Tuesday, 15 April 2025

Zigbeeifying Xiaomi LYWSD03MMC temperature sensors

I asked for recommendations for good Zigbee temperature sensors, and lots of people recommended the Xiaomi LYWSD03MMC (which is Bluetooth rather than Zigbee, but can be flashed with custom Zigbee firmware).  I ordered a couple from AliExpress (https://www.aliexpress.com/item/4001209595851.html), which appear to have been dispatched from a UK warehouse and arrived very quickly.

I had some problems installing the new firmware, so this post is documenting the process.

These sensors came with a fairly recent stock firmware, which unfortunately complicates the over-the-air update: the newer firmware will only accept an OTA once the flasher has authenticated with the device's Mi token and bind key, so the sensors must first be paired with the Xiaomi app and those keys extracted from the Xiaomi cloud account.

  1. Install the Xiaomi Android app, create an account and pair the sensors over Bluetooth.
  2. Download the Xiaomi token extractor Python script (https://github.com/PiotrMachowski/Xiaomi-cloud-tokens-extractor) and execute it.  This will output some info for each device.  I had a lot of trouble with this because it kept telling me I needed to do 2-factor authentication, but that never worked.  Eventually after a lot of Googling, I tried setting a name for my home and a nickname for my user, and the 2-factor auth problems went away.  I'm not sure specifically what fixed the problem.  Beware: I came across a blog post suggesting that you can extract the "ssecurity" and "serviceToken" values from your HTTPS traffic and bodge them into the Python script - doing this appeared to make the login succeed, but the app would always tell me "No homes found for server" for each of the servers that it tried.  In the end I didn't need to bodge those values into the Python script.
  3. Go to https://pvvx.github.io/ATC_MiThermometer/TelinkMiFlasher.html - I did this in Chrome from my phone because my workstation has a very old Bluetooth adaptor which didn't want to talk to the temperature sensors.
  4. Click "Connect".
  5. Wait while it finds devices to pair with, select the appropriate temperature sensor and click "Pair".
  6. Once connected, copy and paste some of the values from the token extractor:
    ID -> Device known id
    TOKEN -> Mi Token
    BLE KEY -> Mi Bind Key
    (I found running KDE Connect very useful since it allowed me to copy into the clipboard on my workstation and then paste them on my phone).
  7. Click "Login" and the status bar on the page should show "Login successful".
  8. Press the "Original_OTA_Xiaomi...." button.  Flashing the original firmware first is the recommended thing to do before any custom firmware, so that you are starting from a known firmware version.
  9. Press "Start flashing" and wait.  The status bar will show the status of the update - it will take a couple of minutes.
  10. Once flashing is complete, press "Reconnect" and wait until it has reconnected.
  11. Copy and paste the same values from the token extractor again.
  12. Click "Login" again.
  13. This time, select "Custom Firmware: ATC_...".
  14. Press "Start flashing" and wait again.
  15. Once flashing is complete, press "Reconnect" and wait until it has reconnected.
  16. This time, we don't need the info from the token extractor.  Select the Zigbee firmware and click "Start flashing".  The device will show dashed lines on the screen while you wait for the update to complete.
  17. When complete, the device will briefly display "oo o" and then go back to showing temperature and humidity as normal.
  18. Put the Zigbee bridge (in my case, Zigbee2MQTT) into pairing mode and wait for it to pair.  I needed to bring the temperature sensor close to the coordinator - it wouldn't pair to the nearest smart plug for whatever reason.
I'm now going to spend a few days evaluating these sensors, and if they work well I'll get a bunch of them.

Friday, 11 April 2025

Moving home with pets

We've recently moved house, and have needed to do an outrageous number of address updates with banks, insurers, etc.

Pets like cats and dogs should be microchipped, so if they get lost someone can hopefully scan them, look up the pet on a database and contact the owner.  There are a number of database operators, and Echo (our cat) is registered with Identibase.  As far as I understand, these database operators get paid a fee at registration time which covers the cost of running the database for the life of the pet.  Identibase also offers a few subscription services for an annual fee, which I'm not really interested in.

What came as a surprise to me is that Identibase don't allow you to update any of your personal details, such as your address, unless you have subscribed to one of their additional services (for a fee).  This seems a bit outrageous - the whole point of these national databases is to accurately identify a pet's owner, and they are actively putting blocks in the way of keeping their database up to date.  Some Googling shows that other providers are also charging for address updates.

In the grand scheme of things, a few quid at a time when you're spending thousands to move house isn't a lot, but also: it's a few extra quid that you'd prefer not to spend, at a time when you've already spent thousands!

Luckily, this is where knowing your rights pays off: your address is your "personal data", and is therefore covered by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  Article 16 of the UK GDPR provides data subjects (i.e. you) with a "right to rectification": if some of your personal data is inaccurate or out of date, you can tell the data controller (in this case, Identicare Limited) and, by law, they have to correct it.  What's more, Article 12(5) says they have to do this free of charge, and per Article 12(3), "without undue delay and in any event within one month".

So, I emailed their data protection officer (privacy@identibase.co.uk), asking for them to update my address, citing the above legislation.  I had already sent my request to their customer service address, which had been ignored, but it was actioned within a day of sending it to their privacy address.

The same legislation applies to all of the database operating companies, so there's no reason why you shouldn't be able to use this method to avoid the fees that any of them charge for personal data updates.

Friday, 15 March 2024

Another day in court (arguing against the ICO)

Going to court is always an interesting and educational experience, and to some extent I quite like it because judges are generally methodical, impartial people who are just trying to come to reasonable conclusions and aren't trying to prove a point.

So, right off the bat, here are some things I learnt this time around:

  • "Do not disturb" mode on my Android phone doesn't appear to stop WhatsApp from going "bong".  I got told off for not turning my phone off because of this one!
  • Make sure you put all of your claims on the original (N1CPC) claim form.  If you neglect any claim, the judge will strike it out from the start.
  • Ensure you include all evidence that might be relevant in the trial bundle.  In the interests of keeping the trial bundle relatively small, I had omitted some of the emails that I thought weren't relevant.  Of course the judge asked me questions about those emails and, although I don't think it affected the outcome, it did make it a bit harder to make my arguments.
  • Although methodical, the judge won't necessarily address your claim in the order that you've presented it in the witness statement.  This means it can be hard to find the appropriate information within the trial bundle (even though it should contain an index page).  I'm not sure if there's really any way to resolve this since you can't predict exactly how the judge is going to approach it, but if you're claiming for several different things, it's probably best to try and separate out each claim in the witness statement and group all of the information relating to that claim together.  I had, instead, done a chronological account, so gathering together the info for each specific claim was a bit of a pain.  Maybe it is wise to organise the information both ways, even if it feels like you're repeating yourself?

Anyway, this organisation started spamming me.  Article 14 of the UK GDPR says they should have sent me privacy information (including contact details of their data protection officer) when they acquired my personal data, but they didn't do that.  Here's where I made one of my mistakes - I neglected to mention their breach of Article 14 when I filled in the claim form, and so even though I included this point within my witness statement, the judge said that he couldn't rule on it.  The moral of the story is to list all breaches in the claim form so that you can later rely on them to support your claim.

The spam emails did contain an unsubscribe link (which I didn't click on, because clicking random links in unsolicited emails is a pretty stupid thing to do from a security stand point), but didn't link to any privacy policy.  Their website also has no privacy policy.

So without a better point of contact, I emailed the "Reply To" address from their spam emails to make a Subject Access Request.  I got no reply, so ended up complaining to the Information Commissioner's Office, who told the Defendant to respond to me within 28 days.  The Defendant ignored the ICO's instructions, so I asked the ICO to reopen the complaint and the ICO instructed them to contact me within 7 days.

What is personal data?

The Defendant ignored the ICO's 7 day deadline, but did eventually send me an email, in which they stated that they had sent me a marketing email, but that my email address was not personal data.

The email address in question did not contain my "real name", but as far as I can see it should still be considered to be personal data, by the UK GDPR's definition.  Article 4(1) says "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."  Sticking the email address in question (surrounded by quotes) into Google gives exactly 1 hit, clearly identifying me by name, so IMHO the email address is personal data.

The problem is that the ICO waded in and reversed their original decision and decided that my email address isn't personal data after all, because the address didn't itself contain any "personal identifiers", and there was no evidence to suggest that the Defendant were themselves holding other information to link the address to me.

This interpretation that "it's only personal data if you're using it as such" seems very problematic to me: data protection legislation requires that organisations protect personal data, in part, to prevent it falling into the wrong hands and being used for nefarious purposes.  If you are able to say "we don't need to prevent it from falling into the wrong hands, because we're not linking it to an individual ourselves", that exposes individuals to great risk since the data controller can't prevent it from being misused once it has been taken by a bad actor.  Furthermore, this interpretation doesn't seem to be supported by the legislation, which says that it's personal data if it can be used "directly or indirectly" to identify an individual - nowhere does it qualify that by saying "if it can be used to directly or indirectly identify an individual using only data held by the data controller".

As you can imagine, the ICO's decisions carry considerable weight, so arguing in court that they are wrong felt tough.  Thankfully, the judge agreed with me that the ICO's interpretation wasn't supported by the legislation, and ruled that my email address is personal data, even though it doesn't contain my name.

Right of access

The Defendant had repeatedly ignored my Subject Access Request, and their justification for this was that the Right of Access by the Data Subject (UK GDPR Article 15) only applied to personal data, and since my email address wasn't personal data, they didn't need to comply.

At this point, I should point out that they could have answered the questions in my Subject Access Request whether or not they were dealing with personal data.  It's just that if you're dealing with personal data you're required to answer them.  Had they responded, they would have saved both of us a lot of bother.  Their refusal to engage with me on this just felt like wrong-headed stubbornness.

Anyway, with the judge's decision that my email address is indeed personal data, their only defence for ignoring my SAR disappeared and the judge agreed with me that they had not fulfilled their obligations.

Unfortunately I still don't have the answers to the questions I raised in my SAR almost 2 years ago, and the judge said that he didn't believe it was in his gift to order the Defendant to provide a full response.  I may send the court's decision to the ICO and ask them to reopen the complaint, but frankly the ICO are so useless I don't expect anything useful to come of that.

PECR

I am a director of a limited company, but also operate a separate unincorporated business as a sole trader.  Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) says that you can't send marketing emails to an "individual subscriber".  As I've mentioned previously, the definition of an "individual subscriber" is messy, but for the purposes of this claim, the email address in question is used by me in my capacity as a sole trader, and by sending email to it you are therefore emailing an "individual subscriber".  (Had the Defendant sent spam to an address owned by the limited company, this would probably have been lawful, although they would still have needed to meet their data protection obligations.)

The Defendant made various claims about my email address belonging to my limited company, which is not true - the DNS for the domain is hosted by the limited company, and they are the administrative contact (as they are for most other customers' domains that they host), but they do not own the domain.  In fact, there's no way for the Defendant to know who actually owns the domain since the whois data for that domain is not published.

However, the judge mostly seemed to ignore their arguments and instead questioned whether it was reasonable for the Defendant to have contacted me through that email address if they were doing so in my capacity as director of that limited company.

I treat the limited company and unincorporated business as separate entities, so it has always made sense to me that the unincorporated business's website would only list its email addresses, and the limited company's website would only list email addresses belonging to the limited company.

It doesn't seem to have made any difference to the judge's final decision, but it seems things would have been more straightforward if the unincorporated business's website had specifically said not to use that email address for matters relating to the limited company (and I've now fixed the website to do that).

The ICO had previously ruled that the Defendant had not broken PECR because there was no evidence that they knew that my address belonged to an individual subscriber.  This is a ridiculous position to take, that something you do is only unlawful if you knew it was unlawful.  The Defendant had also argued that there was no way for them to know whether the address belonged to an individual subscriber - they are probably right, but that doesn't mean that you just plough on with a potentially unlawful course of action simply because you don't know whether it's lawful or not.

In any case, the judge again disagreed with the ICO and found in my favour - the Defendant had not complied with PECR, and had sent marketing to an "individual subscriber" without consent, therefore making them liable to pay compensation.

Honey-trap

The Defendant also made various other spurious claims about me, such as accusing me of operating a "honey-trap".  I was questioned about this claim, and to my mind, since I had no previous interactions with the Defendant and did not encourage them into their unlawful course of action, I cannot see how a situation into which the Defendant has entered of their own volition can be described as a "honey-trap".

The Defendant also suggested that if I were genuinely concerned about people misusing my data, I would not release it at all.  My email address was published for legitimate purposes, not to receive unlawful marketing, and it seems to me that saying essentially "you mustn't do anything legitimate if I could use it to break the law" is a pretty bonkers way to think!  I mean, this is surely why we have laws - to ensure that people can go about their lives without being too concerned that people will use things against them.

Quantum

No, not half-dead cats in boxes.  This is how much is due in compensation.

The small claims court is all about recovering losses, not imposing fines or punishment.  This is where things seem to vary significantly, depending on which judge is hearing your claim.  Recital 85 of the UK GDPR cites "loss of control of personal data" as a type of non-material damage, and Article 82 gives individuals the right to claim compensation for non-material damage.  In my experience, some judges say "that sounds like a reasonable figure" when you present a figure for the non-material damage, and others want to have hard evidence showing that you have lost that amount of money.  So, despite the law saying that you can claim for "non-material damage", you might be called upon to provide evidence that you have actually materially lost that amount, which is obviously pretty hard (probably impossible) to do.

In this case, the judge was the latter type, and therefore rejected my figure for damages.  It is possible for the case to be lost on this point - it doesn't matter what laws the Defendant has broken, or how they have behaved, if the judge decides that you're not due any money then you've automatically lost the claim.  Today, although the judge did not support the figure that I had claimed, he did come up with his own figures, so the ruling was in my favour.

Despite being awarded less than I had hoped, the Defendant has to pay both the awarded damages, and court fees which they could have avoided by engaging with me at an earlier stage instead of letting it proceed to a court hearing.

Last thoughts

Although today's proceedings were not a complete success for me, and were somewhat time consuming, I did find it pretty interesting.  I was rather nervous going into it arguing that the ICO was just plain wrong in their interpretations of the legislation, and am reassured that the judge agreed with me.

Friday, 27 October 2023

Reason 324873 why the ICO aren't worth the £62m they are paid

The Information Commissioner's Office has an income of about £62m per year.  I receive about 1000 spam emails a year - most are from anonymous foreign actors, but a significant proportion are from registered UK businesses who are flouting the rules.  As a point of comparison, in the past year the ICO have taken "enforcement action" against just 2 organisations with respect to email marketing: Join the Triboo Limited, and Monetise Media Limited.  In both cases, the organisations were sent "enforcement notices", which they ignored, and were then fined, which probably does a fair bit to demonstrate how much "enforcement notices" are worth.

The ICO is partly funded by fines, so there's incentive to go after one or two big cases (which make them money) and ignore the thousands of small cases (which cost them money).

Anyway, without further ado, here I present reason #324873 why the ICO are a waste of money:

Some company called Autosuggest started spamming me.  I won't give them the publicity by showing the email here, but it was badly formatted, contained my first name, my employer's name and information about the nature of my employer's business.  There was no unsubscribe link or privacy information in the email.

The email was sent to my "corporate address", so probably wasn't in breach of PECR (although the definitions are rather convoluted and could be interpreted either way).  But they've still processed my personal data, and that means they needed to comply with GDPR.

The first thing to note is that Article 14 of the GDPR requires them to have provided me with "privacy information", and they have not done so.  It's common for spammers to include a link to that info in their emails, which does fulfil the requirements so long as the emails are sent within a month of obtaining the personal data, but in this case they didn't even do that.

So, back in February, I made a Subject Access Request, which asked for various pieces of information.  The most obvious of these was "provide me with a copy of all data you hold which relates to me", but there were a few others such as asking to confirm who the data controller is, and records of processing activities.  The "right of access" is provided by Article 15, and although that particular article doesn't mention time scales, Article 12(3) does.  They are required by law to respond to my request within 1 month.

The month came and went with complete radio silence and after a second month I sent a chasing email which at least generated an automated confirmation of receipt that said it would be reviewed by a "consultant".

Needless to say, they didn't reply, so 2 months later (now 4 months since I made the original request) I raised a complaint with the ICO.  Another 2 months went by and the ICO responded, upholding my complaint and instructing Autosuggest to respond to me within 14 days.

Thank you for your email of 12 June 2023 regarding a data matter involving Autosuggest. We have considered the information available in relation to this complaint, and we are of the view that Autosuggest has not complied with their Data Protection obligations. This is because you did not receive a response to your subject access request within one calendar month and were sent unsolicited marketing communication.

We have written to Autosuggest about their information rights practices. We requested that the organisation revisit the way your SAR has been handled, provide you with all of the information you are entitled to as soon as possible or within 14 calendar days, and also stop sending you unsolicited marketing emails.

Should Autosuggest not provide you with the personal data to which you are entitled, you have the right to approach the courts for an order for your data to be released. Legal action of this nature is not something that the ICO can assist with, and we would recommend that you seek some independent legal advice before taking this step.

We will not be taking further action on this case at this time. Furthermore, please note that the organisation is not located in the U.K., so the ICO’s jurisdiction does not cover the organisation’s location. However, we hope the organisation adheres to our guidance, upholds best practises, and respects individuals privacy rights.

Please be aware that the ICO cannot award compensation, nor can we advise if it should be awarded. It is for the organisations to decide if compensation is appropriate on a case-by-case basis, or the individual may go to court to claim compensation for damage or distress caused by any organisation if they have breached the Data Protection Act.

Thank you for bringing this matter to our attention.

I note that it does point out that Autosuggest aren't based in the UK.  However, they are marketing to UK customers, using the data of UK individuals, so GDPR's extraterritorial reach does apply.  Also, I've had similar experiences with the ICO when dealing with UK companies, and a quick comparison between the number of data protection breaches, and the number of enforcement actions they have taken does quite a good job of demonstrating that they just don't enforce, even where they can.

Anyway, great - the ICO have ordered them to provide "all of the information" within 14 days, so they'll do that, right?

And indeed, they did send a response.

Thank you for contacting us.

Apologies for our late reply.

We hereby would like to inform you that regarding your personal data we have only stored your first name, last name and e-mail address in our database.

Also, we have removed your e-mail address from our marketing communication as per your wish, this has already happened previously after we have received your e-mail.

In case of any further questions, please feel free to contact us.

Hmm... not exactly comprehensive, is it?  It says what types of information they hold, but not what the information actually is, so there is no way to check if it's accurate.  Also, their spam included details about my employer, but they haven't mentioned that at all.  And most of all, I asked several other questions, none of which they have answered.  But they do say I can contact them if there are any further questions, so I did that the next day and received an auto response saying my email had been received.

2 months later (now 8 months since my original request), still no response, so back to the ICO I go.  I asked them to re-open the case since Autosuggest had only provided a minimal response, which was obviously short of the "all of the information" that the ICO had told them to send.  I attached copies of the emails, etc.

Now, I'm going to look at what the ICO said in their reply in some detail:

Thank you for your email of 16 October 2023 regarding your data concern that involves Autosuggest. Please note that Autosuggest have informed the ICO that they have supplied all the information they hold on their system concerning you. They have ensured that the information provided is complete and comprehensive.

Ok... but I had sent both my Subject Access Request, and Autosuggest's response to the ICO, so the ICO can clearly see that it is not "comprehensive".  So why have they presented Autosuggest's statement as-is and not acknowledged that Autosuggest have lied to them?

If you believe that there may be other information missing or have concerns about the completeness of the information provided, it is recommended that you raise this specific concern directly with Autosuggest, giving them an opportunity to address it. By engaging with the organisation first, you can allow them time to respond and resolve any potential issues.

Right, but again, they can see from the evidence I sent them that I did raise this specific concern with Autosuggest, and they didn't reply.  So why are the ICO telling me to do something that I have already done and didn't work?

The ICO expects organisations to genuinely address the concerns raised by individuals and take appropriate action to resolve them.

Its all very well to outline these expectations, but this organisation clearly isn't meeting them so why are the ICO communicating those expectations to me instead of penalising Autosuggest for not meeting them?

Therefore, it is advisable to follow the steps outlined above before considering involvement with the ICO.

But the ICO can see, from the information I've given them, that I did already follow the steps outlined above before getting them involved, so why are they telling me this?

Should you decide to pursue the matter with Autosuggest, I recommend allowing them a reasonable timeframe like a month, to respond to your concern.

Well!  A month, you say?  Did you notice that I had given them two?

This will facilitate a constructive dialogue between you and the organisation focused on addressing your data protection rights and rectifying any potential shortcomings.

Did they really mean "constructive dialogue", or maybe they meant to say "constructive monologue" since Autosuggest won't reply to any of my communications?  Maybe the ICO should explain how a monologue can be constructive?

Please remember that our role at the ICO is to monitor compliance with data protection regulations and ensure that organisations fulfil their obligations.

But when they are faced with an organisation that is not fulfilling their obligations, what are the ICO doing to "ensure" that they do?  In my experience, except for a handful of high profile headline cases, the answer is "nothing".

We encourage you to approach Autosuggest first in order to resolve any outstanding issues you may have.

Again, why are the ICO reiterating this when they can clearly see I already "approached" Autosuggest first and got nowhere?

Thank you for your understanding, and we hope for a swift resolution to your concern with Autosuggest.

Well, whoop-di-do, thank you for all your help ICO.

Anyway, I replied to the ICO pointing all of this out and I got a rather blunt reply that just referred me back to the email above, without addressing the fact that all of the information they had provided was useless.

Oh, and they also told me they would ignore any further emails I sent the ICO regarding this... so... yay?


So this is essentially the state of play in the UK.  There is (for now) good data protection legislation, but practically no enforcement.  So unless you are concerned about reputational damage to your company, you can completely ignore it with very little risk of penalty.  If you're a trashy little spammer, or data broker, why would you comply with the law, since your reputation is already trash anyway?

Monday, 17 April 2023

ICO Failings

I have two significant examples showing why companies have basically no incentive to protect personal data.  In both cases the companies have clearly broken data protection legislation, but the ICO don't see why they should intervene:

Reel Effect Limited

This company sent a number of spam emails to me in May - July 2022.  There are a couple of things to cover first:

  1. The email address they were sending spam to belongs to an "individual subscriber", as defined by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  Since they didn't have my consent, this was unlawful (Regulation 22 of PECR).
  2. Although the email address did not contain my name, it is an address used solely by me, and if you Google for it the top link clearly identifies me.  Article 4(1) of the UK GDPR defines personal data as: "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (emphasis mine).  The email address is an online identifier from which I can be easily identified, so should be regarded as personal data.

I sent a subject access request to them, which Article 15 of the UK GDPR requires them to respond to within a month.  They didn't respond, so in October 2022 I made a complaint to the Information Commissioner's Office, who are the UK's data protection regulator.

Around 3 months later, the ICO concluded that there was "more work" for Reel Effect Limited to do, and wrote to them.  However, Reel Effect Limited ignored the ICO's letter, I re-reported them to the ICO in March 2023 and the ICO again wrote to them.  This finally resulted in opening up some communications from Reel Effect Limited, who essentially started making up excuses and creative interpretations of the law.  Here are some examples:

  • On why they ignored my Subject Access Request, they said that only one marketing email was sent and I didn't send the SAR until 2 months later, after they had migrated to a different domain.  This is simply not true - they sent me several spams and I sent my SAR to the sales email address listed on their website the day after the latest spam.  (They have no privacy policy on their website and list no address for data protection queries, so the sales address seemed the best option.  The spam emails stopped, so it seems pretty reasonable to assume they got the message and decided to ignore it).
  • They said that PECR does not apply to addresses that do not contain someone's name.  This is not at all true - PECR applies to all "individual subscribers".  (See my comments below on the definition of an "individual subscriber", but there is no requirement for addresses to contain someone's name.)
  • They then went on to claim that because the DNS host for the email address's domain is a limited company it must be a "corporate subscriber" address.  I would imagine that most "individual subscribers" contract a limited company to host their DNS, so this seems an odd position to take.
  • Then another odd claim is that since I am the director of the limited company that hosts the DNS, that makes me a "corporate subscriber".  Again, this seems like a very odd position to take - it should be of no relevance who I contract to provide DNS hosting services for my personal domains.  In this case I used a limited company for which I am a director, but I could have equally chosen another business.

So this seems fairly straightforward to me - my email address is clearly "personal data" as defined by the UK GDPR, and I am an "individual subscriber" as defined by PECR.  Imagine my surprise when the ICO decided that Reel Effect Limited had complied with their data protection obligations because they did not know they were dealing with personal data or an individual subscriber.  It absolutely boggles my mind that if you break data protection legislation, the ICO think that's ok so long as you didn't do enough due diligence first to know you were breaking it!

This due diligence isn't even hard - visit a website to find out what the business name or number is, then visit the Companies House website to look up the company.  My website clearly isn't a corporate website, and it contains a notice at the top pointing out that the email addresses on the domain are those of individual subscribers.  The fact of the matter is that they simply didn't do any due diligence at all.  And it's basically paid off because the ICO has now endorsed this process.

And if you receive a Subject Access Request, it's probably worth answering it rather than completely ignoring it even if you don't think you're handling personal data, since it might turn out that you were wrong.

Here is the ICO's redacted response.  I've added some highlighting on the important bits:



The ICO points out that I can still take Reel Effect Limited to court, which is what I intend to do.  But I do feel that the ICO's bonkers decision does a lot to undermine my claim.

Individual Subscribers

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (amongst other things) protects "individual subscribers" from spam email.  If you're not an "individual subscriber" (e.g. the email address belongs to a limited company) then you get no protection.  But it has a rather odd and convoluted definition of what an "individual subscriber" is:

First of all, it defines an "individual" as "a living individual and includes an unincorporated body of such individuals".  This seems pretty straightforward - basically, this definition includes people, but also unincorporated businesses such as sole traders, partnerships, etc.

The definition of a "subscriber" is less straightforward: "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services".  So what is a "public electronic communications service"?  Well, Section 151 of the Communications Act 2003 defines this as "any electronic communications service that is provided so as to be available for use by members of the public".

I am not a lawyer and absolutely none of this is legal advice, but as far as I can see:

  • If you (as an individual) pay a company that provides services to the public, such as your ISP, for an email address, then that is very clearly an "individual subscriber" email address.
  • But what if you self-host your email? Well, this seems much less clear - if you contract a company to host the DNS for your domain, I would think that makes you an "individual subscriber" too... Maybe you pay for a virtual machine to host your email on - that should make you an individual subscriber too, I guess. You probably also pay an ISP to provide the internet connection through which you access your email, so surely that makes you an individual subscriber?

Something that seems often missed, and which was presumably never the intent of the legislation, is that Regulation 22 of PECR simply regulates "electronic mail to individual subscribers" - the "individual subscriber" is the person that is receiving the email and the legislation doesn't appear to make reference to what email address was used to contact them.

Presumably almost everyone is an "individual subscriber" in some way or other - they have contracts with internet providers, mobile phone networks, etc.  So does this mean that this whole idea of "corporate" email addresses having no protection can be thrown out of the window?  If you spam a corporate email address and the individual it is delivered to has a contract with an ISP in a personal capacity, does that mean that Regulation 22 of PECR would apply?  I don't know, but I would love to see this tested in court!

(The legislation does not say you can spam "corporate subscribers", it says you must not spam "individual subscribers".  So if there can be some overlap between these definitions, the spammer needs to be sure that you are not an "individual" rather than checking that you are "corporate").

Either way, whether or not you can spam someone is determined by the recipient's contractual relationship with a service provider.  That might be something that the spammer can take a guess at, but it certainly isn't something that the spammer can be sure about.  The only reasonable way for a spammer to be sure that they are not breaking the law is to... not send spam!

CarParts4Less

This is a company I have bought from in the past and they have retained my details on file and then started spamming me daily.  I don't know what gets into the heads of marketing people - even if you didn't mind receiving spam, surely a spam every single day is far too much?!

I made a complaint to CarParts4Less in July 2022.  They ignored it and continued spamming me, so in October 2022 I escalated the complaint to the ICO.  The ICO responded saying they would not consider my complaint, because I had not yet complained to CarParts4Less about their failure to handle my complaint.

So the process that you have to follow when an organisation fails to comply with their data protection obligations appears to be:

  1. Complain to the organisation.
  2. Wait a month.
  3. Complain to the organisation again.
  4. Wait another month.
  5. Complain to the ICO.
  6. Wait 3 months for the ICO to possibly write to the organisation.
  7. Wait another month and hope the organisation doesn't ignore the ICO too.

Honestly, at this point I'm expecting the ICO to say that they won't do anything because I haven't yet complained to the organisation about their failure to handle my complaint about their failure to handle my complaint!

(For the record, CarParts4Less are still regularly spamming me and the ICO have done nothing).

Summary

With the way the ICO are handling data protection complaints, other than private litigation there's essentially no risk for an organisation unless they are a huge company that the ICO decides to go after to get some headlines to justify their existence.  A lot of the time the ICO will refuse to do anything, and if they decide to do something it almost always amounts to nothing more than writing to an organisation to remind them of their data protection obligations (even if they have to "remind" them multiple times!)

Between April 2022 and April 2023, the ICO fined just 7 companies for using personal data unlawfully for marketing purposes.  Over the same period, I have personally received settlements from 12 companies for the same reason - it's quite a lot of work, and something the regulator should be doing instead of individuals.

Friday, 10 March 2023

Anti-spam in court

As I've mentioned many times before, spamming is unlawful (except in some specific circumstances), but the Information Commissioner's Office is useless and generally doesn't do anything about it.  Thankfully, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the UK GDPR both allow you to take civil action to protect your personal data from misuse.

Usually, when challenged, spammers admit that they broke the law and offer to pay compensation, which is generally best for everyone concerned.  But I now have two rare examples of spammers wilfully refusing to understand what they've done wrong, and taking the claim all the way to a court hearing.

This has not really gone well for these two spammers.  They have both lost, wasted everyone's time, and now have court fees to pay too.

Spammer 1

This was an eBay shop that I had made a purchase from around 5 years ago, and they subsequently started spamming me on the email address that I use exclusively for eBay.  Despite me objecting numerous times, they continued to spam me over a long period.

Since I was a customer, under PECR, they could only have lawfully spammed me if:

  1. I had given my informed, specific and unambiguous consent; or
  2. they had given me the opportunity to opt out at the time my details were collected, and in every subsequent email.

Needless to say, they didn't get my consent, and eBay provides no way for them to provide an opportunity to opt out.

Now, this is a point of weirdness: I'm extremely surprised that eBay would ever pass on my email address, and indeed the spammer says they don't.  But that address is only ever used on eBay, and the spamming started not long after my purchase...

The spammer insisted that I must have gone to their website and subscribed my address to their mailing list (obviously I didn't).  They also made the claim that maybe someone else did it since they don't use double-opt-in verification (no explanation as to who else would have access to an address that is only used on eBay, and I'm not sure how you would demonstrate consent without double-opt-in verification).  They didn't keep any records, so ultimately couldn't provide any evidence showing how they got my email address, and therefore that the way they collected it met the legal requirements.

The hearing was held over video link, because I was testing positive for CoViD at the time.  Ultimately, the judge ruled against the spammer, mainly because they had ignored my repeated objections.  However, he reduced the damages slightly as he judged my claim to be a bit too high (but the spammer has to pay court fees on top of that anyway).  He also said that I should have clicked the "unsubscribe" link in the spams, as I had an obligation to reduce my losses - never mind that clicking links in random unsolicited emails is probably not a great idea!

So, key points:

  1. I made my claim under Articles 79 and 82 of the UK GDPR, and regulation 30 of PECR.  These are basically the bits of legislation that say "if someone breaks this law, you can take them to court".
  2. My claim was for "loss of control of personal data", which Recital 85 of the UK GDPR cites as "non-material damage".
  3. I noted that it is difficult to arrive at a monetary figure for non-material damage.
  4. I explained how I arrived at the monetary figure for damages: I considered how much I might have reasonably decided to charge if someone asked to purchase a licence to use my personal data for this purpose.
  5. The spammer had broken Regulation 22 of PECR.
  6. The spammer had broken Articles 15 and 21 of GDPR, since they ignored my Subject Access Request and objection.

Spammer 2

This was a company with whom I had never had any dealings.  They were spamming one of my business addresses, but that business is not incorporated and I operate it as a sole trader.

Since I was not a customer, they could only have lawfully spammed me if I had given my informed, specific and unambiguous consent.

Now free of CoViD, I attended court in person for the first time.  The spammer declined to attend the hearing and just provided a witness statement 7 days in advance, which meant that I had plenty of time to prepare a response to their points.  In fact, I prepared far more than I actually needed.

I had two main points to my claim:

  1. Spamming me was unlawful under PECR; and
  2. The spammer had scraped my personal data off LinkedIn and then used it for a purpose which is explicitly disallowed by LinkedIn's terms and conditions.  I'm not completely sure, but I don't think this would be allowed under GDPR, since the data is being used for a purpose for which it was not originally collected.

I found this judge much better than the previous one - he wanted me to walk through step-by-step why I thought the spammer was breaking the law, so I took him through the legislation and why the exemptions didn't apply, etc. and found that this gave me a much better opportunity to explain my position.  He was pretty meticulous at asking me about definitions and looking things up as we went through the legislation.

In the end, the judge was only interested in the PECR breach.  He had decided that the spammer was clearly in the wrong, so there was no need to consider the GDPR breach since it would make no difference to the outcome of the claim.

The spammer had consistently misunderstood PECR, arguing that all "business-to-business" communications are exempt, even when I pointed out that sole traders are not exempt.  The spammer even cited guidance from the ICO as evidence for their position, despite that guidance specifically saying that PECR prohibits them from marketing to sole traders without their consent.  This was ultimately the spammer's undoing - they could not demonstrate any reason why their communications would have been exempt from PECR because they never addressed the reasons I had given as to why they weren't exempt.

I was asked to justify the amount I was claiming for non-material damage: this is usually a tricky one because it's basically impossible to demonstrate a tangible loss, but I successfully explained that losing control of my personal data and having it used in unlawful ways is distressing.

I was also asked why I wasn't making a claim for material damage, and I explained that the time it takes to delete a small number of spams is very small so the damage is immeasurable.  However, I did make the point that the majority of email on the internet is spam sent from the likes of the defendant, and that does have a real cost, even if extremely hard to measure, since it necessitates filtering systems which occasionally throw away legitimate emails.

The judge ruled that the defendant had broken PECR, and that the £200 (plus court fees) that I was claiming was not an unreasonable amount to claim for the distress caused by their misuse of my personal data.

So, key points:

  1. I made my claim under Articles 79 and 82 of the UK GDPR, and regulation 30 of PECR.  These are basically the bits of legislation that say "if someone breaks this law, you can take them to court".
  2. My claim was for "loss of control of personal data", which Recital 85 of the UK GDPR cites as "non-material damage".
  3. I noted that it is difficult to arrive at a monetary figure for non-material damage.
  4. I explained how I arrived at the monetary figure for damages: I considered how much I might have reasonably decided to charge if someone asked to purchase a licence to use my personal data for this purpose.
  5. The spammer had broken Regulation 22 of PECR.
  6. The spammer had broken the UK GDPR since they had taken data from LinkedIn in a way that is disallowed by LinkedIn's terms and conditions, and used it for a purpose for which it was not originally collected.  (This was never considered by the judge).

Oh yes, there were also a couple of extra weird arguments from the spammer...

  • "Business contacts would expect to be contacted by B2B service providers to market and advertise their products and services" [and that therefore it's ok]... This appears to be a circular argument (this is lawful because people should expect us to act unlawfully), and it makes no sense to me at all.
  • That I'm turning a profit by taking advantage of the court... Given the time needed to navigate all the legal processes and actually attend the court (which the spammer did not), this isn't really an especially profitable use of my time!
  • That I'm up to no good because I've documented the legal processes I've gone through... Because I guess it's terrible to help people to understand the legal system that governs them?

Conclusion

I think this really demonstrates how dependent the outcome is on which judge is selected to hear your case.  I had thought that the first claim was much stronger than the second, since it involved more spam emails over a longer period of time and multiple failures to act upon my exercising my data protection rights, but in the end the judge of the first case was much more lenient and reduced my claim whilst the judge of the second case considered my claim to be reasonable and awarded the full amount.

Friday, 15 July 2022

Invoicing a spammer

Maintaining control of my personal data is important, and companies who spam me usually end up on the receiving end of a nasty email exercising my rights under GDPR to find out what data they have about me, where they got it and to demand that they stop using it.

Back at the start of 2021, several companies who were spamming me all said that they had contracted another company to do their marketing, and all of them pointed at the same company.  I sent an email to the spam company consisting of:

  1. A "Notice Before Action" demanding that they pay damages for the misuse of my personal data.
  2. A "Subject Access Request" to find out what data they held and where they got it.
  3. A request to cease spamming me.
  4. A proposed contract, under which they would be allowed to send me further spam emails in exchange for a £30 charge per email.

They admitted fault and (after some more prodding) agreed to pay a £200 settlement.

Although I don't think that sending spam emails is an ethical business plan, I'm not going to name the spamming company because they have been pretty reasonable under the circumstances.

The email address that the spam was directed to was a business address.  However, I operate that business as a sole trader, so under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), that makes it the address of an "individual subscriber", no different from a personal email address.  It is unlawful to send any unsolicited marketing email to an "individual subscriber" except in some very specific circumstances.

The spam company said that their systems had misidentified me as a limited company.  According to the Information Commissioner's Office, email addresses belonging to incorporated bodies such as limited companies are not those of "individual subscribers" and therefore out of the scope of PECR, so there is no prohibition on sending them spam.

The legislation is not quite so clear, and whether or not an address is that of an "individual subscriber" depends on things which are not discoverable by the sender.  Sending unsolicited email to anyone is a risk, since the sender can't know whether or not doing so would break the law.

I was assured that the problem had been fixed and would not recur.

More recently, I've been receiving some spam from a number of different businesses, all sharing a few similarities:

  • The From addresses of the emails were all on domains which started with "ins." - for example, example@ins.example.com.
  • They all shared a number of identical non-standard email headers.

Many of the emails were really scammy looking - things like emails promoting Amazon Business coming from a variety of email addresses that don't appear to be associated with Amazon.

After some investigation, it became clear that these were from the same spam company - the one that, a year earlier, had admitted fault, paid me £200 and assured me it wouldn't happen again.
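The two traits described above (a shared subdomain prefix on the From address, and an identical set of non-standard headers) are enough to group such messages mechanically.  The script below is an added example and not code from the original post; it uses only the Python standard library.  All four messages are constructed for the example, and the header names X-Campaign-Id and X-Sender-Pool are hypothetical, since the post does not say which headers the emails shared.

```python
"""Group spam by sender-domain prefix and the set of non-standard headers.

Added example, not the blog post's own code.  Sample messages are constructed;
the X-Campaign-Id / X-Sender-Pool header names are hypothetical placeholders
for whatever identical non-standard headers the real emails carried.
"""
import email
import email.utils
from collections import defaultdict
from email import policy

# Headers that ordinary mail systems add.  Anything outside this set is
# treated as "non-standard" and becomes part of the fingerprint.
STANDARD_HEADERS = {
    "from", "to", "cc", "bcc", "subject", "date", "message-id", "reply-to",
    "return-path", "received", "mime-version", "content-type",
    "content-transfer-encoding", "dkim-signature", "list-unsubscribe",
    "authentication-results", "in-reply-to", "references",
}

# Constructed corpus: three "ins." messages for different brands sharing the
# same hypothetical headers, plus one genuine order confirmation.
SAMPLE_MESSAGES = [
    "From: Amazon Business <offers@ins.example-deals.com>\n"
    "To: me@example.org\nSubject: Save on business supplies\n"
    "X-Campaign-Id: 8841\nX-Sender-Pool: uk-3\n\nOpen a business account today.\n",

    "From: Office Supplies <news@ins.example-office.net>\n"
    "To: me@example.org\nSubject: Printer paper offers\n"
    "X-Campaign-Id: 8852\nX-Sender-Pool: uk-3\n\nBulk discounts this week.\n",

    "From: Trade Tools <promo@ins.example-tools.co.uk>\n"
    "To: me@example.org\nSubject: Power tool clearance\n"
    "X-Sender-Pool: uk-1\nX-Campaign-Id: 8860\n\nUp to 40% off.\n",

    "From: Orders <orders@example-shop.com>\n"
    "To: me@example.org\nSubject: Your order has shipped\n"
    "List-Unsubscribe: <mailto:unsub@example-shop.com>\n\nTracking number enclosed.\n",
]


def sender_domain(msg):
    """Lower-cased domain part of the From: address ("" if absent)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def domain_prefix(domain):
    """Leftmost label when the domain has a subdomain ("ins" for ins.example.com)."""
    labels = domain.split(".")
    return labels[0] if len(labels) > 2 else ""


def nonstandard_headers(msg):
    """Names (lower-cased) of headers outside STANDARD_HEADERS; values are ignored."""
    return frozenset(k.lower() for k in msg.keys() if k.lower() not in STANDARD_HEADERS)


def fingerprint(msg):
    """The two traits the post relied on: subdomain prefix + non-standard header set."""
    return (domain_prefix(sender_domain(msg)), nonstandard_headers(msg))


def cluster_by_fingerprint(raw_messages):
    """Map each fingerprint to the sender domains that carried it."""
    groups = defaultdict(list)
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        groups[fingerprint(msg)].append(sender_domain(msg))
    return dict(groups)


if __name__ == "__main__":
    for (prefix, headers), domains in cluster_by_fingerprint(SAMPLE_MESSAGES).items():
        label = f"prefix={prefix or '-'} headers={sorted(headers) or '-'}"
        print(f"{label}: {len(domains)} message(s) from {sorted(set(domains))}")
```

Header order and values are deliberately ignored, so the third message (headers swapped, different pool) still lands in the same group as the first two; only the brand-specific base domain differs, which is exactly the pattern of one sender behind many "ins." domains.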

I identified 31 spam emails that they had sent, I'd already sent them a contract, and since 31 emails × £30 = £930, I invoiced them, fully expecting to end up in court.  The only thing that would make the emails they sent lawful was the contract, so I could conclude that they had accepted it.

What happened next really surprised me.  I quickly received an email from them admitting fault, pointing out that I had missed 5 emails and asking me to reissue the invoice for 36 emails × £30 = £1080.  So I did and they paid up immediately.

According to the spam company, they migrated to a new system, which introduced the error.  I can only assume that they never actually fixed the original problem of individuals being misidentified as limited companies and instead just added my address to a suppression list.  When they transferred to a new system, they presumably didn't transfer over their suppression list.