Over The Counter Culture

So what’s my connection? Well, a couple of years ago BPP was purchased by the Apollo Global group, the main operator of for-profit higher education in the US, including the massive University of Phoenix. BPP is the UK law school I just completed my Graduate Degree in Law at.

The acquisition as 4/5th funded by Apollo, whilst the Carlyle Group (well known to Michael Moore and his unwashed ilk for its huge presence in the US war machine and its ties to both the Bush and Bin Laden families and the UK Conservative party) stumped up $200m for the ongoing joint venture.

Since then, BPP has been aggressively expanding, and I have been part of that effort: as a Brand Manager, I’ve assisted on open days, fairs and even a marketing video. The UK Bar Standards Body, the non-governmental body which regulates education to become a UK barrister (read: attorney) had their guts for garters over a disgraceful ‘administrative error’ that led to massive oversubscription on the course, swelling class sizes and seeing people turned away at short notice before the start date of the course they’d previously been accepted to.

BPP is adding centres around the country, and increasingly shifting to online, long-distance courses. Leverage. It’s also running a very strong upselling campaign to get people in my position to ‘upgrade’ our GDL into LLB (i.e. Bachelor of Law) degrees – getting the accreditation to do so was one of the very first moves it made after Apollo took the reins.

And in very recent news, BPP also announced that it is abandoning its bases as a professional educational college, and taking the title ‘University’ – the first private university in thirty years, and fully in keeping with Apollo’s US track record.

Yet it’s worth pointing out that the tutoring and teaching I got last year was mostly really very good. I was lucky to be in a class of very bright people and mostly quite good tutors. So my concerns aren’t derived from personal experience; they came from an HR person I got talking to that was attending a BPP event I was working at. She was from a very decent City law firm.

BPP, she said, has become less selective in who it allows onto the course. People with 2:2 (i.e. third-rate) degrees from universities are now given places when before a 2:1 or better was required. Her complaint is that this has made her job harder; no longer a badge worth trusting, she has to look deeper into CVs to see if they have to be binned at first sweep through the thousands of applications they receive. Worse, the HR personnel now have to field calls from emotional mothers asking why their child is being turned down for City jobs despite the family having shelled out/indebted itself in order to pay for the most expensive GDL course on the UK market. In truth, a third-rate university degree is going to be a straight-up rejection and the HR personnel view BPP’s new practice as at best immoral, at worst, downright deceptive.

So that’s my connection. I realise that sharing it in this tripartite piece is labelling myself a profiteering hypocrite whilst simultaneously shooting myself in the foot by potentially devaluing the value of a keystone of my CV; and may perhaps come to be seen as a snobbish and irrational act from an Oxford graduate irritated at seeing the value of his further education cheapened as his degree is made more accessible to ‘the high street’. Even if this comes to be seen as a good thing, it’s an enduring truth that good things are not necessarily good ideas.

Smart, very smart: how to navigate a city, avoiding tourists: stay away from the red zones (photos taken by tourists), consider the blue zones (photos taken by locals) or yellow (could be either). Click the photo to see an enlarged version; click here to be taken to a gallery for other cities.

Here is the letter I sent Facebook to ask for my data (for the background to this story, see this post)

TO: Data Controller / Legal Compliance

Facebook Ireland Ltd

Hanover Reach

5-7 Hanover Quay

Dublin 2

IRELAND

RE: Subject Access Request (Data Protection Acts)

Dear Facebook (Ireland),

I wish to make a subject access request under s4 of the Data Protection Acts 1988 and 2003 (Ireland), the Data Protection Act 1998 (UK) and all other applicable legislation reflecting the rights I am conferred as an EU citizen under EU Directive 95/46/EC.

If you are not the designated Data Controller for Facebook, please pass this to the appropriate person, bearing in mind the legal deadline. I am expecting the company’s full and frank compliance with applicable Irish and EU law and thus expect to be given this data within the stipulated 21 days. Facebook was first given notice of this request in writing (via several channels on your online communication system on the Facebook website) on 10^th May 2010.

As my (EU-based) contracting party, I am by law entitled to receive a copy of any information you keep about me, on computer or in manual form, and any information about me passed outside the EU.

I would like a full and frank disclosure of all information held. Please inform me of all information you are legally bound to withhold. Please note that I will not be satisfied by any attempted exemption of information allowing the identification of third parties where those parties are known to me (i.e. form part of the same Facebook ‘Networks’ as me).

I prefer to be sent this information digitally wherever possible, in as full a depth and breadth as possible, and additionally in such structured formats as it is accessed, processed and/or communicated by your company.

I understand that you might like me to prove my identity, so a copy of my UK passport is attached. That is to be the sole lawful purpose for that document’s use. I understand that my rights also extend to demanding the removal of information about me when it is not held for the lawful and clearly stated purpose, and thus am giving advance notice of my exercise of that right: please release and delete that document once it is no longer required to prove my identity.

Yours faithfully,

Philippe Bradley

Also included was a photocopy of my passport and my contact details, plus a link to my facebook profile.

I am on a little quest. A quest to get Facebook to show me what it knows about me. The thing about ‘Web 2.0’ businesses (how old hat that sounds now) is that their entire business models are focused on understanding you, profiling you, getting as much information about you from many relevant sources:

• - your conscious self, actively filling in your profile
• - your less conscious self, passively interacting with the site, browsing certain pages, ‘Liking’ pages around the Web (or not clicking the Like button and still telling Facebook what pages you’re on)
• - your social network, interacting with you – indeed, your social graph can be highly predictive of who you are.

But what constitutes ‘my information’ for the purposes of a Subject Access Request (SAR) under UK, Irish (indeed, Europe-wide) Data Protection legislation?

A subject access request is an order any person in the EU can send any EU-based business that collects their data. It’s an order along the lines of ‘show me what you got’.

So I sent one. Initially, and with infinitesimally little hope of a reply, through some of the Contact Us webforms on facebook.com – doubtless to join mountains of rubbish in there, despite being clearly marked ‘Legal request: please respond; subject access request under the Data Protection Acts’.

And yet I knew that an earlier brave soul had managed to use a different part of the Data Protection Act to get Facebook to properly delete his account (Facebook prefers you to ‘deactivate’ accounts so you don’t leave an information black hole in the picture they’ve built up of everyone around you.

This told me two things. One, that for some reason Facebook thought it was under DPA jurisdiction. Two, it considers your social graph to be very important data – data about you, but with wider implications than that. So it was worth pushing on.

Thanks to a good spot by eagle-eyed lawyer Andrew Sharpe (@TMT_lawyer on Twitter if you want to follow his developing thoughts on the implications of his find; and here’s me), the secret is out: unless you’re accessing Facebook from the USA, in which case you’re contracting with a business in California, under Californian law, if you’re dialling in from anywhere else you’re dealing with a business in… Ireland!

All hands to the typewriter, I boshed out a pitiful attempt at a serious sounding Subject Access Request Letter (which I will post later)(Edit: HERE) and dispatched it, airmail to be signed for on delivery, with haste.

I suppose technically Facebook’s 40 days for compliance started when I sent them my first SAR (through their website forms). That was 16 days ago. Whether I want to argue that or not probably depends how nasty I’m feeling 24 days from now. Facebook’s been under the privacy kosh recently and maybe they deserve the extra 16 days if we mutually were to consider my posted letter to be the first SAR.

Let’s see what happens now. I would love suggestions in the comments concerning what data I should insist upon receiving, and in what format.

I will also be posting a rough guide to use of European data protection legislation in the coming weeks. In the meantime, wherever you are, you can have a look at the EU pages on the subject.