As previously documented on this blog, on 5 June, Jolyon Maugham and his (Not Very) Good Law Project launched an online tool to “defend democracy from data dark arts”, by enabling supporters to send a data Subject Access Request (SAR), via the GLP, to one (or more) of five political parties, with a promise that, “if they ignore you, there will be consequences: together, we can take them to court”.

With the General Election done and dusted, this now deleted (see below) online tool would appear to be the sum total of a “broad campaign”, launched by the GLP in January, and for which the GLP has (so far) crowdfunded £32,573 from 1,755 donors, to:

“defend your data rights both through litigation and through reporting on bad practice, shine a light on shady campaigning schemes, and put us all back in control of our democracy.”

Reader, since January there has been no litigation, no reporting on bad practice, and no shining a light on shady campaigning schemes. Just a solitary online tool, via which some 13,000 data SARs were submitted to the five political parties – all but 2,000 of them to the Conservative Party – between 5 June and 4 July.

Twice, on 15 June and 17 June, the TV celebrity Carol Vorderman, who works closely with the GLP, urged her 990,000 followers on X/Twitter to use the GLP’s online tool to send a data SAR to the Conservative Party, simply to “throw sand into the Tory engine”. “Sign up if you fancy”, Vorderman urged her followers on 17 June.

Carol and her followers did get the numbers up: by 4 July, the Conservative Party had received some 11,000 SARs via the GLP campaign. Yet ICO guidance states that a data SAR is ‘manifestly unfounded’ if it is “being used to harass an organisation with no real purpose other than to cause disruption”.

Many of the 11,000 people who signed up to ‘throw sand into the Tory engine’ couldn’t even be bothered to verify their identity, when understandably and quite legitimately asked to do so by the Conservative Party. So much for wanting to ‘defend democracy’. And those who did verifify their identity and subsequently received a full response to their data SAR report that the Conservative Party is not exactly the Stasi or KGB.

Not only is it unclear what, if anything, this deluge of GLP-facilitated data SARs achieved, but it’s far from clear what Jolyon and the GLP hoped or expected it would achieve. The GLP last promoted the online tool on X/Twitter on 1 July, and haven’t mentioned it or the ‘broader campaign’ since. The Conservative Party is diligently processing each of the 11,000 data SARs, so it seems the GLP will not, as threatened, be taking the Tories – or any other political party – to court, and the online tool has been removed from the GLP’s website, which now simply states:

This campaign has now ended. In the run-up to the general election on 4 July, we shone a light on political parties using personal data to compete for votes. Personal data you probably didn’t know they had – and almost certainly didn’t agree they could use. We enabled more than 13,000 people to exercise their legal right to stop political parties from using their data.

Well, whoopee-doo. Democracy is saved!

Whatever, the campaign has confirmed what I and others have repeatedly suggested in recent years: that Jolyon and the GLP are not quite as keen on transparency and accountability as they insist others should be. On 5 June, having decided to play the GLP at their own game, I submitted a data SAR to the GLP, via the ‘contact page’ in the privacy notice on their website.

In contrast to the dastardly Conservative Party, which was asking those making a data SAR via the GLP to verify their identity within 48 hours of the first SARs being submitted, the GLP took until 28 June – more than three weeks – to ask me to verify my identity.

I replied by email, attaching a copy of my driving licence, the same day. But on 1 July, the GLP emailed to tell me that, as my data SAR is “complex”, they require an extra two months to process it, so will not respond in full until 5 September.

As ‘requiring time to consider and apply exemptions’ is not among the “examples of factors that may, in some circumstances, add to the complexity of a request” set out in the ICO guidance for organisations on when a data SAR is complex, on 2 July I emailed the GLP asking them to clarify, with reference to the ICO guidance and the Good Law Project’s own stated values, why they consider my data SAR to be complex. And later the same day the GLP replied, claiming that my data SAR is complex “because it involves us filtering for matters which are confidential and/or benefit from legal privilege”.

Who knows what that means, or why the tools working at the GLP are holding so much of my personal data that they need to spend three months filtering it in the hope of finding ways to hide some of it from me. But maybe things will become clearer on 5 September.

And, if they don’t … well, there will be consequences.