Friday, 16 August 2013

I think the ICO are a tad confused

In the ongoing case against Deane Computer Solutions (which is going to court, by the way), the ICO are also involved as I have made a formal complaint to them.

However, the ICO seem a tad confused.

They wrote asking me to confirm I am an individual subscriber, but also stated "It would appear that you work for a Limited Company — Andrews & Arnold Limited who are the registrar for Titanic.co.uk. If Andrews & Arnold own this domain then, then[sic] your email address would belong to a corporate subscriber."

This is plainly wrong for several reasons.

1. The registrar is not the owner, and has no relevance. The registrant is the "owner" in so much as anyone "owns" a domain. They do say "if" they own it though, so maybe they have some clue there.

2. They seem to think that the "owner" of a domain has any relevance to the "owner" of an email address, or more importantly to the "subscriber" for the email service on that address. This is plainly not true. I know many people with email addresses ending @btinternet.co.uk, even some with shares in BT and who work for BT, but that does not mean they are "corporate subscribers".

3. The idea that being a shareholder, employee, or director of a limited company somehow stops me being able to have a contract with that company is wrong. I have an employment contract, for a start. Andrews & Arnold Ltd is a separate legal entity to me, and can have a contract with me for email services and could provide that for email addresses under a domain "owned" by Andrews & Arnold Ltd just as it could to someone who is not an employee, shareholder or director of Andrews & Arnold Ltd.

I have, of course, asked them to clarify these issues and will post any reply.

Thankfully, in this case, there is no such confusion as titanic.co.uk is not owned by Andrews & Arnold Ltd. It just happens that the owner uses A&A as a registrar. So we will see how that goes in court. The only defence filed appears to be the continual assertion that adrian@titanic.co.uk is not an address of an individual subscriber. Well, I have proof. I have a letter, and an invoice, from the email service provider (who is the owner of the domain) confirming we have a contract for email services where I act as an individual. If both parties (me and them) agree that we have an agreement, then, pretty much by definition, we have an agreement.

8 comments:

  1. It does strike me as a fatal flaw in the current legislation that we can't actually tell with any certainty whether any given address is an "individual subscriber" (with rights) or the second-class entity of "corporate subscriber", condemned by bureaucrats to be spammed without recourse for no sane reason.

    Is md@btinternet.com "corporate" (probably the boss), or an individual guy called Mike Davids who uses his initials for a username?

    Can anyone come up with a sane reason why any email address should be denied the protection of "individual subscriber" status? (Or, conversely, why companies are allowed to make anonymous phonecalls; at the very least, I think 141 should be disabled on all non-residential lines.)

    1. Indeed, there is no way of telling. I was half expecting that as a "defence", but maybe he is saving that for the hearing. Basically, if you can't tell if what you are doing (sending junk emails) is going to break the law or not, then, well, don't do it! The same crazy situation applies to junk faxes where you don't need to FPS register a residential fax number - how do they know if a number is residential!

      I agree, it is crazy that corporate subscribers are excluded. It's an EU regulation - how does one get that changed? I assume one spams an MEP's "corporate" mailbox...

    2. I expect that the EU directive sets minimum protection - the UK should be free to extend that protection to all email addresses regardless of ownership, as long as it maintains at least the required level of protection. Certainly worth asking ICO or a friendly MP, if there is such a thing.

      Irritatingly, 141 being available and free of charge seems to be an EU mandate, though I don't know if it's required to be available to business users; again, though, I think the UK government could improve matters by requiring anonymous call rejection to be a free option as well. (Absurdly, it's not even an option on mobiles that I've been able to find so far, and BT charge an excessive amount for it on landlines at present.) Widespread use of that should render business abuse of anonymous call facilities self-defeating since it would reduce rather than increase their chances of getting through.

      That, and allow access to identify the owner of a phone number: I've had a few recent TPS complaints bounce since even with the caller's number and claimed company name they are unable to identify the caller! Technically, if I were able to claim compensation, I think I would then have standing to obtain a court order to identify them, which would be nice; as it is, I'm reliant on ICO enforcement (in)action based on the TPS report to them.

    3. The automatic rejection is a requirement on mobiles, and I had a long exchange with the ICO the day it came out. They agreed (eventually) that the mobile operators were in breach and they said they were not going to do anything. The original stock answer of "press the red key on the phone" only afforded the "user" a reject option, not the "subscriber" as required by the regs.

    4. But pressing the red key doesn't reject the call - at least on my phone, it performs the Busy action which means I have to pay for the call to be diverted to the office and if nobody gets to it in time, I have to pay for the call to be diverted again, this time to the business answering service. Very very different to rejecting the call in the first place.

    5. AIUI, the reason individual subscribers are more strongly protected is that it's easy for an individual subscriber to assert that no-one has given consent for the message to be sent to them; as the individual subscriber, you are the only person who can give such consent.

      Company mailboxes get more complicated; for example, many businesses have a "sales@example.com" type address which goes to multiple people, some of whom may have left the business. Any of those people could have given consent for the message, making the risk of false accusations of unlawful e-mail higher; plus, my manager could have arranged for someone to contact me (providing consent from the business), while failing to inform me that he'd done so. It's easier to avoid all these cases where the complainant and the consent granter are separate people by exempting corporate mail boxes.

      If the court interprets the exemption of corporate mail boxes in this way, they'll be unsympathetic to a "but I didn't know he was an individual subscriber - there's no way to tell" defence; the point of the exemption is to allow you to obtain consent from management on behalf of a business's accounts, and thus your defence would be that you'd obtained consent from someone who you reasonably believed could grant it, and thus had evidence that you thought it was a business mail box.

    6. As ever, an interesting view, Simon, but for things like marketing mailing lists it is very simple to double opt-in. When someone signs up for it, email them asking them to confirm they really want to sign up, and keep that reply as proof. Requiring some proof that a recipient of email to an email address has indeed consented would work for work email addresses as well, surely.

      All the junk mail I am getting to adrian@titanic.co.uk has not had that simple step taken as I would never reply to such an email and I have never submitted that email address to any lists or subscriptions. I don't actually use the email address normally.

    7. For mailing lists, yes; but the regulations apply to all forms of "unsolicited communications by means of electronic mail for the purposes of direct marketing" - this would cover (for example), my boss meeting someone at a trade show and saying "e-mail Simon at this address - he's the person who makes our decisions on that sort of product."

      It would also cover the confirmation e-mail you describe - such a mail (if not requested by the recipient) is "unsolicited communication by means of electronic mail for the purposes of direct marketing". While I'd expect the damages to be minimal in this case, it's still true that it's covered by the regulations.
