Friday 10 March 2023

Anti-spam in court

As I've mentioned many times before, spamming is unlawful (except in some specific circumstances), but the Information Commissioner's Office is useless and generally doesn't do anything about it.  Thankfully, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the UK GDPR both allow you to take civil action to protect your personal data from misuse.

Usually, when challenged, spammers admit that they broke the law and offer to pay compensation, which is generally best for everyone concerned.  But I now have two rare examples of spammers wilfully refusing to understand what they've done wrong, and taking the claim all the way to a court hearing.

This has not really gone well for these two spammers.  They have both lost, wasted everyone's time, and now have court fees to pay too.

Spammer 1

This was an eBay shop that I had made a purchase from around 5 years ago, and they subsequently started spamming me on the email address that I use exclusively for eBay.  Despite me objecting numerous times, they continued to spam me over a long period.

Since I was a customer, under PECR, they could only have lawfully spammed me if:

  1. I had given my informed, specific and unambiguous consent; or
  2. they had given me the opportunity to opt out at the time my details were collected, and in every subsequent email.

Needless to say, they didn't get my consent, and eBay provides no way for them to provide an opportunity to opt out.

Now, this is a point of weirdness: I'm extremely surprised that eBay would ever pass on my email address, and indeed the spammer says they don't.  But that address is only ever used on eBay, and the spamming started not long after my purchase...

The spammer insisted that I must have gone to their website and subscribed my address to their mailing list (obviously I didn't).  They also made the claim that maybe someone else did it since they don't use double-opt-in verification (no explanation as to who else would have access to an address that is only used on eBay, and I'm not sure how you would demonstrate consent without double-opt-in verification).  They didn't keep any records, so ultimately couldn't provide any evidence showing how they got my email address, and therefore that the way they collected it met the legal requirements.

The hearing was held over video link, because I was testing positive for CoViD at the time.  Ultimately, the judge ruled against the spammer, mainly because they had ignored my repeated objections.  However, he reduced the damages slightly as he judged my claim to be a bit too high (but the spammer has to pay court fees on top of that anyway).  He also said that I should have clicked the "unsubscribe" link in the spams, as I had an obligation to reduce my losses - never mind that clicking links in random unsolicited emails is probably not a great idea!

So, key points:

  1. I made my claim under Articles 79 and 82 of the UK GDPR, and regulation 30 of PECR.  These are basically the bits of legislation that say "if someone breaks this law, you can take them to court".
  2. My claim was for "loss of control of personal data", which Recital 85 of the UK GDPR cites as "non-material damage".
  3. I noted that it is difficult to arrive at a monetary figure for non-material damage.
  4. I explained how I arrived at the monetary figure for damages: I considered how much I might have reasonably decided to charge if someone asked to purchase a licence to use my personal data for this purpose.
  5. The spammer had broken Regulation 22 of PECR.
  6. The spammer had broken Articles 15 and 21 of GDPR, since they ignored my Subject Access Request and objection.

Spammer 2

This was a company with whom I had never had any dealings.  They were spamming one of my business addresses, but that business is not incorporated and I operate it as a sole trader.

Since I was not a customer, they could only have lawfully spammed me if I had given my informed, specific and unambiguous consent.

Now free of CoViD, this is the first time I've actually attended court in person.  The spammer declined to attend the hearing and just provided a witness statement 7 days in advance, which meant that I had plenty of time to prepare a response to their points.  In fact, I prepared far more than I actually needed.

I had two main points to my claim:

  1. Spamming me was unlawful under PECR; and
  2. The spammer had scraped my personal data off LinkedIn and then used it for a purpose which is explicitly disallowed by LinkedIn's terms and conditions.  I'm not completely sure, but I don't think this would be allowed under GDPR, since the data is being used for a purpose for which it was not originally collected.

I found this judge much better than the previous one - he wanted me to walk through step-by-step why I thought the spammer was breaking the law, so I took him through the legislation and why the exemptions didn't apply, etc. and found that this gave me a much better opportunity to explain my position.  He was pretty meticulous at asking me about definitions and looking things up as we went through the legislation.

In the end, the judge was only interested in the PECR breach.  He had decided that the spammer was clearly in the wrong, so there was no need to consider the GDPR breach since it would make no difference to the outcome of the claim.

The spammer had consistently misunderstood PECR, arguing that all "business-to-business" communications are exempt, even when I pointed out that sole traders are not exempt.  The spammer even cited guidance from the ICO as evidence for their position, despite that guidance specifically saying that PECR prohibits them from marketing to sole traders without their consent.  This was ultimately the spammer's undoing - they could not demonstrate any reason why their communications would have been exempt from PECR because they never addressed the reasons I had given as to why they weren't exempt.

I was asked to justify the amount I was claiming for non-material damage: this is usually a tricky one because it's basically impossible to demonstrate a tangible loss, but I successfully explained that losing control of my personal data and having it used in unlawful ways is distressing.

I was also asked why I wasn't making a claim for material damage, and I explained that the time it takes to delete a small number of spams is very small so the damage is immeasurable.  However, I did make the point that the majority of email on the internet is spam sent from the likes of the defendant, and that does have a real cost, even if extremely hard to measure, since it necessitates filtering systems which occasionally throw away legitimate emails.

The judge ruled that the defendant had broken PECR, and that the £200 (plus court fees) that I was claiming was not an unreasonable amount to claim for the distress caused by their misuse of my personal data.

So, key points:

  1. I made my claim under Articles 79 and 82 of the UK GDPR, and regulation 30 of PECR.  These are basically the bits of legislation that say "if someone breaks this law, you can take them to court".
  2. My claim was for "loss of control of personal data", which Recital 85 of the UK GDPR cites as "non-material damage".
  3. I noted that it is difficult to arrive at a monetary figure for non-material damage.
  4. I explained how I arrived at the monetary figure for damages: I considered how much I might have reasonably decided to charge if someone asked to purchase a licence to use my personal data for this purpose.
  5. The spammer had broken Regulation 22 of PECR.
  6. The spammer had broken the UK GDPR since they had taken data from LinkedIn in a way that is disallowed by LinkedIn's terms and conditions, and used it for a purpose for which it was not originally collected.  (This was never considered by the judge).

Oh yes, there were also a couple of extra weird arguments from the spammer...

  • "Business contacts would expect to be contacted by B2B service providers to market and advertise their products and services" [and that therefore it's ok]... This appears to be a circular argument (this is lawful because people should expect us to act unlawfully), and it makes no sense to me at all.
  • That I'm turning a profit by taking advantage of the court... Given the time needed to navigate all the legal processes and actually attend the court (which the spammer did not), this isn't really an especially profitable use of my time!
  • That I'm up to no good because I've documented the legal processes I've gone through... Because I guess it's terrible to help people to understand the legal system that governs them?

Conclusion

I think this really demonstrates how dependent the outcome is on which judge is selected to hear your case.  I had thought that the first claim was much stronger than the second, since it involved more spam emails over a longer period of time and multiple failures to act upon my exercising my data protection rights, but in the end the judge of the first case was much more lenient and reduced my claim whilst the judge of the second case considered my claim to be reasonable and awarded the full amount.