Will parking firms be able to buy driver addresses from DVLA under GDPR
Will parking firms be able to buy driver addresses from DVLA under GDPR

In addition to clamping down on cavalier use of individuals' data by private enterprise, there has been speculation about whether incoming GDPR could potentially hit some government schemes that monitise the data of citizens explicitly given to them for the delivery of a service, but which is then sold on to third parties without the data owner's consent. 

Via the electoral role the government collects the details of people who register to vote, and the DVLA is provided with addresses to register cars. In the latter case, the government is reported to be making more than £1 million a day selling the drivers' addresses to private parking firms so that they can be pursued for parking fines.

Under GDPR, one of the primary justifications for gathering data is that the data subject has provided informed consent for the uses to which the data will be put, and the entity storing that data will not use it for other purposes without permission – and if the data subject requests the information be deleted, then unless it is actually needed to provide the service – or a couple of narrowly defined exceptions (such as for public health purposes), then the record must be deleted. This subject control of their own data is the overall thrust of the legislation. However, there are other justifications including legal obligations, which would allow the DVLA to continue its actions, as Tim Turner explains further down the page.

In a comment to Yahoo from a DVLA spokesman, the organisation said: “DVLA's data release charges are set to recover the cost of providing the information.” 

Lee Munson, security researcher for Comparitech.com, emailed SC Media UK to suggest, however that: "The days of private car parks fleecing motorists for maximum gain, even for a very short overstay, may be of huge concern to Christmas shoppers, but there is light at the end of the tunnel.

"While the DVLA is perfectly within its rights to sell personal data to private firms at this point in time, the incoming General Data Protection Regulation (GDPR) has the potential to close that lucrative side-line overnight, if motorists are aware of their rights.

"From 25 May next year, companies will have to show compliance with the new regulation, one of the requirements of which is the need for informed and unambiguous consent to be in place before data can be shared with third parties.

"As a government agency, I would expect DVLA to be completely transparent about requesting that consent anew from all motorists. Failing that, drivers will of course have the right to withdraw any pre-supposed consent at any time. In either case, the agency will not be able to pass data on in the manner in which it is currently doing so."

However, as noted earlier, that's not the full story and there are other justifications that the DVLA can give, as,  in response to an earlier version of this story, Tim Turner wrote on the SC Media UK comment section: "The GDPR does not require the data subject to give informed consent as a default. Consent is one of six legal justifications, and any of them are valid for legitimising the use of personal data. The DVLA are under a legal obligation to provide data to those operating parking schemes, and having a legal obligation is one of the other legal justifications for processing data. This is true now, and it remains true under the GDPR. It is depressing that so close to GDPR being live, such basic errors are still be shared."

The issue then is whether the current legal obligation will be maintained, as, if it is maintained, then the DVLA will be able to continue to sell the data.