Fuuuucking hell what a terrible article. Here’s the pertinent paragraph:
Campaigners accuse Euro Parking of circumventing data protection rules by using EU-based agents to request driver data without disclosing that it is for UK enforcement.
TFL contracts Euro Parking to send fines to people. Euro Parking is based in the EU, and uses that fact to obtain information about European drivers, which TFL ultimately should not have access to.
Here’s the thing, it is the data CONTROLLER’S job to control data. You can make all the requests you want and it’s up to the party that holds the data to make sure that request is legitimate. The breach is on their side.
I guess there is an argument that this information has been obtained under false pretenses. If that’s true, it’s still got nothing to do with TFL. I guarantee there’s a contract term about complying with all relevant laws.