15.01.2026

Secrets, spin and smears

Factional differences are being fought out using the state machine, unattributable media briefings and bureaucratic information control. Mike Macnair investigates the latest attack on Zarah Sultana and her associates

Someone high up in Your Party, as yet unidentified, gave an unattributable briefing to the New Statesman, which, as presumably calculated, has caused something of a storm. The smoking gun is the Information Commissioner’s Office and its letter replying to the Peace and Justice Project. That reply, the full contents of which remain undisclosed, dealt with Zarah Sultana’s September 2025 attempted membership launch and the Jeremy Corbyn-controlled PJP’s referral about a possible breach of data protection regulations.

The published New Statesman story is that Zarah Sultana and her associates may be guilty of “serious criminal activity”. A charge that could have come from the ICO reply, or the briefing, or the New Statesman itself. The Guardian repeated the story in the same or stronger terms. Inacio Vieira on Substack adds merely criticism of the report as overstated and his unsuccessful attempt to get the ICO to give a clear answer about what it had said.¹

The ICO letter is not a secret to be ‘leaked’. The PJP’s referral was publicly announced, and there is no obvious reason why the ICO’s reply should be confidential or subject to litigation or legal advice privilege. What is at issue is the briefing - whether it was misleading and whether it would appear to be misleading if the ICO’s reply was disclosed in its full form.

The point of the briefing was presumably to smear Zarah Sultana and her associates in advance of the coming elections to Your Party’s central executive committee. But, if so, it seems inept, since it is just as likely to work as a smear on the originator of the briefing, as somebody who uses unattributable briefings to promote a particular line, or as a smear on Your Party as a whole, as characterised by apolitical clique warfare among its leaders.

Fraud

Unfortunately, we cannot avoid speculating about what the ICO may have meant by its letter, because the essence of the New Statesman and Guardian reports is the claim that the ICO has said that Sultana and her associates may be guilty of something more serious than some technical contravention of the European Union’s General Data Protection Regulation 2016 (GDPR). Inacio Vieira argues that there was probably merely a standard clause in the letter - as it were, ‘We aren’t taking this up, but if you think there is a case you can try “Report Fraud” (renamed from “Action Fraud”, which has been nicknamed “Inaction Fraud”²)’.

However, the New Statesman version claims that in the ICO letter is this: “A police investigation would take primacy over an ICO investigation, the advice added.” This is a slightly different point. What might be being said is that if the allegations (whatever they were) the PJP made to the ICO were true, this would amount to a serious crime, with the result that a police investigation should happen before the ICO dealt with the alleged infraction of the GDPR.

This is analogous to rape cases in universities and other private disciplinary procedures: the effect of doing the internal disciplinary procedure first is to preclude there being a successful prosecution, since the evidence which could be used in the prosecution becomes ‘contaminated’ by being processed through the quasi-judicial internal disciplinary procedure.³ So, similarly, a fraud prosecution would be prejudiced by the ICO making findings about the authority, or lack of authority, of the attempted membership launch.

But how plausible is this interpretation? The Guardian claims that the ICO “advised the PJP to consider going to Action Fraud … and the police to determine whether the issue constituted criminal activity”. The alleged crime would, then, have to be one of the offences under the Fraud Act 2006: probably either fraud by false representation under section 2⁴ or fraud by abuse of position under section 3.⁵

But both offences require that the defendant has acted dishonestly and with a view to making a gain or causing a loss. Thus, for example, in section 2:

(1) A person is in breach of this section if he:

(a) dishonestly makes a false representation, and

(b) intends, by making the representation,

(i) to make a gain for himself or another; or

(ii) to cause loss to another or to expose another to a risk of loss.

Section 4 contains analogous words. By section 5 (2) (a) “Gain” and “loss” “extend only to gain or loss in money or other property”; this is presumably in the statute in order to exclude dishonest representations by politicians and journalists with a view to obtaining votes.

The likelihood of a successful prosecution of Sultana or her associates under the Fraud Act is thus minimal. A prosecutor would be in the highest degree unlikely to be able to show either dishonesty or a view to making a gain or causing a loss on the basis of the aborted membership launch of September 2025.

Nevertheless there might, in principle, be civil claims available. Eg, for defamation, on Sultana’s side, but she has said she will not pursue this⁶ -sensibly, given the extreme extent to which the specialist bar in defamation sells and denies justice. Or in contract, on the basis that there may have been some legally binding agreements involved - though what if anything was agreed is very obscure.

GDPR

We do not know what the PJP said in its referral to the ICO. There are a number of possibilities posed by the labyrinthine bureaucratic structure created by the GDPR and the 2018 act giving it legal effect in the UK after Brexit. The simplest, however, is that the PJP reported the aborted membership portal launch as a “personal data breach”, as an “unauthorised disclosure” or “unauthorised … access” under GDPR article 4 (12): “… ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.⁷

This would require the claim to be made that Sultana and her associates in the launch were “third parties” under article 4 (10) - “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”.

Alternatively, the objection could be of unauthorised processing, contrary to GDPR article 29: “Article 29. Processing under the authority of the controller or processor: The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by [domestic law].”⁸

For this purpose, we would have to take it that the claim was that “the controller” was the PJP and “the processor” Sultana and her associates, so that Sultana and her associates, having access to personal data, processed that data without instructions from the PJP, thus violating article 29.

As soon as we attempt to approach the issue in this way, it becomes apparent that what was actually at stake in the September 2025 aborted membership portal launch was not what we would normally call a “data breach” (hackers get in; data is accidentally sent to the wrong recipient; and so on). Rather, it is a dispute about what company lawyers call the “internal management” of the company⁹ - in this case, the internal management of the new party project, which became YP. But this at once takes us into the extreme obscurity of the agreements and authority relations in the ‘new party project’; Carla Roberts has tracked some of the obscure history in this paper.¹⁰

This background would make it reasonable for the ICO to decline to go further with the reference, but to do so in a very neutral manner in order to avoid prejudicing any other possible claims. These would be, as I said above, civil contract claims, rather than criminal - though I have to say that the obscurity of the facts and the political context mean that both sides would be very ill-advised to pursue these.

Having said this, it is worth noting that I have not gone in depth into what I have described above as the labyrinthine bureaucratic structure created by the GDPR. This is a matter which is itself politically important. Critics have made the point that the GDPR produces a complex bureaucratic and box-ticking exercise, which discriminates in favour of ‘Big Tech’ and against smaller businesses by virtue of the resources required for compliance.¹¹

As soon as we see that the form of the GDPR discriminates in favour of Big Tech, and why, we can also see that this is a branch of the phenomenon I referred to in relation to defamation, that Charles III (and his recent ancestors) sold and denied justice, in violation of chapter 29 of Magna Carta, through the legal profession and the ‘free market in legal services’. The construction of elaborate regulatory schemes, like the GDPR - but equally like the Companies Act 2006 with its 1,300 sections and 16 schedules - inherently discriminates in favour of concentrated wealth. Thus regulatory schemes of the GDPR type are anti-democratic and promote the dictatorship of capital.

It is a part of this that GDPR compliance is commonly (if often inaccurately) used as an excuse for non-transparency.¹² In this respect, the underlying aim of the GDPR - protecting privacy in information - is antagonistic to political democracy and socialism.

We can see this at work at two scales. The larger can be illustrated by reports that lots of renewable electricity supply operations - mainly wind farms - have been built which have to be paid to stay idle because the electricity grid has not been improved sufficiently for them to be connected.¹³ This is both a market incentives failure and a simple planning failure. The market incentives failure is obvious. The planning failure reflects the fact that private information management (in this case, in the form of government spin) precludes rational decision-making. This irrationality is a symptom of the basic irrationality of capitalism in the 21st century.

The smaller scale can be seen in Your Party, where we began. It is perfectly clear that the effect of the central PJP people clinging to control through a combination of secrecy and unattributable briefings of the capitalist press has been to demobilise the possible energy and enthusiasm evoked by the initial announcement of a new party project. Political openness is the only way forward.

1. New Statesman: www.newstatesman.com/politics/uk-politics/2026/01/your-party-advised-to-refer-unauthorised-membership-launch-to-police; Guardian: www.theguardian.com/politics/2026/jan/09/zarah-sultana-your-party-unauthorised-membership-portal-launch-may-have-been-serious-criminal-act. Vieira: inacioinvita.substack.com/p/new-statesmans-serious-criminal-activity.↩︎

2. publications.parliament.uk/pa/cm5803/cmselect/cmpubacc/40/report.html (March 31 2023).↩︎

3. See G Davies, ‘Contamination of witness memory’ in A Heaton-Armstrong, E Shepherd and D Wolchover (eds) Analysing witness testimony London 1999, chapter 2. Compare also www.barstandardsboard.org.uk/code-guidance/guidance-on-witness-preparation. See other references in M Macnair, ‘Workers' movement: bureaucratic ‘justice’ and dealing with sex assault cases’ Weekly Worker April 4 2013: weeklyworker.co.uk/worker/958/workers-movement-bureaucratic-justice-and-dealing-.↩︎

4. The “false representation” being that the membership launch was authorised. This would depend on arguments about what the legal authority for actions in the name of the project was - not a straightforward matter. But, in view of the other requirements of the Fraud Act, the issue can be set to one side.↩︎

5. This section 4 claim would require positing that Sultana and/or her associates’ access to the data about expressions of interest in what became Your Party would involve expecting them “to safeguard, or not to act against, the financial interests of another person” - the “other person” here being whoever was considered to have a proprietary interest in the data. This would at best be a complicated claim, but again, in view of the other requirements of the Fraud Act, can be set to one side.↩︎

6. ‘Zarah Sultana vows reconciliation and cancels legal action after Your Party row’ The Independent September 21 2025: www.independent.co.uk/news/uk/home-news/labour-reform-uk-greens-b2830904.html.↩︎

7. www.legislation.gov.uk/eur/2016/679/article/4.↩︎

8. www.legislation.gov.uk/eur/2016/679/article/29.↩︎

9. This is a very extensively debated topic in company law, but Wikipedia has a convenient summary: en.wikipedia.org/wiki/United_Kingdom_company_law, under the subheads “Constitutional separation of powers” and “Corporate litigation”.↩︎

10. Eg, ‘Corbyn’s maybe party’, September 19 2024 (weeklyworker.co.uk/worker/1507/corbyns-maybe-party); ‘Dead-end politics’, February 20 2025 (weeklyworker.co.uk/worker/1526/dead-end-politics); ‘Still waiting for Jeremy’ July 10 2025 (weeklyworker.co.uk/worker/1546/still-waiting-for-jeremy). (More of the saga can be found linked at weeklyworker.co.uk/worker/authors/carla-roberts.↩︎

11. See, for example, MS Gal and O Aviv, ‘The competitive effects of the GDPR’ Journal of Competition Law & Economics Vol 16 (2020), cited in C Ducuing, ‘Data protection without romance’ Utrecht Law Review Vol 21 (2025); Y Smirnova and V Travieso-Morales at blogs.lse.ac.uk/businessreview/2025/08/01/why-is-gdpr-compliance-still-so-difficult (August 1 2025).↩︎

12. Eg, blog.frankleonhardt.com/2022/its-the-law-gdpr-as-an-excuse; and workers-can-win.info/2024/gdpr-a-barrier-to-organising.↩︎

13. Eg, finance.yahoo.com/news/britain-pushed-ahead-green-power-130000238.html; and www.industrialinfo.com/news/article/uk-ditches-zombie-projects-to-free-up-power-grid--351483.↩︎