"Data Breaches… Armageddon…" – as announced by the Three Horsemen

Stuart Ritchie


Under the GDPR, a data subject must be informed of the recipients or the categories of recipient of their personal data. These two choices are genuine alternatives. The controller can choose. But can that choice resist circumstances?

Under the old regime, likewise it was necessary only to specify non-particularized categories. Hence the semantically meaningless rubbish filling up the non-statements of processing held in various supervisory authorities’ existing "registration" databases.

So, under the GDPR, can we still get away with it? After all, most controllers, commentators, and implementers assume we can all still get away with it. A million ~~flies~~ experts surely can’t be wrong? Shouldn’t we eat what the ~~flies~~ experts eat?

Well, maybe, maybe not. "It all depends".


Depends on what? Ok, let’s wargame this. I’m a data subject. You’re a controller. You truthfully and compliantly (truth being insufficient for compliance) notify me as per Article(s) 13/14. Perhaps you even accede in good faith to the exercise of my right to access by sending me a full copy of my data under Article 15. All faithfully telling me (among the rest) that you share my data only with your recipient category "Carefully Selected Partners".

Next step: for any reason or no reason I get curious as to the identities of your Carefully Selected Partners. Perhaps I’ve been:

  • receiving emails from SpammersRUs (UK) Limited;
  • defamed in generous quantities by Blacklists UK LLP;
  • getting calls from Frozen Call Center Marketing, Inc;
  • seeing newspaper reports of a data breach in respect of my local police department’s data sales to the private sector; and/or
  • bombarded by pro-Republican political messages from Oxford Analytica arising from their processing of data provided by (the horror!) Zuckbook; along with my usual
  • beamings from the Illuminati (in competition with planet Zog’s lizard-men) to the control chip in my head, as already repeatedly explained to my local Court.

Anyway, being a concerned citizen and data subject who is unshakably convinced he "Knows His Rights" (spit, I’d hate myself as a client), I come to speculate you might have passed all these companies and (especially) the lizard-men and secret societies my data under the rubric of your very carefully selected "carefully selected partners".

So I write to you asking you for your Carefully Selected Partner list. Maybe I reveal to you the truth about the lizard-men, maybe I don’t. However, unlike some implementations of the old law, under GDPR my motivations are wholly irrelevant and it doesn’t matter at all whether my speculations are well-founded.

You (yawn) respond, perfectly correctly in law, precisely citing GDPR article references as to why you don’t have to particularize the recipients of my data. And, of course, there’s nothing that I can do within GDPR Article 13-15 to secure an Order to provide me with that list.

But what about alternative means?


Ok, let’s cut to the chase. How can I sue thee? Let me count the ways – distinct* methods lawfully to compel you to disclose the list:

    1. Withdrawal of consent (processing, transfer, and/or extra-EU).
    2. Statutory unfairness of consent (processing, transfer, and/or extra-EU).
    3. Statutory unfairness of contract (you know, the one that competitors and the EC routinely deployed to slice and dice Google in the EU before the GDPR penalties arrived, masquerading as anti-trust law).
    4. Data minimization issues for any non-consent bases.
    5. "Process minimization" issues for any non-consent bases.
    6. "Recipient minimization" issues for any non-consent bases.
    7. Public interest (automatic).
    8. Legitimate interests (automatic).
    9. Any other unlawful processing (not hard to find, just look at almost any Article 13/14 Notifications) – see also route 21.
    10. Processing is unlawful but data subject opposes erasure (a surprisingly common litigation scenario, I’ll enjoy this one) – see also route 21.
    11. Data subject requires data for legal claims (not necessarily you: also recipients, unconnected third parties, etc) – see also route 21.
    12. Non-GDPR obligation to erase data.
    13. Child data (automatic – note this altogether bypasses Article 8 tests and associated Member State derogations).
    14. Direct marketing associated with the process (which will lead to further cases logic-chopping the meaning of "direct marketing").
    15. Profiling associated with direct marketing by some other process or recipient (topically alumni data sales, or Zuckbook/Oxford Analytica).
    16. Alleged inaccuracy (automatic).
    17. Alleged profiling (near-automatic).
    18. Exercise of GDPR data subject right to general remedy.
    19. Order by any Supervisory Authority (of which there are 46) under various Article 58 scenarios.
    20. Any Court Order under another substantive law.
    21. Any Court Order under local procedural law (eg in England and Wales that would include CPR, CrimPR, disclosure / discovery, RFI, Norwich Pharmacal, etc, in addition to routes 9-11 above which thus are new procedural options available for general use accompanying any other civil litigation for which the data subject’s circumstances fit).
    22. Miscellaneous communications and circumstances such as undertakings, estoppel and/or arguably untrue representations.

* This is a distilled/condensed version of the little particulars list I assembled a few days back. All but the last five rely on simultaneously pleading a specific combination of GDPR Articles – these are bewilderingly diverse especially for this condensed list, and they’ll be aired soon enough, so I won’t particularize them.

What prompted this bit of navel-gazing? Well, it’s nearly May: spring is here, spring is here; life is skittles, life is beer. And, just as antisocial media data scientists in spring-time channel their math guru Professor Lehrer, their thoughts inevitably straying to life-enhancing outdoor activities (except for the few million that Dr Kogan "takes home to experiment" with Oxford Analytica), thus for law geeks and litigation. So my Little List is just part of a project compiling alternative-ways-home-to-single-prayer thought experiments associated with distinct objectives. I should say I’ve sourced the list purely from the plain GDPR Articles, and (on this particular objective) was surprised just how many alternative routes I think I’ve discovered without even having to interpret the Recitals’ guidance.


Ok, let’s consider a few of the "traditional" or foreseeable scenarios, derogations etc that controllers might try to deploy against data subjects in this context. Are they usable? For example:

  • Rights and freedoms of recipients as individuals (aka "mixed data")? Can’t see it. Individuals don’t get a pass here.
  • Impossible? Good luck with this one: actually it’s impossible that disclosure of your operational business processes is impossible – and, amusingly, were you so courageous as to assert such impossibility, the assertion per se would amount to actionable admission of other GDPR breaches anyway, so add route 8[correction: route 9] to the pleadings…
  • Disproportionate? No, in strict law. Alternatively, laughable especially given that the manual process of disclosing recipients is so simple that (with a minor lightweight extension to controllers’ Article 30 Artefacts) such disclosure can be fully automated from a single click.
  • The information is "commercial in confidence" or even confidential? I’m sure that’d work about as well as it always works in data protection law. The judge, unless very new and inexperienced, will (a) treat our submissions that private law trumps statute law with all due gravity and respect for at least ten seconds; and (b) avoid laughing out loud or reporting Counsel for misconduct for just about as long.
  • Processors aren’t recipients? I’m sure someone will try this. Good luck. Anyway, processors aren’t really the problem unless they’re fake processors (watch out goggledocs, gogglemail, and similar cloud providers with contracts that enable slurping by the putative "processor").
  • Local laws/derogations? Depends if such derogations are permitted by the GDPR and the Charter. Against known Member State attempts, some of these will fail for both of those reasons. For non-Member States, analysis starts with the EC’s timeless pre-GDPR amicus brief to the US Supreme Court in US v Microsoft. So foreseeably there’ll be acres of submissions on such issues…
  • National security? Sure, mostly that will work (subject to both necessity and minimization plus analysis of material derogations as above).
  • "Public security" aka incarcerating non-criminal immigrants/refugees? Prima facie unlikely, but the Courts likely will decide quite early in certain Member States such as the UK by whom the euphemism apparently was invented.
  • Law enforcement? Just as for national security, certainly that often will work (subject to necessity and minimization etc), but just as under the old law the controller had better be…. guess what? A law enforcement agency! (three cheers for those who guessed right – it’s amazing how many private sector multinational Defendants in correspondence seem to think they’re law enforcement agencies until… well, until they go to Court and have to get a real lawyer)

So, after all these turgid move and counter-move thought-experiments, where are we – you know, the controller and their data-subject-from-hell?

Commercial Analysis/Strategies?

There seem to be so many possible routes that I would infer that from time to time our data subjects will get what they want on this one. After all, as always, there’s always someone cleverer than us. Similarly, there’s always lawyers cleverer than our lawyers (fees in certain areas of law having little or no correlation with quality, as the GDPR rapidly will demonstrate). So if any of us try to game our data subjects the way some of us traditionally have done (nah, not looking at you, Alexander and Mark), we now should expect a bit more payback.

Some things will work, but most probably won’t. So fight or flight, but you may as well choose now and plan for it either way, rather than end up bushwhacked by scenarios which (self-evidently) already are being wargamed.

Caveat: is there a downside if we simply choose to fold?

Possibly: unless this is done carefully. If we do choose flight, it’s a terrible mistake to "over-compensate". Specifically: if we decide to fold, there is a question as to whether we voluntarily should supply recipient lists to our data subjects within Notifications up-front, as some well-meaning Supervisors such as the ICO appear to have suggested (as allegedly "good practice")? After all, it’s technically easy to do so, so why not…?

To comply in this particular way sometimes might be an avoidable mistake. We’ll only end up wasting our time, annoying our data subjects for no good reason, and probably breaching other parts of the GDPR.

Why? For most data brokers (controllers with recipients other than the specific data subject) their datafeed customers/recipients regularly will change, sometimes daily. And every time the information supplied on our Notifications becomes obsolete, we have to re-notify, remember? Notification fatigue is going to be bad enough for both controllers and data subjects without the former constantly peppering the latter with breathless updates as to our new carefully selected partner Spammers R Us (US), Inc. So if we feel like folding as a matter of policy, or giving our data subjects recipient details up-front, the smart way to do it is to have regularly updated dated recipient lists sitting on your web site and simply link to them from your notifications if they’re interested in (expressly) additional information, aka if you start getting a lot of requests.

To any data subjects reading this: don’t get ideas to try this at home. In fact, treat it all as fantasy until and unless you get hold of particularized pleadings. And even then don’t do it until July (for both substantive and procedural/tactical reasons I won’t address here). Not for the first time, I do wish Professor Carroll’s US class action against Oxford Analytica under the old English law and the Californian class action against Zuckbook had waited a few months; people will only get confused.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.