It has become apparent that the passing of phone numbers via the Payforit API could be considered a breach of GDPR. There is no guarantee that such a challenge will succeed, but I can see no good reason not to try. The regulations around this are complex and are often misunderstood. Victims of Payforit scams are often convinced that a breach of GDPR has occurred because they never gave explicit consent for their phone number to be given to third parties. If only it were so simple!
There are six bases on which personal data may be lawfully processed under GDPR. These are described as follows by the ICO:
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The two bases most likely to apply are “Consent” and “Legitimate interests”. As explicit consent has not been sought, it seems inevitable that the networks will try to justify their processing using the “legitimate interests” basis.
This is where things get a bit complicated. The networks do have legitimate interests in passing your phone number to third parties when, for example, you use a directory enquiries service, or make a text donation to Children in Need, or even when you make an international call which is handled by a third party. This use is entirely legitimate. Our phone service would cease to function if data wasn’t transferred in this way.
The case of the Payforit API is different. The processing is not necessary, as it is quite possible to sign up for a phone-paid service without your number being supplied by your network.
The ICO requires that for use of the “legitimate interests” basis a three-part test is applied:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
The networks are likely to argue that reducing “friction” in the purchase of Phone-paid Services is a legitimate interest, so the Purpose test will be passed.
The Necessity test is more complex. It is NOT necessary for the networks to pass phone numbers to third parties through the API. They do it because it makes things a little simpler for the consumer. However, convenience is not the same as necessity.
The Balancing test is where I believe the networks will lose the argument. There is a great deal of evidence that the disclosure of consumers’ phone numbers through the Payforit API is causing consumer harm. This harm surely outweighs the minor inconvenience of an extra step for consumers who really want to sign up for these services.
Indeed, it is hard to see any reason why consumers should not be allowed to opt-out of having their phone numbers passed to the API.
It is likely that the networks will try to confuse the issue by talking about the more general issue of passing data to third parties. In any complaint it will be necessary to be absolutely clear that we are talking about the Payforit API and nothing else.
GiffGaff Letter
I have drafted a letter which has been sent to GiffGaff’s Data Protection Officer, highlighting my concerns. They are currently considering their position. I expect to be able to post their response by the end of March.
This is a Microsoft Word document which you can download and adapt to your needs. The HTML version is here.
O2 Letter
This is a letter which you can use to make a GDPR complaint if you have been defrauded via Payforit. You will, of course need to amend it to suit your own situation, but it contains the essential framework to ensure your complaint is taken seriously.
This is a Microsoft Word document which you can download and adapt to your needs. The HTML version is here.
Hi
I have received a text from jamjar mobile stating they are going to charge me £4.50 per text. I do not know who jamjar mobile are and why I would possibly need them to send a text when I can use Giffgaff? They sent a text and phone number for me to reply and stop the process but I do not believe, after reading about them, that they will leave me alone. Should I simply find another phone provider, as jamjar mobile have said in a text they have stopped the false account?
Please help as I am not up to this modern world.
Regards
Mr Michael Boland
JamJar is a Payforit scam. As you are on GiffGaff, they can only take money from your airtime credit. They will take £4.50 per week until you send the STOP text, or phone them. So you should do this without delay. You need to get confirmation from them that they have stopped the charges. Also ask for a refund of any money that has already been taken.
Unfortunately, if you stay with GiffGaff you will always be vulnerable to Payforit fraud, as they offer no means of protection. You could move to EE, who are the only network to offer proper protection. Moving to another provider will not stop JamJar charging you, unless you also change your number.