Using data from apps like Trainline as part of fare evasion prosecutions

some bloke · 7 Jul 2020

Bletchleyite said:
while TIL might fit that description (I am unconvinced

So am I. Private companies in general, or people or organisations undertaking private prosecutions would seem not to fit the part above that, which refers to statutory functions to exercise public authority or public powers.

"A competent authority means:

a person specified in Schedule 7 of the DPA 2018; or
any other person if, and to the extent that, they have statutory functions to exercise public authority or public powers for the law enforcement purposes."

https://ico.org.uk/for-organisation...rcement-processing/scope-and-key-definitions/

The definition is in section 30:

Data Protection Act 2018

www.legislation.gov.uk

RailUK Forums

Bletchleyite · 7 Jul 2020

I'm not convinced that bringing a private prosecution, which literally anybody can do if they have the money to pay for the process, would give TIL (an independent private company, not a TOC) " statutory functions to exercise public authority or public powers for the law enforcement purposes ", because if it would give it to them, it would give it to me, too.

I think they're pushing their luck in the absence of legal precedent, myself, assuming they did indeed obtain a disclosure from Trainline and weren't just making it up to see if the OP bit.

To add to that - why would the Police use a warrant to obtain that kind of thing if they didn't need to?

Starmill · 7 Jul 2020

island said:
I put it to you that the interests of a data subject in getting away with a crime he has committed do not override the interests of a train company in bringing him to justice for it.

I certainly don't agree with this, but I can see how it might be close to the line on both arguments here. If there's indeed no case law to draw on, and the most cursory search suggests that may well be true, my view of that is worth probably as much as yours: little more than nothing at all.

In particular I would like to see the question of exactly who the data controller is, and exactly what their legitimate interests for the purposes of the Act are, argued out fully and decided on by a judge. Trainline are of course not actually involved with the operation of trains or the protection of revenue of the firms who are.

221129 said:
It is definitely in the interests of the TOC that is prosecuting and in the interests of TIL who are investigating.

Yes, but are either a relevant subject or data controller for the purposes of the Act?

Bletchleyite said:
I think they're pushing their luck in the absence of legal precedent, myself, assuming they did indeed obtain a disclosure from Trainline and weren't just making it up to see if the OP bit.

Indeed. Anyone can try to use legal letters to intimidate anyone else with threats of bogus prosecution. If the threatened person capitulates out of fear it makes no matter whether the legal arguments against them were strong, weak or unproven. From TIL's point of view there's very little to lose and everything to gain.

35B said:
I can’t comment on admissibility, but have practical experience (non rail) of the bounds of “legitimate interest” being set significantly wider than has been suggested here, and in favour of the commercial interest. In the absence of case law, I’d be disinclined to say that a transfer of the kind discussed here would be barred under GDPR.

The commercial interest is one thing, and I don't deny that your experiences with it and its relevance to 'legitimate interest' for the purposes of the Act, but we should remember here that we are dealing with the question of an offence, not an unpaid debt.

Haywain · 7 Jul 2020

Bletchleyite said:
It is, but the legitimate interest test is a balance - you can't use it if it would cause significant disadvantage to the subject, and being privately prosecuted absolutely will.

I don't believe the law enforcement basis can be used by a private company, either, it would have to be by the Police/CPS.

I don’t see that the commission of an offence such as fare evasion can be regarded as a legitimate interest.

Bletchleyite · 7 Jul 2020

Haywain said:
I don’t see that the commission of an offence such as fare evasion can be regarded as a legitimate interest.

It's TIL and Trainline who would need that. The OP needs not to be unreasonably disadvantaged.

Haywain · 7 Jul 2020

Bletchleyite said:
It's TIL and Trainline who would need that. The OP needs not to be unreasonably disadvantaged.

Well, identifying a pattern of such behaviour seems legitimate to me.

Tetchytyke · 7 Jul 2020

Lots of different things here.

TIL have a legitimate interest in processing the client's data, so don't need permission to process data.

Trainline have the client's consent for processing their data, but only in certain ways.

TIL are not a competent authority as per Sch7 DPA 2018 and so cannot rely on the crime prevention exemption to force disclosure from third parties. Even if they could, s29 is not an unfettered right to go on a fishing trip.

If Trainline have handed over a person's travel history then, unless that right was set out in their privacy policy, you're looking at a pretty big breach of the DPA, as the law enforcement exemption does not apply to them or TIL.

But not an unsurprising one. Other members of this forum experienced similar unlawful behaviour from SouthEastern.

island · 7 Jul 2020

Trainline and TIL are definitely not able to benefit from the crime exemption (if we’re calling it that).

However, a privacy policy does not need to be updated infinitely often, nor does it need to be exhaustive. ”Processing data in a way not set out in your privacy policy“ is not an Offence.

island · 7 Jul 2020

Haywain said:
I don’t see that the commission of an offence such as fare evasion can be regarded as a legitimate interest.

That may be so, but the GDPR article in question only places the “legitimate” qualifier with reference to the interests of the data controller. The reference to the interests of the data subject does not have it.

Bletchleyite · 7 Jul 2020

island said:
Trainline and TIL are definitely not able to benefit from the crime exemption (if we’re calling it that).

However, a privacy policy does not need to be updated infinitely often, nor does it need to be exhaustive. ”Processing data in a way not set out in your privacy policy“ is not an Offence.

Erm, yes it is. You can only process data for the purpose(s) for which it was collected, and that purpose has to be made clear when you do (and users updated if that changes, with the opportunity to request their rights are carried out, e.g. deletion). Does Trainline's privacy policy include this sort of thing?

Tetchytyke · 7 Jul 2020

island said:
”Processing data in a way not set out in your privacy policy“ is not an Offence.

Data can only be processed for the purpose it was obtained, and that purpose has to be set out at the time the data was obtained. Data subjects must be told if their data will be processed for any other purpose, unless one of the exemptions apply, and given an opportunity to object. Permission to process data is not open-ended.

A privacy policy is part of that. Although you are correct it is not the be-all and end-all, you can't process data for purposes not set out when the data was obtained.

jumble · 8 Jul 2020

I struggle to understand why the OP does not make a complaint to the ICO if they feel minded to do so and care.
It would give a definitive answer rather than the mass of speculation that is present here.
No one here knows for sure what the ICO would rule

35B · 8 Jul 2020

Starmill said:
The commercial interest is one thing, and I don't deny that your experiences with it and its relevance to 'legitimate interest' for the purposes of the Act, but we should remember here that we are dealing with the question of an offence, not an unpaid debt.

I agree, but the scenarios I had in mind were much less clearcut even than debt recovery.

I am with those that find it perverse that GDPR would work to prevent prosecution of a criminal offence. While I defer to none in my contempt for TIL's way of working and ethics, some of the arguments being put seem to put their distaste for private prosecution of fares offences ahead of considering the wider public interest.

On the other hand, it might be interesting to look at whether the use of this data to achieve out of court settlements is in the public interest, or a commercial activity and abuse of the data.

Puffing Devil · 8 Jul 2020

jumble said:
I struggle to understand why the OP does not make a complaint to the ICO if they feel minded to do so and care.
It would give a definitive answer rather than the mass of speculation that is present here.
No one here knows for sure what the ICO would rule

It may not have been the Trainline handing over the Data - an enthusiastic RPI may have requested the OP's phone, for example. Or even scanned through when checking ticket data.

ukkid · 8 Jul 2020

No one knows how TIl came in posessesion of this data, if in fact it did.

I'd be more interested in knowing how or why RJ correctly guessed the OP would not come back (not suggesting any negative on RJs part).

Tetchytyke makes a very good concise summary of the issues in post 37 raised. However we are speculating at this stage and what we are discussing maybe purely hypothetical.

WesternLancer · 8 Jul 2020

ukkid said:
No one knows how TIl came in posessesion of this data, if in fact it did.

I'd be more interested in knowing how or why RJ correctly guessed the OP would not come back (not suggesting any negative on RJs part).

Tetchytyke makes a very good concise summary of the issues in post 37 raised. However we are speculating at this stage and what we are discussing maybe purely hypothetical.

See post #14 of the orig thread where RJ explains:

The OP changed their post to "never mind" on seeing the first few replies which is why I posted that

Someone has since reinstated their original post, the last edited marker has even disappeared. I don't think the OP will be back!

Fawkes Cat · 9 Jul 2020

If GDPR forbids sharing of data like this, why has it not yet been challenged in court? There are plenty of lawyers who are prepared to look for loopholes (there was even a solicitor known as ‘Mr Loophole’ for his challenges to motoring prosecutions) and anecdotally there are a number of high-earning fare evaders who would be in a position to employ such a lawyer. So it would follow that someone would try to get out of a prosecution by using a GDPR challenge - which even if it didn’t get far enough through the courts to set a precedent would surely make the news.

I’m with @35B on this one: unless GDPR/DPA2018 explicitly states that information can’t be shared for the purposes of investigating and prosecuting alleged offences, I can’t see that any court would read such a restriction into the law in that there’s obviously a public interest in the prevention and punishment of crime.

ForTheLoveOf · 9 Jul 2020

Fawkes Cat said:
If GDPR forbids sharing of data like this, why has it not yet been challenged in court? There are plenty of lawyers who are prepared to look for loopholes (there was even a solicitor known as ‘Mr Loophole’ for his challenges to motoring prosecutions) and anecdotally there are a number of high-earning fare evaders who would be in a position to employ such a lawyer. So it would follow that someone would try to get out of a prosecution by using a GDPR challenge - which even if it didn’t get far enough through the courts to set a precedent would surely make the news.

I’m with @35B on this one: unless GDPR/DPA2018 explicitly states that information can’t be shared for the purposes of investigating and prosecuting alleged offences, I can’t see that any court would read such a restriction into the law in that there’s obviously a public interest in the prevention and punishment of crime.

The fact that such a legal challenge hasn't happened yet doesn't in any way mean it wouldn't succeed if it did happen. Loads of defective laws and illegal practices go unchallenged for ages before being discovered.

The reality is that this hasn't yet become common-place enough to come to the attention of anyone who has the means or willingness to pursue this. The numbers are in the 4 or 5 figures a year at most. It's just not enough to cause a ruckus.

35B · 9 Jul 2020

Fawkes Cat said:
If GDPR forbids sharing of data like this, why has it not yet been challenged in court? There are plenty of lawyers who are prepared to look for loopholes (there was even a solicitor known as ‘Mr Loophole’ for his challenges to motoring prosecutions) and anecdotally there are a number of high-earning fare evaders who would be in a position to employ such a lawyer. So it would follow that someone would try to get out of a prosecution by using a GDPR challenge - which even if it didn’t get far enough through the courts to set a precedent would surely make the news.

I’m with @35B on this one: unless GDPR/DPA2018 explicitly states that information can’t be shared for the purposes of investigating and prosecuting alleged offences, I can’t see that any court would read such a restriction into the law in that there’s obviously a public interest in the prevention and punishment of crime.

I would assume that if the argument that GDPR restricts the ability to transfer data in this way held, and someone engaged a solicitor and made that argument, the likes of TIL would back down rather than risk a precedent.

However, although @Starmill has raised the question of who is the Data Controller, I've not registered anyone following that logic through. As I recall the NRCOT, the retailer is acting as an agent for the TOC(s) who will provide travel. The retailer is surely therefore acting as a Data Processor on behalf of the TOC, who would be Data Controller (though Trainline would presumably also be a Data Controller in respect of the purchaser's account history). To work effectively on behalf of the TOC, TIL would also need to have a data processing agreement with that TOC so that they could act as a Data Processor.

If I'm correct in this line of logic, the sharing of information becomes much less problematic.

Fawkes Cat · 9 Jul 2020

ForTheLoveOf said:
The fact that such a legal challenge hasn't happened yet doesn't in any way mean it wouldn't succeed if it did happen.

Similarly, neither does it mean that it would succeed.

ForTheLoveOf · 9 Jul 2020

Fawkes Cat said:
Similarly, neither does it mean that it would succeed.

Yes, it's untested so the outcome cannot be known. But the point is that you can't say it's not a valid argument just because it's never been made in Court before. There's always got to be a 'guinea pig' test case.

Starmill · 9 Jul 2020

35B said:
I would assume that if the argument that GDPR restricts the ability to transfer data in this way held, and someone engaged a solicitor and made that argument, the likes of TIL would back down rather than risk a precedent.

However, although @Starmill has raised the question of who is the Data Controller, I've not registered anyone following that logic through. As I recall the NRCOT, the retailer is acting as an agent for the TOC(s) who will provide travel. The retailer is surely therefore acting as a Data Processor on behalf of the TOC, who would be Data Controller (though Trainline would presumably also be a Data Controller in respect of the purchaser's account history). To work effectively on behalf of the TOC, TIL would also need to have a data processing agreement with that TOC so that they could act as a Data Processor.

If I'm correct in this line of logic, the sharing of information becomes much less problematic.

Yes. I think we'd need to understand much more clearly what the status of the accounts used for all of the historic transactions exactly was in order to follow this through. I don't think that information was ever provided.

Tetchytyke · 9 Jul 2020

35B said:
I am with those that find it perverse that GDPR would work to prevent prosecution of a criminal offence.

It doesn't seek to prevent statutory bodies from prosecuting criminal offences. In fact that very scenario is an exemption to GDPR!

TIL are not a statutory body, so their intention to carry out a private prosecution is irrelevant.

Fawkes Cat said:
If GDPR forbids sharing of data like this, why has it not yet been challenged in court?

Because nobody has taken it there yet, either through the ICO or as a defence to a prosecution at court.

As we all know, those who are convicted of fare evasion at court are, by and large, those who ignore the process. As you see here, the OP who raised this issue has not returned.

And as we've seen in the other thread, TIL will usually back down when they know they're on a loser.

Bletchleyite · 10 Jul 2020

35B said:
However, although @Starmill has raised the question of who is the Data Controller, I've not registered anyone following that logic through. As I recall the NRCOT, the retailer is acting as an agent for the TOC(s) who will provide travel. The retailer is surely therefore acting as a Data Processor on behalf of the TOC, who would be Data Controller (though Trainline would presumably also be a Data Controller in respect of the purchaser's account history). To work effectively on behalf of the TOC, TIL would also need to have a data processing agreement with that TOC so that they could act as a Data Processor.

If I'm correct in this line of logic, the sharing of information becomes much less problematic.

That hadn't occurred to me, but might well be the answer, assuming all the tickets investigated were for travel on the same TOC.

alistairlees · 10 Jul 2020

Bletchleyite said:
That hadn't occurred to me, but might well be the answer, assuming all the tickets investigated were for travel on the same TOC.

However, the retailer is the Data Controller; not just a Data Processor.

Tetchytyke · 10 Jul 2020

35B said:
To work effectively on behalf of the TOC, TIL would also need to have a data processing agreement with that TOC so that they could act as a Data Processor.

There's no issue with TIL processing the data, they have legitimate interest in the same way the TOC do because they are acting on behalf of the TOC.

35B said:
the retailer is acting as an agent for the TOC(s) who will provide travel

For that specific journey, there would be no issue with transferring data; as you say, the retailer is acting as the TOC's agent for that journey.

However that would, in my opinion, be limited to the specific journey and only data that is required for the TOC to provide the contracted service. Other data that Trainline hold should not be transferred to the TOC. A journey history certainly should not be.

Bletchleyite · 10 Jul 2020

Tetchytyke said:
However that would, in my opinion, be limited to the specific journey and only data that is required for the TOC to provide the contracted service. Other data that Trainline hold should not be transferred to the TOC. A journey history certainly should not be.

Is it possible that the TOC already had the data from previous journeys if they were on that TOC, i.e. that it wasn't actually transferred later for this explicit purpose?

talltim · 13 Jul 2020

Puffing Devil said:
The Trainline cannot share information without a request from a "Competent Authority". These are set out in Schedule 7 of the act.

Schedule 1 describes lawful reasons to hold and process data, not disclosure.

Access to the Trainline history, possibly without consent, was one of my first concerns at the top of this thread.

Are you implying that TIL are competent?

najaB · 20 Jul 2020

Tetchytyke said:
A privacy policy is part of that. Although you are correct it is not the be-all and end-all, you can't process data for purposes not set out when the data was obtained.

Not entirely correct. You can process data for purposes that are "compatible with" those for which it was collected. To quote Article 5:

Personal data shall be: ... 1. (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Using data from apps like Trainline as part of fare evasion prosecutions

Established Member

RailUK Forums

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Veteran Member

Member

Established Member

Established Member

Member

Established Member

Established Member

Established Member

Established Member

Established Member

Established Member

Veteran Member

Veteran Member

Veteran Member

Established Member

Veteran Member

Veteran Member

Established Member

Veteran Member