Wednesday, 15 April 2015

Day in court

So, suing a spammer today, and to be clear, he did send an unsolicited marketing email to me, an individual subscriber - sadly I lost the case. But as ever, it works out a cheap lesson in how the civil justice system works.

Neil Brown was kind enough to observe and make detailed notes, here. Thank you. It is worth noting that the judge was very happy that this was a public hearing and so there were observers allowed. Indeed, the defendant asked his wife to come in when he realised.

There were a couple of interesting procedural points which are worth noting. For a start, even though the defendant had refused an arbitration call, and even though the judge agreed that is normally considered in costs, the judge award expenses against me!

As for the expenses, it seems it is very worth while bringing all your receipts to the hearing, including, it seems, the cost of recorded delivery postage for the defence and paperwork to the court and other party. I had no idea you could claim such things, but the judge was happy to pay documented expenses, and even 45p a mile for travel. So I'll be doing that in future.

Sadly the point of whether I am an individual subscriber was not addressed, which is a shame. The judge went straight for the idea that I had no evidence of damages and hence that I have no claim. She also said that you cannot claim for distress.

This is a worrying view, as it basically makes regulation 30 pointless in almost all cases.

The good news, of course, is that such cases are not a precedent, and the next judge may well have a different view.

So what to do next...
  1. I need a nice clear summary of the recent cases, which do set a precedent, which make it clear that you can claim for distress in cases like this. Had I got this with me I could have countered the assertion that the judge made. There have been several cases where traditional damages were indeed nominal (and £1 awarded) but distress was substantially more (hundreds of pounds).
  2. I need to look in to how the value of distress is normally calculated, and then show those calculations for the basis of my next claim. This may, of course, mean I end up claiming more.
Of course, once we have this, I can post details on my blog here for anyone else to use (not legal advice, obviously).

Oh, and obviously, I should report this incident of spam to the ICO and request that they exercise their enforcement function. Sadly they will do nothing as usual.

83 comments:

  1. Why were damages the only thing considered? If the spammer broke PECR then they broke it, and should lose the case even if the judge subsequently doesn't award you any money.

    ReplyDelete
    Replies
    1. Because reg 30 say I can bring a case if I suffered damages.

      Delete
    2. Is 'damages' defined in reg 30? My understanding (which is very limited, I'll be the first to admit) is that 'damages' doesn't just mean 'pecuniary loss'. A quick Google and it appears that English law seems to recognise distress as a form of damages too.

      Delete
    3. No, "damage" is not defined. "Distress" is generally not recoverable, although (as another poster below has commented), there is increasing recognition under the broader privacy framework (data protection), that distress should be recoverable more easily, given that distress, rather than damage, is more likely to occur. However, these are relatively recent developments.

      "Distress" is sometimes recoverable, but generally when it occurs in addition to "damage": this is very much the case under the data protection framework, but the wording of PECR did not seem to be to Adrian's advantage here.

      Delete
    4. OK, so if I understand this correctly, the PECR says "you may claim damages", but the courts say "there will never be any damages".
      Oh I love our legal system.

      Delete
    5. Germ of an idea. I've mentioned this before but I'd love some input now on whether this may have legs. If so, I may be tempted to set this up for a hobby, if someone wants to be a guinea-pig :)

      A simple email service with the domain "@individual-subscriber-under-regulation-22-privacy-and-electronic-communications-regulations-2002.co.uk"

      A contract for the mailbox that spells out standing charges: £1 per mailbox per year (to cover costs and have a contract whereby money changes hands for a service) and a penalty to the user which is enshrined in the contract for "receiving spam in contravention of Reg 22 of PECR2002" which fines the person that uses the mailbox a set amount.

      All of the email addresses are published on www.individual-subscriber-under-regulation-22-privacy-and-electronic-communications-regulations-2002.co.uk website - notifying that these addresses are indeed individual subscribers and personal email addresses and are not to be sent any marketing emails without consent etc as the users of it will suffer a penalty.

      The user reports the spam the receive to the service provider (because they are honest) and the service provider sends out an invoice on 180 day terms (to give

      This defines the "loss" to the receiver of spam in very clear terms that can be easily demonstrated in court.

      Now - here is the tricky bit...
      Either we try to make the contract to be worded in such a way that the invoice can be credited should the conditions be "wrong" e.g. the case goes cold, the judge doesn't award damages.
      However this could demonstrate to the judge that it's not really a loss if they read this contract.

      OR

      We set the "damages" low enough to swallow, but high enough to claim in Small Claims (e.g. £35). There is no refund, that we simply make the whole enterprise funding worthwhile charity donations.

      Then presumably it's a fairly simply cut and dry case? We have multiple locations (including the email address itself) clearly defining that the address is an individual subscriber under PECR22 and clearly stated damages (an invoice with is a penalty under a signed contract for the email service).

      In an ideal scenario then, the spammers get sued, damages are demonstrated, cases are won, costs for appearing are reimbursed and charities get the benefit - until we've made enough cases to seriously piss off any UK spammers :)

      Obviously though, it is down to the judge... Is it possible that the judge can say "you shouldn't be using this service. Case dismissed." ?

      Delete
    6. I was thinking similar, but the provider having a "deal with this spam" service, which has a cost, and involves blocking the address, after investigating if one address or a whole domain or some more detailed checking needed; contacting the spammer to advise that it is unlawful and asking them to stop; documenting it all and logging any repeat attempts; maybe even correspondence with the spammer on the matter; and providing an evidence bundle to the subscriber if they wish to take the matter to court. It would be a service and cost money, but necessary to "deal with the unlawful spam"... I wonder if that would work.

      Delete
    7. I had a thought that, in the cases where a spammer offers "I'll donate to a charity of your choice" you could set up a charity who's sole purpose is to provide financial backing for anti-spam small claims cases. Bit of a kick in the teeth for the spammer :)

      Delete
    8. Dan's proposal:

      My personal feeling is that this is (and would be seen by a judge as) a vehicle for causing damage to be suffered, to make it claimable, and that doesn't feel right to me.

      It's one thing, in my view, to tackle those who spam and cause disruption, annoyance and inconvenience, but rather different to contrive an arrangement to give a basis for a claim?

      However, leaving personal feeling aside, I am not sure it would lead to a judge finding in favour of someone who receives spam.


      Adrian's proposal:

      This feels less "bit-of-a-chancer" as a gut reaction, although I wonder whether a judge would turn round and say that, by clicking on the button to order the service, a claimant had failed to mitigate their loss (i.e. the "just click unsubscribe and be done with it" approach). Hmmm...

      In my opinion, it would be better (perhaps overly idealistic) to find a way of persuading a judge that spam is inherently damaging, and thus within the scope of the Regulations, with reference to spam receive in actual, day-to-day, email accounts, rather than resorting to a more contrived setup for "arranging" damages, if I can put it like that.

      Delete
    9. Thank you for responding Neil. I did think it probably had a fatal flaw :)

      I guess it comes down to geeks thinking that the law is like RFC's! (just follow the recipe)
      Not so!

      Delete
  2. You may find a recent Appeal Court judgement (which is precedent ;-)) useful in regard to question of damages for distress. It was a DPA case but again the point is that actual damages are unlikely. Summary here:

    http://www.panopticonblog.com/2015/03/27/google-and-the-dpa-rip-section-132/

    and the full judgement:

    https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf

    ReplyDelete
    Replies
    1. Paragraph 77 on in the judgement appear to be the significant points, and it may be necessary to compare what PECR says with what the original EU directive it is meant to implement says to determine whether the same logic is likely to apply here.

      Delete
  3. Why did you decide to go for distress instead of damages? In all my cases (haven't, yet, had one go to court - although one coming up looks likely), I've gone for straight damages worked on on my hourly billable rate as a contractor - but whilst one came back "it takes seconds to delete an email", I did reply using the "time to get back on task"/"time to check records to see if I had previously had business dealings with you"/"finding your details" etc - and I was able to justify 3/4 hour that way.

    I've also make it clear, when it looks like it may be going to court, that I reserve the right to take action under the Data Protection Act and Business Names Act (if they've failed to include full, proper, business name, registered number and registered office in the email).

    ReplyDelete
    Replies
    1. I tried all three - the nominal actual costs for electricity, the delay to my work (and the time to get back to work) which was dismissed, and the distress. No joy.

      Delete
    2. Electricity, bandwidth, storage and processing are all pretty negligible costs so I am not too surprised that they aren't considered. However, were any reasons given for dismissing delayed work? This does seem like something that should be quantifiable, albeit with some assumptions that you'd probably have to back up.

      A recent case of mine didn't go to court, but I did prepare a written statement to try and distill my thoughts down so I had some arguments I could refer to. Here is an excerpt WRT justifying my damages: "The financial damages are difficult to determine and I welcome the court's guidance on this matter. I am a self employed software developer by trade and therefore require a high level of concentration. If an email arrives this breaks my concentration. A well known software developer with numerous publications to his name, Joel Spolsky, once estimated that it takes a developer 15 to 30 minutes to regain their productivity after each interruption. By this estimate, three unsolicited emails may have directly cost 90 minutes of my productive time. I also suffer a period of annoyance after receiving such emails, which I believe further extends the loss of productivity. Additionally, the break in concentration increases the risk of introducing bugs into my software, which would cause an incalculable ongoing cost. There are costs associated with storing and transmitting each message, and in maintaining anti-spam filters discard exactly this type of unsolicited email. No anti-spam filters are not 100% reliable (as can be shown by these emails having not been discarded), and there is a cost associated with legitimate emails being inadvertently discarded by such filters. Given these criteria, I have made an estimate of around £200. I have also looked into other similar cases that have gone to court, and find damages in the range of £300 (Nigel Roberts v Media Logistics UK) and £810 (Steve Higgins v Jean Patrique) are common, which suggests that this estimate may even be erring on the low side."

      I never got to try this argument in court, so I don't know how well it works, and there is quite a bit of hand waving and fuzzyness, but at least I can cite sources for some of the estimates there. It would seem unreasonable to expect someone to do a time consuming bulletproof analysis rather than a ballpark estimate for only £200 wouldn't it?

      To my mind, it seems bonkers that the judge found against you and awarded costs to the defendant - if the defendant acted lawfully (which the court declined to decide) then fair enough to award in their favor, but where they have acted unlawfully it doesn't seem right that the plaintiff gets lumbered with the costs, irrespective of the damages. My personal opinion is that, irrespective of the validity of the damages, the court should either decline to decide whether the law was broken and award costs to no one, or make a decision about whether the defendant acted unlawfully and award costs based on that.

      Delete
    3. Presumably taking action under the DPA and business names act would require you to also demonstrate damages, so suffer the same problem?

      Delete
    4. That does seem rather odd for it to be dismissed out of hand. Did you ask for permission to appeal? Or not worth it?

      Delete
    5. She made it clear that appeal would be very unlike,y, and I decided I'd just learn lessons from it.

      Delete
    6. > Did you ask for permission to appeal?

      The appeal would be to the High Court, and the lessened likelihood of not awarding the winning party their legal costs does not apply so, even if permission to appeal was likely to be granted, one might be wise to exercise restraint in doing so!

      Delete
    7. > were any reasons given for dismissing delayed work?

      It was not discussed at any length, and the timbre of the judge's comments were that there was no reason for work to be delayed: there is no requirement to check an email just because it has been received and that, even if one does check, the disturbance is limited to a couple of seconds to click "get lost". There was no discussion of the broader point about disruption to concentration, and I suspect that, had it been raised, it would probably have not got far in the absence of being able to show something very tangible (e.g. it disrupted my attention sufficiently that I managed to mess up the code I was writing, and I had to go back to it which took me another [x] minutes of time for which I could not charge, or the like).

      Delete
    8. This seems an odd position to take - I leave my email client open because I do receive legitimate urgent emails; but until I've read the email I don't know if it is spam or not (so the spam is guaranteed to interrupt me). Much as I leave my phone turned on so that legitimate calls can interrupt my work. I am happy to accept the lost productivity that results from legitimate interruptions, but not that which results from spam.

      But whether or not there is a legitimate reason for leaving the email client open, Is the court saying that it is the responsibility of law abiding people to adjust their practices to minimise the damage caused by law breakers?

      Delete
    9. I agree, and do the same.

      Delete
    10. I wonder what the judge's attitude would have been had somebody in the public gallery shouted "BEEP" at irregular intervals. I rather suspect that it would not have been "Oh, that's OK, it's not interrupting or affecting my work here."

      Delete
    11. Although it might be "When I found it a nuisance, I simply told him to leave — the offline equivalent of clicking 'unsubscribe', which takes the same trivial degree of time and effort."

      Delete
    12. Interesting news.. I can break the law, but as long as there are "no damages" (that can be proved) - I'm OK!

      grrr... This just brings me closer to creating a specialist email service that has contractual penalties for the subscriber receiving spam :)

      Delete
    13. The problem with not appealing any of these judgements is that there never gets to be any persuasive law on the matter. Until something ends up at appeal then there's nothing for the judges to refer to apart from the various CC cases dotted round which they may not feel to be relevant.
      Annoying really, that the cost of an appeal cannot be done on the same basis as the small claims track, and that there can't be at least the option of a fixed cost appeal where it goes to another judge to review based on the recording of the hearing. C'est la vie.

      Delete
    14. > where it goes to another judge to review based on the recording of the hearing.

      Probably a silly point, but the system doesn't allow someone to appeal simply because they do not like the result of a case — there has to be a valid grounds for appeal (CPR 52.11(3): http://www.justice.gov.uk/courts/procedure-rules/civil/rules/part52#52.11)

      This could be that the judge erred as a matter of law, or exercised discretion incorrectly, or that the outcome was unjust by virtue of a serious irregularity in procedure.

      (And, of course, an appeal could support the original ruling, and set a precedent that damages for spam are incredibly difficult to recover, for example.)

      Delete
  4. Just how much had you made the claim for Adrian?
    Shame you lost, even though you should still have "won" but had no damages paid.

    ReplyDelete
    Replies
    1. I was claiming £200, but had no way to "justify" it. And yes, if damages are nominal, award £1, but the spammer spammed, and I have a *right* to take that to court, IMHO.

      Delete
  5. Hrm, well I've always figured on the damages being Receipt at Server, Storage at Server, Transmission to Client, Receipt at Client, Storage at Client + Time spent dealing with the eMail, which normally takes around 20-30mins to figure out who sent it, find addresses etc, send NBA, and then 20-30mins to get back into whatever coding I was doing before hand. I've been claiming £100 per eMail, which sounds about right based upon my hourly rate, if not somewhat discounted!

    ReplyDelete
    Replies
    1. I'd be curious whether the "figuring out who sent it so I can send an NBA" time could be considered part of the damages - I had assumed that this would be considered preparation for the court case rather than damage caused by the actual spam, and therefore couldn't be included.

      I still think that storage and transmission costs, whilst still worth mentioning in passing, are so small as to be impossible to justify as damages. I argue from the perspective of lost productivity and a potential for introducing bugs in the code I'm working on, which have a significant cost (although not necessarily trivially quantifiable).

      Delete
    2. > Receipt at Server, Storage at Server, Transmission to Client, Receipt at Client, Storage at Client

      Can you put a figure on that? I suspect — not in the words of the court, I hasten to add — that this would amount to the square root of sod all?

      Delete
    3. I think the damages have to be held as part of the whole - you can demonstrate that there has been a loss, both in what the spam has cost you to receive and store, but in the time lost figuring out who sent it. I would argue it is not part of preparing for the court case.
      I have yet to look at the other aspect, and that is a per email spam charge that I have in the terms & conditions which are agreed to by every person who sends email to my servers, but that would be a B2B case, not B2C.

      Delete
    4. > I have yet to look at the other aspect, and that is a per email spam charge that I have in the terms & conditions which are agreed to by every person who sends email to my servers, but that would be a B2B case, not B2C

      I'm not in the business of dispensing legal advice online, but I have a feeling that, if I did, in a situation such as this, it would probably read "Nice try, but..." ;)

      Delete
    5. I figure it's got to be worth a try - contract, acceptance etc... Just because they don't read the terms doesn't mean they're not bound by them after all.

      Delete
    6. Well this is an interesting point. I'm preparing my next case which is slightly more complex:

      I've been receiving spam from De Vere Venues Group Limited for years - my logs only go back to the start of 2011, but I've got 195 spams from them in those logs. I've asked them to stop several times and had no response. Unfortunately the older requests for them to stop have been lost to time, but I do have copies of the emails I sent them in January and July last year. In addition to asking them to stop and making a subject access request, they said "A charge of £25 per email will be made for any further unsolicited emails received and your sending of any such emails will be deemed as acceptance of these terms." Eventually I complained to the ICO, who wrote to De Vere in October telling them to stop spamming me immediately (max 28 days to action) and to respond to the SAR. They eventually responded to the SAR 2 months later and confirmed I had been unsubscribed. Interestingly the SAR basically said "we didn't track where your details came from".

      Over a month after the ICO had told them to stop, I got a mail from a separate company that appears to be part of the De Vere group, saying that "as a valued De Vere customer" they were introducing me to their sister brand. I've been getting regular spams from this company and like De Vere, they haven't responded to SARs or notices before action.

      So obviously I'm raising a case against the sister company, since they're the ones still spamming me. A few questions that I'm wondering about though are:
      - Are the £25/email terms that I sent De Vere enforcable against the mails I got from De Vere after I sent them the terms?
      - Are those terms enforcable against their sister company too? (I'm guessing not, since it's a separate company who was never sent those terms).
      - Can I address it all in a single claim against one of the companies (again, I'm guessing not since they are separate companies).

      Looks like De Vere's data handling practices are either just bad (they sold off details they had been instructed to suppress), or this was a deliberate "screw you" to the ICO.

      Delete
    7. > Are those terms enforcable

      Only if "by responding to my post here, you agree to pay Neil £5" is enforceable.

      Of course, only a court can really determine whether something is enforceable or not, but my gut feeling would be that a court would be unlikely to find that there was a valid contract in either of the cases above.

      Delete
    8. You may be better off working with the DPA legislation to sue with on this one, I'm told it has better wording and allows for distress.

      Delete
    9. > allows for distress

      Only where there is also damage.

      In some cases, a court may be persuaded to find nominal damage, to allow a distress claim to go forward (Halliday, for example), and there appears to be increasing recognition of distress as a valid claim for data protection breaches on its own (Vidal-Hall), but nothing bang on the point for spam.

      Whilst the Halliday case could be used as a basis for pushing a PECR-based claim, personally, I am sure that a judge will have the same kind of motivation to find nominal damages as they did in that case, where the order of inconvenience suffered by the claimant over a prolonged period was arguably quite a lot higher, and probably attracted the judge's sympathy.

      Delete
    10. > Only if "by responding to my post here, you agree to pay Neil £5" is enforceable.

      That's a little bit different - it isn't your blog, so you are certainly not in a position to dictate terms for using it. Whereas it is my email address so maybe I can dictate terms. Compare to T&Cs hidden away on websites (Facebook, et al) which I believe have been found to be enforceable even though no bugger actually reads them.

      There was this one: http://www.saynotocoldcalls.com/
      Its not clear whether any of those cases are going to court or being settled out of court, but it's obviously not completely clear cut...

      [DPA]
      I've not looked at the enforcement action the public can take WRT the DPA, although the ICO previously have advised me that I could take court action since they weren't interested in enforcing the law - in that case it was a company who were not responding to subject access requests, even after the ICO wrote to them, so probably pretty hard to demonstrate any kind of financial damage there (but the ICO are of course not offering legal advice). However, it does seem odd if it requires monetary damages - there should be scope for stopping people distributing your details *before* you incur financial damage (through e.g. identity theft).

      Delete
    11. > it isn't your blog, so you are certainly not in a position to dictate terms for using it

      I I were in a position to control access, access in breach of my authority sounds more like a claim in trespass, for which, as a tort, you'd need to prove damage to recover anything (even if the tort is made out even without damage) — my feeling is that you would struggle to prove to a court that there was a contract in your mail server situation.

      See here:

      http://neilzone.co.uk/online_contracts.html

      Delete
    12. Ah, but still not the same thing: you haven't forewarned anyone that going to that link will incur a charge - in effect you are trying to form a contract for an action that has already happened. In my case, I'm only suggesting charging them for emails received after they have been told that further emails will be chargeable.

      Delete
    13. Yep, point taken. I had misunderstood and thought that it was an automated thing from your SMTP server when their server tries to connect to deliver the message, rather than a reply to an email.

      Could you prove that it had been opened, in the event of a defence of "we never saw that email, so cannot be bound"? (e.g. via a tracking pixel?)

      Delete
    14. I can't prove that it has been opened, but I can prove the recipient's SMTP server accepted it, and the notices are usually sent to multiple contact addresses that the spammer publishes. (Anyway, does anyone really still use an email client that displays remote images by default?!)

      We don't have to prove that paper mail has been opened, so I'm not sure why it would be required for email - at best we have recorded delivery, which only shows that it was delivered to *someone* - might've been the cleaning lady, the next door neighbour, or in my case even the postman (who keeps damned well signing for my recorded stuff so he doesn't have to wait for me to answer the door!) The police don't even use recorded delivery to send a notice of intent to prosecute for traffic offenses - they claim that proof of posting is good enough.

      Going back to T&Cs on websites, do Facebook have to prove you actually looked at the T&Cs before they can take action against you for breaking them, or do they just have to make sure the T&Cs are available? As another perspective, my bank doesn't stand over me and make sure I've read the T&Cs associated with my account, they send them through the post and if I don't read them that's my own fault.

      Delete
    15. > do Facebook have to prove you actually looked at the T&Cs before they can take action against you for breaking them, or do they just have to make sure the T&Cs are available?

      I suspect that they have a record of the moment at which, and the IP address from which, you clicked "accept"?

      (I can't talk for Facebook specifically, as I have not used it for so long.)

      I suppose my only point is simply that the claimant has to prove his/her case on the balance of probabilities. If the defendant simply says "never received an email, so never say what the claimant purports is an offer, so I can't possibly have accepted it", it might be beneficial to have a considered response, that's all!

      Delete
    16. These days, web services tend to just have a "T&Cs" link somewhere - you don't have to explicitly accept it, you are deemed to have implicitly accepted it by using the website, whether or not you actually read the terms (and if the T&Cs change and you didn't notice, too bad you're still bound by them unless you stopped using the website after they changed). ISTR that the US courts have ruled that this is an acceptable way to do things. I'm not sure whether any UK or EU courts have ruled on the matter, but the major web services are certainly doing the same here too.

      Frankly, I think this is completely bonkers, but there we go. :)

      EULAs are similar - you get a licence with some software, there's no way for the vendor to prove that you accepted the licence (you never hand them a signed contract). Even if it's a thing that has to be accepted before you use the software, how do they know _who_ accepted it - it could've been the bloke from the local computer shop, one of your kids (who would legally be too young to be held to a contract anyway), etc.

      I guess my answer to the "never received it" defense would be that it was sent to an contact address that they publish, it was provably delivered to their email server, their email server didn't notify me of any problems and it's basically their fault if they don't bother to read mail sent to their published addresses. Whether that would stand up in court, I dunno.

      If the police post you a NIP for a traffic offense, I doubt the court would accept "I never saw it" even though the police can only prove that they dropped it into the post, not even that it got to your address. I can prove that it was delivered to their mail server, which seems better than only proving that a letter was delivered to the post office. It seems the level of proof I can provide is about on par with recorded delivery - I can show it went somewhere vaguely sensible, but I can't prove it eventually went to the right person or if it did whether the right person bothered to read it.

      It would be interesting to look into the level of proof of delivery that courts require for documents that are being delivered by post, email, fax, etc. I do recall having to use a process server for a statutory demand, which doesn't seem like a common requirement for other paperwork.

      Delete
    17. > EULAs are similar

      If they want to rely on breach of contract; yes. If they are happy with a claim of copyright infringement, then there is no need for them to prove acceptance: either you complied with the terms, and so have a licence, or you do not, and have no licence, and so infringe (unless you have a statutory right of use).

      There is the notion of "acceptance by conduct", but it is less certain than being able to point to something more compelling.

      In the case of a web service, it's possible that they might look to bring a claim based on trespass rather than on contract, but perhaps little online legalese is enforceable generally?

      > It would be interesting to look into the level of proof of delivery that courts require for documents

      In terms of formal service, it's CPR Part 6: https://www.justice.gov.uk/courts/procedure-rules/civil/rules/part06

      Delete
    18. Yeh, but "usage of a computer program" as installed already on a computer by someone else - is that doing anything that Copyright law actually prohibits? After all, if the incidental copying for viewing a web page is outside scope, it is hard to see how hard-disk to RAM incidental to normal legitimate use of the computer and the s/w would be in scope.

      Delete
    19. There is no statutory exception for running a computer program, from memory, so it would fall within the restricted act of copying. There's probably an argument around implied licence, but this would, inevitably, have a very limited scope, and I suspect that licensor would make a big play of saying how there was a licence included with the software, so the rules around implied licensing do not come into play.

      > if the incidental copying for viewing a web page is outside scope, it is hard to see how hard-disk to RAM incidental to normal legitimate use of the computer and the s/w would be in scope

      In the UK, the exception which was relied on in the web-page viewing case (Meltwater), is s28A of the CDPA 1988: making of temporary copies. And, expressly, this limitation does not apply to computer programs:
      http://www.legislation.gov.uk/ukpga/1988/48/section/28A

      Delete
    20. Even so, the distinction of hard disk and memory and copying to/from is getting very blurred in computer logic these days. I am not sure it would count as copying, surely. But I doubt there has been a test case.

      Delete
    21. I've seen it argued that the act of copying software into RAM in order to run it would be a copyright infringement unless you had a licence to do so. But this sounds like a pretty thin argument to me.

      I've got an extremely vague recollection that some court has ruled that copying that is required to run software (such as copying from disk into memory) didn't invoke copyright, which would rather blow that out of the water, but I can't provide any citations for that.

      My personal opinion is that an EULA should be unenforceable since you can't prove who agreed to it (if anyone) and it isn't actually legally required to run the software (it only takes rights away that you would otherwise have). Conversely, a distribution licence such as the GPL is legally enforcable because the only reason you would have the right to distribute is through that licence, so the distributor mush have either implicitly accepted it or infringed copyright (i.e. it grants rights that you wouldn't otherwise have). Of course, judges may disagree with me. :)

      Delete
    22. > I am not sure it would count as copying, surely.

      The fact that you described it as "copying to/from" suggests that it probably is still copying in the every day sense of the term, and so probably does still fall within "copying" for the purposes of copyright law?

      Delete
    23. > EULA ... GPL

      I think it comes down to whether you are trying to use the document as a copyright licence (no permission unless licensed;c copyright infringement if not) or as a contract. The latter requires far more in terms of formality.

      However, I'm not sure I see the difference between "a EULA" and "the GPL" here: both grant rights to do restricted acts (e.g. the right to copy software, inherent in the act of running it). Whether the requirement under the GPL to make available source of a Work based on the Program when the WboP is distributed/conveyed is a condition of the grant of licence, or a term of a contract, is an oft-mooted point.

      Delete
    24. If we assume for a minute that using software doesn't invoke copyright:

      The GPL specifically talks about distribution - it places no restrictions on the use of some software, only the distribution of it. That is, if you are using some GPLed software on your computer, you can use it in any way you like, just as if the GPL didn't exist (you're only running the software, which we're assuming doesn't require a copyright waiver). If you give the software to someone else you have to comply with the GPL (which includes the whole making source available thing, etc.) The distribution side here is pretty clear cut - distributing copyrighted works requires some kind of licence, the author has licenced it under GPL so implicitly you had to either accept that licence or infringe copyright, QED.

      An EULA is a usage licence - it places restrictions on what you can do with software even though are aren't distributing it. For example, there is nothing in law that says you aren't allowed to reverse engineer some software, but many EULAs have a "no reverse engineering" clause. Given our assumption at the top, there is no absolute requirement for you to agree to the licence because the licence doesn't grant you any rights that you didn't already have. Therefore you can't make the implicit "so this person must have agreed" reasoning.

      Now looking at our assumption at the top, I feel that deciding that running software requires a copyright waiver would open up a whole host of problems. For example, my wife can install some software and the installer requires her to click through the EULA in order to install it. Lets assume she clicks "I agree" and the software is then installed. I now use her computer, I fire up the installed software, it does not present me with any licence agreement (in fact, there's probably no way for me to actually see what the licence agreement was even if I wanted to look). So does this mean that I am infringing copyright since I never agreed to the licence?

      Another thing to look at is traditional digital media (CDs, DVDs). They do not come with an EULA. When I put a CD in a modern CD player, it will buffer the data stream into RAM as it plays - am I infringing copyright by playing a CD? No? Why is running a software different? How about DVDs, which actually have software on them that the player runs (to an extent)?

      Delete
    25. I see what you are getting at in terms of the GPL / EULA distinction. I can promise that I am not trying to being obtuse (that can happen perfectly well enough without me trying...) :) I tend to get a bit nervous when people try to distinguish between a licence they might like (GPL) and a licence that they might not like (a EULA) by arguing that different rules apply, as my sense is that this just makes everything harder for everyone!

      > distributing copyrighted works requires some kind of licence

      It depends on what is meant by "distribution" here: "distribution" is not an act restricted by copyright. Me giving you a CD which I bought from a retail shop in Europe does not require a licence, for example, whereas me burning a copy of a copyright work to CD and giving you that CD would.

      > For example, there is nothing in law that says you aren't allowed to reverse engineer some software

      Hmmm... My feeling is that reverse engineering does entail the performance of restricted acts, else s50BA would not be necessary. The "right to reverse engineer" in the UK is more a "right to observe, study and test", and it is limited to the situation in which the user does this while performing an act which s/he is entitled to do. But a user with no licence to run the software in the first place cannot avail themselves of the right to observe etc., since the right is tied to a lawful use.

      (A term trying to curtail this right would, in the UK, be void: s296A)

      > there is no absolute requirement for you to agree to the licence

      Perhaps a nitpicky legal point, but there is never a need to agree to a licence: a licence is just a permission to do something which is otherwise prohibited, and is simply "there". It might be absolute, or it might be conditional, but its power comes not from consensual agreement but rather from permitting you to do something which would otherwise be prohibited.

      > because the licence doesn't grant you any rights that you didn't already have. Therefore you can't make the implicit "so this person must have agreed" reasoning.

      Agreed, but only because of the assumption cover your post, which is that running software is not an act restricted by copyright. I'm siding with "oh yes it is" for the moment :)

      > So does this mean that I am infringing copyright since I never agreed to the licence?

      No, as a licence does not require agreement. And, as long as you are doing what was contemplated by the licensor, you are probably fine.

      > When I put a CD in a modern CD player, it will buffer the data stream into RAM as it plays - am I infringing copyright by playing a CD? Why is running a software different?

      My understanding is that playing a CD is not treated as copying, but that running software is. It might suck. It might not be the desirable answer, but my understanding is that that is the legal position in the UK. (I want to point at s28A as the difference between music/ sound recording and a computer program in terms of treatment of temporary copies, since computer programs are clearly excluded, but memory tells me that there is something else at play here, but I can't recall quite what.)

      Delete
    26. CDPA 5(4) covers distribution.

      Delete
    27. http://www.legislation.gov.uk/ukpga/1956/74/section/5/enacted#text%3Ddistribution

      Delete
    28. Fortunately, the 1956 Act to which you link was abolished in 1988!

      Delete
    29. Ha! That was my rather hasty search. I was, however, sure, distribution was covered, but maybe it is not now.

      Delete
    30. And, in case there was any doubt, I'm being a berk. Having finally reached for a textbook, s50C: an express right to "copy" software as necesssary for lawful use, which Ian Lloyd comments as meaning that "a basic use right will now be implied [but] difficulties may arise."

      Delete
    31. > I was, however, sure, distribution was covered

      That largely depends on what is meant by "distribution". There is no prohibition on "distribution" in itself, but there are related, potentially relevant, restrictions depending on exactly what one is doing.

      Delete
  6. Given that the ICO has issued a number of Civil Monetary Penalties under PECR in recent years (and lobbied to get the CMP threshold dropped), the claim that the ICO will 'do nothing, as usual' is nonsense. They are a remarkably hesitant and timid regulator, but PECR is the one area where this is often not the case.

    ReplyDelete
    Replies
    1. I have sent the ICO 4000 separate detailed complaints of a clear breach of the PECR over the last nine months, each requesting they exercise their enforcement action. They have not acted and the calls continue to arrive. So I beg to differ.

      Delete
    2. It seems to me that this is one of the situations in which you are both right. The ICO has certainly taken some action around SMS spam, and, with the revised regime, should be in a position (legally, at least) to do more.

      However, is it likely that the ICO would exercise its enforcement function here? Probably not.

      Delete
    3. In this case, probably not, but for 4000 calls, I would hope so. Even so, the people providing mailing lists as "corporate contacts" or "opted in" need some action taken against them too, somehow.

      Delete
  7. As I read it if you cannot quantify damages then the case will be dismissed. This is borne out by other dismissed cases linked to this blog. Damages claimed for deleting an email cannot be calculated in any meaningful way and not to any value that would make going to court viable. I think this has been proven by Revk’s Day in Court.

    ReplyDelete
  8. Is this a reasonable approach for damages? (Neil?)

    I get very little spam from proper companies. If I receive a spam email, that means the sender has my email address and possibly other personal data.

    The ICO advise against replying or clicking links in spam if there are any doubts about the sender because this can confirm the email address is live.
    https://ico.org.uk/for-the-public/online/spam-emails/

    If I simply delete the spam without taking action then there is a strong likelihood that more will come from the same route and that the sender may sell my personal details. They have, after all, acquired and/or are using my personal details without my consent. If they send more spam and/or sell my details then the resulting increase in spam will amplify the costs in dealing with it.

    If it's likely that the sender has acquired my details from another party then offences may have taken place per Data Protection Act. I need to identify that other party in order to put a stop to their unlawful trade in my personal details.

    Therefore the most appropriate, and cheapest, course of action is for me to identify the sender then contact them to ask them (a) to demonstrate why they believe they have my informed consent, (b) for a copy of the data they hold about me (DPA Subject Access Request) and (c) what third party (if any) supplied the data to them.

    It is all information which the company must possess in order to fulfil their DPA and PECR responsibilities and the ICO's expect that companies must be able to provide it.

    Therefore the sender should send the necessary information and I can act upon it to opt-out and/or correct my details as necessary.

    The more I have to communicate with the sender, the greater the costs.

    The "damages" are my costs, including time, from inspecting the email through to managing to opt-out and/or correct my details.






    ReplyDelete
    Replies
    1. > Is this a reasonable approach for damages? (Neil?)

      It sounds reasonable (and non-contrived) to me, but I wouldn't be the judge in any case you ended up bringing!

      Delete
    2. I wonder also, if you sent them a DPA request, which they charged you for, if you could include that DPA request in the damages which you then sue them for? Does that seem reasonable Neil? (Really appreciate your views on this thread - as much as you shoot us down in flames, your answers really are useful!)

      Delete
    3. That doesn't sound unreasonable :) (Incoming regulation is due to remove the right for a data controller to charge for exercising the right of access, so it might be a short-lived approach.)

      > as much as you shoot us down in flames

      Hopefully I don't come across as too much of an a**e — and, of course, I may be wrong on any number of points!

      Delete
    4. Oh thats interesting (SAR charges disappearing). It's always been a point of annoyance for me that someone can be abusing *my* data for free, and yet I have to pay them to find out what data they (possibly unlawfully) hold and what they're doing with it. Do you have a link you can cite for the upcoming changes?

      I did have someone argue that they should be required to pay me no more than £10 for spam since that's the limit placed on them for what they can charge for SARs.. I didn't quite see the relevance of that point. :)

      Delete
    5. > Do you have a link you can cite for the upcoming changes?

      It's a horrible document to link to, I'm afraid, but take a look at the Parliament's proposed Art. 10a here:

      http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//EN

      (I note that it does now say "generally", which was not the case in the original draft: Article 11(4) of: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52012PC0011)

      See also the ICO's "implications" document, at the bottom of page 15, but, again, this will have been working on an older iteration of the draft:

      https://ico.org.uk/media/about-the-ico/documents/1042341/implications-european-commissions-proposal-general-data-protection-regulation-for-business.pdf

      Delete
    6. I notice it talks about a "competent data protection authority" - do we have one of those? :)

      Delete
    7. If you asked Adrian, I suspect that when he finishes laughing, he'd say No ;)

      Delete
  9. Neil, thanks for your thoughts. It seems to me (IANAL) that I should spend some time establishing the facts before issuing a NBA. The damages will be the anticipated costs of returning my data to the position in which the law says it should be.

    Alex, I included this text on a DPA SAR this week. No reply yet:

    "You are entitled to charge a fee of up to £10 for processing this Subject Access Request. This request has arisen owing to a breach of s22 Privacy and Electronic Regulations 2003 where a marketing email was sent to that email address without my informed consent. s30 PECR entitles me to claim damage. Therefore, in the circumstances, I suggest that you should process this SAR without charging a fee."

    RevK, thanks for publishing your NBA which several of your readers have re-used, including myself. My first was send in January and completed out-of-court for £100 damages yesterday. Several more will be going out next week.

    ReplyDelete
  10. That makes for an interesting tactic Sue - I like that.

    It also occurs to me that I should do a DPA for one of the more troublesome data sources, who are holding inaccurate information and keep parroting this data back to other spammers who have used it. I can then get them to delete it and potentially sue them for DPA breaches if they continue to hand it out.

    ReplyDelete
  11. As a way to make money I can see that that following RevK’s guidance may work but just making up damages will not fool any judge?

    Neil Brown reported

    Had the claimant “suffered damage”?
    The judge read aloud the first words of Regulation 30 — “A person who suffers damage…” and stated that she could not see that the claimant had suffered any damage, and that the claimant had not put forward any case on this point.

    The fact that the email is or is not sent to an individual subscriber is irrelevant, the question will always remain where there damages or not. Sue Denim may have completed out-of-court for £100 damages but I would suspect there is no way that anyone can justify or calculate damages of £100 for deleting an email in front of a Judge. So the threat of taking a spammer to court seems to be off the table, but the bluff seems to still work.

    The courts are ruling against the latest claims which backs up this point?

    ReplyDelete
    Replies
    1. > I would suspect there is no way that anyone can justify or calculate damages of £100 for deleting an email in front of a Judge

      Why not? My justification is that it is estimated that a coder loses 15-30 minutes of productivity each time they are interrupted, and I can cite a software developer who is also a well known published author to back up this claim. That automatically gets me an estimate of 0.5*hourly_rate*number_of_emails.

      Beyond that, there is the cost of mistakes that are introduced into my work due to the distraction: this is harder to quantify.

      There is also the cost of losing important emails due to having to run spam filters - this argument is probably much thinner since the damages resulting from having to running spam filters would presumably be spread across all spammers, not just the one you're fighting.

      I think it's important to understand that the small claims process is intended for recovering losses, not to impose punitive fines on law breakers or to make a profit. I see the damages that I've listed above as legitimate losses and whilst a judge may estimate them differently to me, I would be interested to know the reasons why a judge would not consider them at all.

      > The courts are ruling against the latest claims which backs up this point?

      My reading of RevK's case was that he didn't really try to back up his claim of damages - it seems to me that the court ruled against him because he presented no evidence of damages, not because there were actually none. It is likely that people will learn from these cases and gain an understanding of how to present legitimate losses in a way the judge can understand and therefore uphold.

      Delete
  12. Pretty much the same outcome as mine then. "No quantifiable damages" :-(

    ReplyDelete
  13. Not a good result but in the Small Claims Courts results can be mixed.

    The notes that Neil made refer to a "list of cases which found in favour of a
    claimant under Regulation 30 for a breach of Regulation 22", are you prepared to make this list available? It may help others though I'm aware it didn't help you in this case.

    ReplyDelete
  14. FYI, clicking an unsubscribe button in most cases covertly places files on your PC. These themselves seem to be an invasion of your privacy under the Human Rights Act. Vidal Hall vs Google found that browser generated files of this type were private/personal data.

    Maybe the HRA/privacy law and the DPA provide more useful ways to make a claim and be paid.

    Re PECRs, clearly the law is an ass. Or else the law was cynically written by our rulers so that it would not interrupt spammers going about their business.

    Does anyone know if punitive damages can be claimed in a county court or only in a higher court? Spam is an example of conduct that clearly calls for punitive damages.

    ReplyDelete
  15. Looks like this ploy to get money has well and truly dried up. Good scam while it lasted but I suspect e-mailers have wised up to the fact that there are no quantifiable damages

    ReplyDelete