[YOUR NAME]

[YOUR ADDRESS]
[YOUR EMAIL ADDRESS + PHONE NUMBER]

 

Data Protection Officer  

Ipserv Ltd

Grafton House

15-17 Russell Road

IP1 2DE
 

[TODAYS DATE]

 

NOTICE OF PRIVACY BREACH

 

Dear Data Protection Officer, 

 

Following legal advice, I write this letter of claim under the Pre-Action Protocol for Media and Communications Claims (part of the Civil Procedure Rules). A copy of this protocol can be found at: 

https://www.justice.gov.uk/courts/procedure-rules/civil/protocol/prot_def 

 

After a PCN issued by Ipserv Ltd ([YOUR PCN NUMBER]) I have been forced to interact with two of your online websites: https://ipserv.zatappeal.com and https://ipserv.ec6pay.com to contest and pay the demand for the PCN in question.

 

I expect data controllers and processors of my personal data to comply fully with GDPR legislation. While accessing the aforementioned Ipserv websites, I became aware that, without my consent, your websites leaked my personally identifiable data to Google Inc., a US-headquartered multinational organization. Consequently, from simply driving into a car park managed by Ipserv Ltd, your operations have now materially broken data privacy laws, breached my personal privacy and caused me considerable distress.

 

Below are several recent references relating to the privacy breach that is present on Ipserv’s websites:

 

https://www.lexology.com/library/detail.aspx?g=8546d90b-61f5-4c96-8bd0-86d1676863c2 [Google fonts on your website? Do not share IP addresses with Google because of GDPR]

 

https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/ [The German Court has declared Google Fonts is not in compliance with GDPR/DSGVO]

 

https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/   [The recent German judgement finding use of Google Fonts in the way Ipserv uses them is a breach of GDPR in Europe, and awarding damages]

 

https://www.eadt.co.uk/news/23658755.suffolk-police-embroiled-facebook-data-sharing-scandal/  [Suffolk Police are presently under investigation for their use of a similar mechanism sharing sensitive details from their website visitors without consent]

 

Evidence of your websites (specifically https://ipserv.zatappeal.com and https://ipserv.ec6pay.com) transferring my personal data to Google Inc is as follows:

 

Your websites both make use of Google font files linked directly from Google-hosted servers around the world (namely ‘fonts.gstatic.com’). Upon visiting your websites, my web browser is automatically directed to download font files directly from Google for the purpose of correctly displaying your page. There is no consent requested to do this. As a result of this, internationally hosted Google servers receive a request that includes information that (i) I have accessed your website, and (ii) my personally-identifiable IP address.

 

Evidence of this mechanism and my breach is as follows:

 

Figure 1: ipserv.zatappeal.com (accessed [DATE YOU ACCESSED THE WEBSITE]). Note the ‘fonts.gstatic.com’ URL which is the result of a directive by your website to get my web browser to contact Google to load your webpage.

 

 

 

Figure 2: ipserv.ec6pay.com (accessed [DATE YOU ACCESSED THE WEBSITE]). Note the ‘fonts.gstatic.com’ URL which is the result of a directive by your website to get my web browser to contact Google to load your webpage.

 

Note that while your main website has an explicit consent footer button:

 

 

Neither https://ipserv.zatappeal.com or https://ipserv.ec6pay.com have any such consent button at the times I accessed them.

 

An IP address is a unique identifier to distinguish me from other users. The UK General Data Protection Regulation (UKGDPR) defines personal data as including “an online identifier” (Article 4(1)), and explicitly includes an IP address. The data that has been transferred to Google by Ipserv Ltd, without my consent, can be used to identify me individually and track my behavior around your website and the internet at large. Accordingly, the use of Google-hosted Google Fonts on your website facilitates surveillance of my personal internet usage by passing this to Google in the US; and as Google are subject to FISA that data is now available to international intelligence services.   

 

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) states in paragraph 6: 

 

“(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met. 

 

“(2) The requirements are that the subscriber or user of that terminal equipment- 

 

(a)   is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and 

 

(b)  has given his or her consent.  

 

Additionally, the same regulations at paragraph 2(1) says that “consent by a user or subscriber corresponds to the data subject’s consent in the GDPR”. Under the UKGDPR “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement”.  

 

The ICO is clear in its expectations on consent: 

 

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#consent 

 

Under the heading “What counts as consent”:

 

“To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent. You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read. Similarly, you cannot set non-essential cookies on your website’s homepage before the user has consented to them.   

 

Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do. 

You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or used for behavioural tracking. The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy.” 

 

 

The UK Regulator, the Information Commissioner’ Office (ICO) has produced guidance on the penalties they can issue which is available at: 

 

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/penalties/ 

 

“What penalties can the Information Commissioner issue? 

The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the Act – Law Enforcement Processing. Any penalty that we issue is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis. 

Under Part 6 of the Act, there are two tiers of penalty for an infringement of Part 3 - the higher maximum and the standard maximum. 

What is the higher maximum? 

The higher maximum amount, is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. 

In practice, the higher maximum amount can apply to any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries. 

 

What is the standard maximum? 

If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.” 

 

 

In summary, my allegations are that you have: 

1. Transferred my personally-identifiable data to an international organization without an appropriate safeguard in place in breach of Article 46(1) of the UKGDPR
2. Failed to obtain my consent for this transfer in breach of paragraph 6(2)(a) of the PECR
3. Failed to process my personal data in a lawful fair and transparent manner in breach of Article 5 of the UKGDPR 

I also make a formal request for a copy of any appropriate safeguards you are relying upon for transfers of personal data to the USA. Please note following the Schrems II case Standard Contractual Clauses are insufficient for transfers to organisations that are subject to FISA, such as Google and Facebook (https://www.twobirds.com/en/insights/2020/global/schrems-ii-judgment-privacy-shield-invalid-sccs-survive-but-what-happens-now)

 

Consequently, I am therefore seeking compensation for: 

1. the loss of control of my personal data, a head of damage which Recital 85 of the GDPR confirms is more than minimal and therefore is an actionable loss; 
2. loss of ability to exercise my rights over my personal data;  
3. the distress caused by your breaches of the law; the Data Protection Act 2018 section 168(1) states that damage includes distress.  

To that end I also attach a without prejudice offer to settle.  

 

If you do not wish to accept my offer paragraph 3.6 of the Pre-Action Protocol for Media and Communications Claims states that you should provide a full response within 14 days but if you are unable to respond in that time period, you should specify the date by which you intend to respond.  

 

Please note paragraph 3.7 of the protocol states that your response must: 

• confirm whether liability is admitted or denied  
• if liability is offered what you are willing to offer as a remedy  
• if liability is denied you must explain your reasons for denying liability including an indication of any statutory defence or facts you will be relying upon in support of your defence.  

Please note if you wish to verify the technical evidence I have presented above of https://ipserv.zatappeal.com and https://ipserv.ec6pay.com leaking personally identifiable data to Google, you may do so by using the following tool: https://developer.chrome.com/docs/devtools/network/  

 

I look forward to your response.  

 

Yours sincerely,  

 

 

[YOUR NAME]

 

[YOUR ADDRESS]
[YOUR EMAIL ADDRESS + PHONE NUMBER]

 

 

 

 

 

 

----------------------------------------------------

 

 

 

 

[YOUR NAME]

[YOUR ADDRESS]
[YOUR EMAIL ADDRESS + PHONE NUMBER]

 

Data Protection Officer  

Ipserv Ltd

Grafton House

15-17 Russell Road

IP1 2DE
 

[TODAYS DATE]

PRIVACY BREACH DAMAGES SETTLEMENT

 

Dear Data Protection Officer, 

 

WITHOUT PREJUDICE  

 

I am claiming losses in the form of distress, loss of control of my personal data and loss of availability of my rights over the same, actionable damages as confirmed by case law and statute.  

 

I therefore make a without prejudice offer to settle this matter in the sum of £500.00 in full and final settlement of this claim. This offer shall remain open for a period of 21 days. 

 

The amount offered is below that awarded in case law in this area, namely the Court of Appeal decision in Halliday v Creation Consumer Finance (2008) in which the Court awarded £750.00 for distress (paragraph 48). The judgement can be found here: 

 

https://uk.practicallaw.thomsonreuters.com/D-017-2538?transitionType=Default&contextData=(sc.Default)&firstPage=true   

 

It is therefore very likely that more would be offered at trial. 

 

 

Yours sincerely 

 

[YOUR NAME]

 

[YOUR ADDRESS]
[YOUR EMAIL ADDRESS + PHONE NUMBER]