Monday, 16 September 2013

Bending the rules?

The ICO still cannot get it through their heads that in the case of my "work email address" the company, Andrews & Arnold Ltd, is not the subscriber. They are still saying that the email is for a corporate subscriber because "the company in questions is a Limited company". They think that A&A is like any other company that has a contract with a provider for email. Well, A&A don't. A&A run mail servers and have contracts with subscribers like me. Being an ISP makes us special: it makes us the other side of the contract in the definition of "subscriber". I am trying once again. They declined to answer my simple yes/no questions for some reason.

Anyway, this leads me to ponder a simple service A&A could offer.

When companies buy email from us it is normally for a whole domain, typically a company domain. We contract with the company for the domain, DNS, email and web space, normally.

However, there is no reason, technically, why we could not contract with individual members of staff at a company for their work email address within such domains. As the domain is not "ours", the company would have to give us permission to do that, and the company would no doubt already have clauses covering work email with their staff ensuring they keep it confidential and used for work purposes, so no DPA implications. From a technical point of view the service would be identical where staff access an IMAP mailbox from work computers. The only change would be the contract, which would be between us and individual staff members at a company.

What that would do is make all of those work email addresses come under the definition of "individual subscriber" under the regs. As we would not be their employer, we would not be providing it as part of employment to them, so even the ICO's made-up rules on that would not make them corporate subscribers. It would not be the employer contracting with the staff for email, it would be us. This is important as we are providers of public electronic communications services, and our typical business customers are not.

The hassle is the admin of charging people for individual email addresses. Thankfully we do have a very efficient direct debit system in place, so charging even £1 a year or some less would not necessarily mean we lose money.

Do let me know if anyone thinks this is a useful service? Not saying we would definitely offer it yet, and it would really only be sensible if we were to convince the ICO of the validity as well.

Then we just need to push MEPs to make the spam laws cover corporate subscribers anyway.


  1. From the employer side of things there are questions that would need to be addressed and the answers may well counteract what you are trying to achieve.

    What happens if an employee refuses to pay for their own email account?

    What happens if the employee leaves? As they have a contract with you for the email address can they keep using it? If not can the employer access the contents of the mail box?

    If an employee goes off sick can someone else access their email? If so then does each colleague need individual authorisation from the mail box owner?

  2. All very good questions, and I am sure most, if not all, could be sorted with some simple terms. But good questions to ask. To be honest, the employees are the ones that benefit, so there would be no forcing them to contract for email individually.

  3. Some thoughts which might be of use in forming an argument, although probably not useful in and of themselves.

    1.) The rule in question comes from European legislation, which is phrased in a different manner to that of the UK implementing regulations:

    "The use of ... electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent."

    It says nothing about "individuals", just "subscribers or users".

    2.) From the recitals to the directive, it is clear that the term "subscriber" is not just limited to humans:

    "... consent of a user or subscriber, regardless of whether the latter is a natural or a legal person, should have the same meaning ..."

    Clearly, a subscriber can be a legal person, since a subscriber is a bill payer, and the bill payer may be a legal entity.

    3.) The rule in question has within it a limitation of sorts, in that the basic prohibition:

    "shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected."

    Leaving aside your argument as to whether you are a "natural person" by virtue of your arrangements for providing an email address, it is clear that the rules imposed by the ICO must protect a legal entity's legitimate interests too.

    3.) The recitals set out the harm which the article is designed to cover:

    "Safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages. These forms of unsolicited commercial communications may on the one hand be relatively easy and cheap to send and on the other may impose a burden and/or cost on the recipient.

    Moreover, in some cases their volume may also cause difficulties for electronic communications networks and terminal equipment. For such forms of unsolicited communications for direct marketing, it is justified to require that prior explicit consent of the recipients is obtained before such communications are addressed to them."

    The harm envisaged by the directive, against which the article is designed to offer protection, is exactly that which you are suffering: a needless burden to deal with unwanted incoming communications, even leaving aside the contractual service mechanism you are attempting to construct.

    4.) The directive notes that "The single market requires a harmonised approach to ensure simple, Community-wide rules for businesses and users."

    Whilst the directive is, in itself, a harmonising measure, it is hard to understand how the objective of "simple, Community-wide rules" is effected unless there is a consistent approach. It might be worth seeing what other Member States do to protect legal entities.

    5.) The Article 20 Working Party has published — quite some time back — an opinion on direct marketing, and section 3.4 might be worth a read, if you have not already done so:

    1. That sounds very much like there was a clear intent in the legislation to provide some protection for corporate subscribers as well as individuals - so what I am trying to do here is actually very much in the "spirit" of the regulations!

    2. Absolutely! You just have a more difficult talk than might otherwise be the case, since the ICO has nailed its colours to the mast, and changing its position requires a change of policy. See, for example, it's recent publication on direct marketing, at paragraph 131:

      "These rules on consent, the soft opt-in and the right to opt out do not apply to emails sent to companies and other corporate bodies (eg limited liability partnerships, Scottish partnerships, and government bodies). The only requirement is that the sender must identify itself and provide contact details."

      You are going to have a tough time persuading the ICO with your argument around the ownership/operation model of the AA email address, as, in my view (having had considerable experience of dealing with the ICO), it is simply a layer of complexity too far. You might, however, look at who you are discussing the matter with at the ICO, and perhaps seek to talk with a more senior representative? There is an industry representative for telcos, which might be a better way in for you, even though the underlying point of your argument is that you are a natural end user, receiving spam in your personal, rather than professional capacity.

    3. I apologise for the most sloppy spelling grammar!

      sed -i 's/talk/task/g'
      sed -i "s/it's/its/g"

      (And, in my previous post, it's the Article 29 working party, not Article 20...)

    4. My biggest issue here, and I cannot be alone in this, is that I operate one mailbox, ultimately. All of my email addresses go to the same email box, and cause the same hassle as any other email if they are junk mails. The fact that some are addressed to a "work email address" and some to a "home email address" is not a distinction I feel when suffering the burden of handling the crap that I get. It makes no sense that the law should, in my case, differentiate them. As for beating up the ICO - yes - hard work. I have a range of email addresses from totally 100% clear that they are personal email addresses for personal use and consist almost entirely of my name, through to those that would, to anyone you asked, be considered a "work email address", and many in between. I confuse the issue slightly by having a "personal" address on my business cards, i.e. an address that, if I ever left A&A, would stay with me as my domain and used for my family's email. So we should be able to incrementally push ICO to a sane policy. I'll try.

  4. Any chance you can find out the ICO's CEO/CTO/other managers' email addresses and then post them publicly? After all, if they aren't personal email addresses and therefore personally identifying information I'm sure they won't mind lots of additional email... (Probably find out that they insist their secretaries print the emails for them to respond to as they can't be doing with that newfangled technology - and they never actually see how bad the problem is)