How to complain to a Data Protection Authority – a beginner’s guide

Lock backgroundBy Simon Davies

Total strangers often come up to me on the street and ask “How do I write a letter of complaint to my local data protection authority?” This is a question that deserves attention, so the Privacy Surgeon will deal with it head-on.

Of course, as with so many such issues, there’s a “why” that precedes the “how”. Why should you send a complaint to a data protection authority? Well, because it might make a difference. And it probably takes less time to write a letter than it does to spend hours whining in the pub to your friends about a privacy issue that irritates you.

Be realistic. The odds of a DPA taking action on your complaint are slim

The odds are against you, but the gamble is worth it. I spent an hour once writing a letter of complaint about the British Airport Authority’s plan to fingerprint all passengers at Heathrow. As a result, there’s no fingerprinting at Heathrow. The victory brought the added advantage of annoying the people who run that abomination they call Terminal Five.

The first point to understand is that every person has a right to send a letter of complaint to their local data protection authority (DPA). And some data protection authorities actually read those letters.

Be realistic though. The odds of a DPA taking action on your complaint are slim. Most DPA’s are under-resourced and overwhelmed with work and such letters are, frankly, a waste of their time. DPA’s know their priorities and if your issue isn’t on that list you’re likely to receive one of the following template responses:

  • It’s not in our jurisdiction;
  • You have no standing;
  • We are unable to substantiate your complaint;
  • The complaint falls outside our mandate;
  • We have already dealt with a similar complaint.

Being aware of these five template responses will give you ammunition for an effective complaint.

You should clearly state at the beginning why you have a direct interest in the complaint. DPA’s like to deal with people who have been affected by a violation. Sending a complaint about something that you overheard on a bus is less likely to receive attention than if you were actually  hurt by an abuse of law. And some DPA’s simply won’t look into a complaint unless it’s from the person who has been aggrieved.

Unless you really know your legal stuff, don’t play amateur lawyer. You’ll just irritate the reader.

However you should add something about the broader public interest. In a sentence or two, explain why your issue is also of concern to thousands or millions of people. You might want to consider stressing the impact on vulnerable people or children. That should put your complaint further up the queue.

Unless you really know your legal stuff, don’t play amateur lawyer. You’ll just irritate the reader. You can make oblique reference to proportionality or fairness, but don’t quote specific bits of law or you might find the complaint will be handled narrowly in that context. Let the DPA do the work of figuring out the legal logistics.

Now for the body of the complaint. Write an introductory section that sets out the background, history and context. Who or what exactly are you complaining about? What happened? What was the chain events and what consequences arose? Be as specific as you can. If you can include screen shots or hard evidence, do so. Just saying “yeah, I went onto Google and is sucks coz they rob all my data” won’t cut it.

Do a quick search of the DPA’s to check whether they’ve ruled on your issue in the past. It doesn’t matter which side they ruled on, but just make sure to reference previous cases. It makes you look intelligent and committed and it nudges them in the right direction.

So there you have it! Now all you have to do is sit back and wait for a positive reply.