the data whereas, according to the ICO, there is no legal duty/obligation, only a "pubic task" which is discretionary.

Whether the DVLA considered they had the right or duty to release a keepers data is irrelevant. They are only allowed to release the data, by duty/obligation or by discretion, if there was reasonable cause in the first place. If a PPC is able to rely on PoFA (where they operate on private land not covered by bylaws), they could have a reasonable cause.

Where a PPC is unable to rely on PoFA, such as at locations where they operate on non-relevant land, there can never be an relevant obligation to hold a keeper liable in the first place and therefore, there can never be a reasonable cause to request the keeper data from the DVLA in the first place.  In such an instance, the DVLA has breached the keepers UK GDPR by releasing that data.

https://ico.org.uk/media/about-the-ico/documents/4020676/dvla-opinion-20220613.pdf

https://assets.publishing.service.gov.uk/media/5a81a0c7e5274a2e8ab55036/Annex_A_-_KADOE_Fee_Paying_Contract_V4.pdf

KADOE B1.1: The DVLA has the legal power, under regulation 27 of the Road Vehicles (Registration and Licensing) Regulations 2002, as amended, to: “make any particulars contained in the register available for use by any person who can show to the satisfaction of the Secretary of State that he has reasonable cause for wanting the particulars to be made available to him.”

B2.1(a): The DVLA shall provide each requested item of Data to the Customer via the KADOE Service for the Reasonable Cause of enabling the Customer to: seek recovery of unpaid Parking Charges in accordance with the Accredited Trade Association Code of Practice, and using the procedure in Schedule 4 to the Protection of Freedoms Act 2012 (where the vehicle was parked on private land in England or Wales on a particular date)

The DVLA has no power to share the data if a PPC is unable to seek recovery of unpaid Parking Charges using the procedure in Schedule 4 of PoFA.

Thoughts?

Whatever2023

Data is requested from the DVLA so that a Notice to Keeper can be issued.

The primary purpose of a NTK is to invite the Keeper to either make payment, submit an appeal or provide the drivers details; the Keeper is not being held liable at this point.

As such, the Reasonable Cause is to seek recovery of the unpaid Parking Charge from someone; it is not to hold the Keeper liable (which comes later if applicable).

Debszzzz2

Whatever2023 said:

Data is requested from the DVLA so that a Notice to Keeper can be issued.

The primary purpose of a NTK is to invite the Keeper to either make payment, submit an appeal or provide the drivers details; the Keeper is not being held liable at this point.

As such, the Reasonable Cause is to seek recovery of the unpaid Parking Charge from someone; it is not to hold the Keeper liable (which comes later if applicable).

A keeper can NEVER be liable, sooner, “later” or ever for a PCN issued on non-relevant land. Therefore, there can not be any reasonable cause in this case.

An unregulated private parking company, typically an ex-clamper, making a data request under KADOE rules when there is no legal ground to hold the keeper (the data subject) liable because the operator cannot ever rely on PoFA is a breach of KADOE B2.1(a).

Have another read of the second bit of that rule and note that it says AND using PoFA. The ex-clamper knows that when they operate on non-relevant land, they can NEVER use/rely on PoFA.

So, to put my interpretation on the flaw in the ICOs original conclusion is that the DVLA has no legal basis for breaching the keepers GDPR in cases where the ex-clamper is operating on non- relevant land such as at an airport or station.

The only reasonable cause can be when the ex-clamper IS able to rely on PoFA, ie. anywhere they operate, other than on non-relevant land.

I don’t know how much simpler I can make the point:

The KADOE rules are clear and B2.1(a) means that no one, whether approved or not to use the KADOE rules, should be applying for keeper data in cases where the alleged contractual breach occurred on land covered by bylaws.

The operator has breached the KADOE rule and the DVLA, by complying with the request, has then breached the keepers GDPR.

Whatever2023

Good luck!

Fruitcake

Debszzzz2 said:

Whatever2023 said:

Data is requested from the DVLA so that a Notice to Keeper can be issued.

The primary purpose of a NTK is to invite the Keeper to either make payment, submit an appeal or provide the drivers details; the Keeper is not being held liable at this point.

As such, the Reasonable Cause is to seek recovery of the unpaid Parking Charge from someone; it is not to hold the Keeper liable (which comes later if applicable).

A keeper can NEVER be liable, sooner, “later” or ever for a PCN issued on non-relevant land. Therefore, there can not be any reasonable cause in this case.

An unregulated private parking company, typically an ex-clamper, making a data request under KADOE rules when there is no legal ground to hold the keeper (the data subject) liable because the operator cannot ever rely on PoFA is a breach of KADOE B2.1(a).

Have another read of the second bit of that rule and note that it says AND using PoFA. The ex-clamper knows that when they operate on non-relevant land, they can NEVER use/rely on PoFA.

So, to put my interpretation on the flaw in the ICOs original conclusion is that the DVLA has no legal basis for breaching the keepers GDPR in cases where the ex-clamper is operating on non- relevant land such as at an airport or station.

The only reasonable cause can be when the ex-clamper IS able to rely on PoFA, ie. anywhere they operate, other than on non-relevant land.

I don’t know how much simpler I can make the point:

The KADOE rules are clear and B2.1(a) means that no one, whether approved or not to use the KADOE rules, should be applying for keeper data in cases where the alleged contractual breach occurred on land covered by bylaws.

The operator has breached the KADOE rule and the DVLA, by complying with the request, has then breached the keepers GDPR.

The crucial word in B2.1(a) is "and."

PPCs, and possibly (probably) the DVLA themselves will, I'm sure, argue that the term reasonable cause allows them to ask the keeper to identify the driver. and then issue a PoFA compliant NTD by post. 

But, if this were tested in court, the victim keeper could argue that the CRA 2015 Section 71 applies, where the term that favours the consumer is the one that prevails. The keeper would argue that B2.1(a) refers only to cases where the keeper can be held liable in accordance with the PoFA, not where the keeper cannot be held liable where PPC is asking the keeper to provide third party (the driver's) data.

The only way to test this would be through the county court, the appeal court, and then the Supreme Court, and only for a case where the keeper was not the driver, and the alleged event occurred on non-relevant land. It would not be cheap. The parking industry would throw more money at it than an MP could claim for expenses in a year. 

Debszzzz2

Fruity, so far, you are the only person to agree with the point that a PPC cannot rely on KADOE if they are requesting keeper details from the DVLA for an alleged breach of contract by a driver on non-relevant land they operate on. By processing the keepers data in every request from a PPC for an alleged breach of contract on non-relevant land, the DVLA is breaching the keepers GDPR.

This could mean that there could be hundreds of thousand keepers who have had their GDPR breached by the DVLA in the past and will continue to be doing so every time they process a keepers data in future if they continue to allow PPCs operating on non-relevant land such as railway stations and airports, to request that data under KADOE.

Rule B2.1(a) of KADOE requires the PPC to be able to rely on PoFA, and specifically states so. I have not heard a single dissenting voice, so far, except for Whatever2023 who I believe is a PPC provocateur and did not provide any valid reasoning why my hypothesis is wrong.

I would like to hear, if possible, an opinion from some other legally minded experts before I take this further, at least to be tested in the lower courts. @Coupon-mad, @troublemaker22, @Johnersh, @ParkingMad, @The_Slithy_Tove, @bargepole ?

I will ask for an opinion from my family member DJ but I value the opinions of advocates that have specialist knowledge of the practices of these rogue operators from their long experience of dealing with these issues on this forum. I can easily get someone to drive my car to my local airport LJLA, which is infested by VCS and have them illegally apply for my details under the KADOE rules and for the DVLA to then breach my GDPR by providing my data to VCS who will issue me with an NtK which can be defended by not revealing the drivers details.

For so long, we have seen many complaints on here about the greed of the DVLA and how they are in cahoots with the unregulated private parking industry, raking in millions of £s every year by processing keeper data. I am searching for a thread from a year or so ago where one forumite complained to the ICO and eventually led to the Commissioner’s “opinion” piece that I was reviewing, which led me to my analysis that it was flawed due to the “and” bit in KADOE B2.1(a) for all instances of PCNs issued at airports and stations.

This could spell trouble ahead for all the PPC scammers operating at stations, airports and ports, as well as the DVLA who abuse keepers and see them as cash cows.

I am currently researching the last published figures from the DVLA about who they share KADOE data with. These figures are from FY 2018/2019. Prepare to have your jaw dropped when you see how many KADOE requests they receive at £2.50 a pop. If you can open the spreadsheet linked to below (ODS format) {I will try and convert to an Excel format} and find your favourite PPC to see how many KADOE requests they make, consider whether they operate at any airport or train station, APCOA, NCP, VCS, SABA to name a few, consider how many of those KADOE requests have been made illegally and each time the DVLA has breached someone’s GDPR.

https://www.gov.uk/government/publications/who-dvla-shares-data-with#full-publication-update-history

Fruitcake

I admire your tenacity, but I suggest you redact your comments from your post where you state that you are prepared to act as an  agent provocateur. I would not want to see any attempt to bring down this unregulated industry because of the contents of a saved internet page

Debszzzz2

I respectfully disagree. I don’t think giving advanced warning that I intend to test the legality of this issue is likely to damage any outcome. I am not breaking any law. The person who drives my car will not be breaking any law. The only law being tested, at this stage, is civil law.

VCS will be breaking the law by using KADOE to request my details from the DVLA because VCS do not have reasonable cause to rely on KADOE because they are not able to satisfy rule B2.1(a) at LJLA. The DVLA will be breaking the law if they do give my data to VCS because by doing so, they will have processed my data unlawfully.

GrannyKate

I think the ICO opinion is lacking a section on non-relevant land where POFA does not apply - I am not certain that such cases can be fully excluded. The KADOE contract does, however, make an interesting read but I need to have time and child free space to consider it in detail.  Will try and come back to you on this. (PS I worked in Data protection for 30 years or so and I do have an LLM in Information Rights Law and Practice) 

Umkomaas

Perhaps a nice, polite new style NtK should be issued for such cases ... like ...

'We are writing to you as the RK of vehicle (VRM) which was involved in a possible contravention of terms at (location). We are only able to hold the driver of the vehicle potentially liable for this as (location) is deemed to be 'not relevant land' under the Protection of Freedoms Act 2012 (Schedule 4) to enable us to hold you, the RK, liable for the contravention. We would be most grateful if you could provide us with the name and address of the driver and hand this letter to them. This is entirely voluntary.  If you do not provide us with these details by (date), we will close our file.'

🤓

Castle

GrannyKate said:

I think the ICO opinion is lacking a section on non-relevant land where POFA does not apply - I am not certain that such cases can be fully excluded. The KADOE contract does, however, make an interesting read but I need to have time and child free space to consider it in detail.  Will try and come back to you on this. (PS I worked in Data protection for 30 years or so and I do have an LLM in Information Rights Law and Practice) 

It's lacking a lot of things, but you're right; there's no differential between relevant and non relevant land in their "opinion", whether that's through design or more likely, a lack of understanding. 

Para B2(1)(b) of KADOE does cover situations where the PPC can't use POFA and in my reply to the original consultation I made a suggestion that the term "Notice To Keeper"  could only be used when a PCN was issued on relevant land within the relevant deadlines.