Saturday, 2 November 2013

Finally, the ICO agree with me

I have been chasing the ICO on the point of "individual subscriber" in relation to section 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003.

An unsolicited marketing email to an individual subscriber without consent (via various permitted means) has been illegal for over 10 years.

The reason I have been chasing this is that the determination of what constituted an "individual subscriber" for an email address seemed to be unclear to the ICO. They seemed to be insisting that anything that could be called a "work email address" would not count. In fact, as they have now finally agreed, it is the nature of the party to a contract with a provider of public electronic communications services for the supply of such services that matters: whether that party is an individual or not. It is as simple as that, and a simple matter of fact, not opinion.

I have many email addresses, ranging from ones where a third party (who is a provider of public electronic communications services) sells me email, and is otherwise nothing to do with me, through to a case where AAISP, my employer and a company I own, provide a personal email address, and finally where AAISP have a domain but contract with me personally for email services on that domain.

The latter is the most "edge case" I could come up with. Whilst it is not what I put on my business cards (that is actually an email on a domain I own), it is clearly a "work email address", adrian.kennard@aaisp.net.uk. Indeed, it has to be a work email address to meet Nominet rules for net.uk, but there is nothing to stop AAISP contracting with me such that I am the one paying for that email, even if the usage is always "work usage". Due to a quirk of the way we always have to have someone to bill for everything, I personally have been paying a nominal charge for email and domain services to AAISP for many years. So, I personally have the contract for email services on that domain.

Thankfully, after a lot of discussion, and a complaint and an internal review in ICO I have this.


They do go on to say that it is ultimately up to the court and that the court do not have to listen to ICO. It seems to me that as the ICO are the ones that enforce the criminal aspects of these regulations, their comments should play a major part.

The reason it took so long is not so much that this is, in any way, vague or a grey area. It is that mostly people are trying to get a work email or a university email address considered as an individual subscriber when that is not normally the case. Normally a company pays a provider of public electronic communications services for the email, and they are not themselves a provider of public electronic communications services, so even with a contract with the member of staff or company owner, the email is not that of an individual subscriber. Working for an ISP I am in an unusual position to come under the regulations, which should, IMHO, apply to commercial email addresses anyway.

So, I thank the ICO, and I may have to notify Deane that I have an extra document to reference in my upcoming court case now.

14 comments:

  1. Somehow I have managed to zap a comment on Nominet rules, not intentional. But Nominet rules do not preclude the possibility of an ISP being an individual (trading as himself) or an incorporated body of individuals, so you cannot assume net.uk is not an individual. Nominet rules talk of the way the domain is used. We use aaisp.net.uk entirely for AAISP use, it is a work email address. Use of the domain, and who is contracted to pay A&A for that use, are not the same thing :-)

    Replies
    1. The comment was:
      Isn't A&A therefore in breach of the Nominet rules for your holding of .net.uk - should I complain?

      for .net.uk domains:

      "11.2.5 The Domain Name must not be used in connection with any service provided by the registrant on behalf of any other entity. For example, the Domain Name must not be used as part of another entity's e-mail address or URL."

      So surely as you are paying for the e-mail account on the .net.uk domain as a private individual (eg another entity) you are in breach. And given that the .net.uk rules state it's only for ISP use (eg a business and not an individual subscriber) surely the entire case you have is moot since the other side could reasonably argue I'd imagine that they could *EXPECT* a .net.uk e-mail address to be a corporate and not individual subscriber...

    2. A further comment was:
      Moreover, I'm not sure "two wrongs make a right" would hold up here: if A&A, or for that matter BT or Virgin, suddenly gave all their customers an email address on a .net.uk domain, they might have a row with Nominet over that - but it wouldn't stop those customers being individual subscribers, or be a good defence for any spammer caught spamming them illegally.

      Indeed, 'sole trader' is one of the permitted classes of entity for .net.uk on Nominet's list, so any sole trader with their own active ASN would be a perfectly legitimate .net.uk domain but also an "individual subscriber" for spam purposes. (Nothing I can see to stop them outsourcing their email service to A&A, Fastmail, Google Apps or whatever, at which point they have indeed contracted for the email service, too.)

  2. Sorry about re-posting comments. I am not sure if I have all of them. The issue is that I often get people posting the same comment twice or more, presumably because they do not see it appear when they post (goes for moderation), so I have to delete the duplicates. In this case I had posted the comment, saw the same comment again this morning, assumed it was a duplicate and so clicked delete. Instead of saying "it is already posted", blogger just zapped it and the comments I had posted in reply! I'll try to be more careful.

    Replies
    1. Ah, I was wondering what had gone wrong there - I hit 'publish', got the Google login page and realised I was logged in with the wrong account. Logging out and back in under the right address got me back here without the usual "comment posted, pending moderation", so I thought logging out before posting had junked it and reposted.

      Of course, if even the ICO themselves can't figure out the classification of any given address, what clearer example could there be of the current legislation being hopelessly defective? Maybe one day that will be enough for it to be fixed eventually...

    2. I'm not sure that the current legislation is hopelessly defective; as I understand it, the distinction is to allow for the fact that in the case of a corporate mailbox, tracking down who can and cannot give consent for mail to that address is difficult - think of the case where my boss gives a company valid consent to send a mailbox he shares with me marketing e-mails, then gets hit by a bus and is in hospital for 12 months unable to communicate.

      On the other hand, the difficulty in classifying mailboxes should put spammy businesses on notice - they'd better have proof of consent before they risk it, because if their heuristics are wrong, and they pick up a personal mailbox, they're in bother.

    3. I'm not convinced that's a real issue. Yes, a company could have a shared mailbox like that, to which multiple people could consent - but so could a family: is JennyAndIain@example.com a "corporate" subscriber on that basis?

      The real solution would be for the spammer to keep evidence of consent. "John at ExampleTech asked me to contact Simon about this" - if you do complain, what are the odds of John happening to be incapacitated long-term to make their claim unverifiable, and does that really matter enough to add unenforceable and unknowable criteria to the law? If they faced a fine if their claim were proven false, they'd be taking a huge gamble there if they lie.

      As RevK has just demonstrated, it is literally impossible to determine whether a given email address is "individual" or "corporate" for these purposes! I can't see how the impossible distinction could be any more flawed than that.

    4. Whilst Simon has a good point, the current legislation (a) allows an "unincorporated group of individuals" to be an individual, and so has the issue already, and (b) you have this issue with any company - how do I know someone sending a P/O is authorised by the company any more than someone consenting to email. But the point Simon makes, that anyone sending any unsolicited emails has no way to know the address is not an individual so needs to have consent anyway to be sure, is important.

    5. I can see Simon's logic - yes, it could be more difficult to establish consent from a company (actually, the same is true of individuals: unless they had an actual record of me consenting, what's to stop me denying it later without needing to be in a coma or involve a second person?) - but you're right, trying to divide email addresses into corporate and individual doesn't actually solve the problem anyway. If they get proof of consent properly, that solves it for both cases too: Simon complains about spam at work, spammer replies "but your boss said to spam you, look at this message from him", end of complaint.

      We can't be sure about his second point until the court rules, though: if you win, yes, companies will have to err on the safe side and treat all addresses as individual anyway - but if the court accepts "we can't tell if an address is individual or not" as a defence, they can go the other way entirely and treat us all as "corporate" spam targets on that basis.

    6. So my understanding is that the exemption of corporate mailboxes is simply to ensure that early cases are simple - consent on an individual subscriber's mailbox is easy to prove or disprove, as the individual subscriber asserts no consent, and it's up to the spammer to prove that the individual subscriber is lying.

      With a corporate mailbox, it's much harder, as there are many more people who could have consented, some of whom may have their details published as a matter of law (see Companies House, for example), and some of whom are outside UK jurisdiction (think UK subsidiary of a US firm). It's thus much harder to prove that a spammer's claimed consent is forged, since you need cross-border co-operation in some cases. Rather than get into that mess, the goal of the legislation is to deal with the simple case now, and see what happens later.

      Whether we need new legislation or not depends on how the court system rules - if they rule that it's the spammer's obligation to get the needed consent, and if the spammer is relying on the corporate exemption, they have to prove that they knew the address was a corporate address, then no change is needed; effectively, the spammer is forced to prove consent. If, on the other hand, the courts rule that companies can rely on the corporate exemption unless they know an address is an individual subscriber's address, new legislation is needed.

    7. Of course, an answer would be to ban all marketing e-mail to any e-mail addresses unless it was a) opted into, and b) the details of the opt-in were contained within the e-mail.

    8. I'm amazed the ICO found this so hard. "Individual" and "subscriber" are defined in regulation 2(1) PECR 2003. As you say, Adrian, it is the nature of the entity contracting with a provider of public electronic communication services that matters.


      Those given rights and subjected to obligations by the law are said to have legal personality. Individuals have legal personality, as do recognised legal fictions such as companies. Unincorporated bodies, such as a club or association, do not have a distinct legal personality: they are a collection of individuals each having legal personality.

      Regulation 2(1) PECR 2003 merely reflects this understanding of legal personality. "Individual" is a living individual or unincorporated body of individuals without distinct legal personality. "Corporate subscriber" is any entity with its own legal personality, including the four examples given.


      Simon Farnsworth's idea that the distinction between individual and corporate was to do with entitlement to give consent is attractive but incorrect. PECR 2003 transposes Directive 2002/58/EC, and the reason behind regulation 22 PECR 2003 (Article 13 of the underlying Directive) is found in the 40th recital to the Directive. The primary intention is to prevent unwarranted intrusion into privacy, including the often disproportionate burden placed on the recipient's resources in dealing with messages that are relatively easy and cheap to send. A corporate body has a lower expectation of privacy than an individual. Corporate bodies and their employees/agents expect to receive unsolicited sales pitches as part of normal operations, making the proportionality of resources less asymmetric for a corporate recipient than an individual.


      The case law database of the Court of Justice of the European Union, the final authority on the interpretation of EU law, contains four records with some reference to Article 13 of Directive 2002/58/EC. None of the three underlying cases are concerned with the interpretation of the Article. This is no surprise: I think the meaning is clear to everyone other than, seemingly, the ICO.

      It is the contract for the relevant public electronic communications service (as defined in ss. 151(1) and 32(2) Communications Act 2003) that is important - in this case, the contract relating to conveyance of the electronic mail over a public electronic communications network. I would interpret this to be the contract relating to the mail hosting for those using hosted e-mail (webmail, POP3, IMAP4, OWA etc.) and the contract with the end-user's ISP for those hosting their own MX.

      I have no idea why the ICO placed so much weight on what the e-mail address looks like, as this is a concept unknown to the relevant legislation. The registrant of the domain with Nominet is equally irrelevant so far as I can tell.

    9. Thanks David, my views exactly. And I am glad they finally saw sense on this.

  3. Indeed, we now clearly understand the law.

    It is impossible to identify the underlying contractual position from whether an address is role-based or belongs to an individual, the registrant of the domain or the use made of the domain. ISP operated domains are particularly risky as they may contain a mix of corporate, staff and customer addresses. Anyone spamming [RevK's address]@aaisp.net.uk has no way of being aware of the underlying contractual position.

    This impossibility of knowing the type of subscriber to a public electronic communications service means anyone sending unsolicited communications risks breaching regulation 22 PECR 2003 unless they have opt-in permission (no existing relationship) or have ensured the addressee has not opted-out (when there is an existing relationship).

    I think it's clear that e-mail addresses belonging to individual members of staff at a university or business fall outside regulation 22 PECR 2003, as the subscriber to the public electronic communications service is a corporate body.


    The one notable piece of UK case law on regulation 22 PECR 2003 is Microsoft Corporation v McDonald (trading as Bizads) [2006] EWHC 3410 (Ch). This concerns the resource utilisation placed on public electronic communication services by spammers - in this case, Hotmail. McDonald was trapped by Microsoft's honeypot addresses (see paragraph 2 of the judgment).

    The 40th recital to Directive 2002/58/EC was held to extend the protection of regulation 22 PECR 2003 to the burden imposed by spammers on the electronic communication networks - see paragraphs 3 to 12 of the judgment. European Union law is applied using the purposive approach - the law is interpreted in such a way as to give effect to the purposes behind its enactment. Ultimately, Microsoft won a restraining injunction and damages against a supplier of address lists which included Hotmail addresses. The judgment is a good read, not least for the sheer joy of the defendant's arguments being comprehensively demolished by Mr Justice Lewison. As a High Court case, it's binding on the County Court (including small claims track proceedings), but of persuasive authority only in the High Court and higher courts.
