Monday 17 April 2023

ICO Failings

I have two significant examples showing why companies have basically no incentive to protect personal data.  In both cases the companies have clearly broken data protection legislation, but the ICO don't see why they should intervene:

Reel Effect Limited

This company sent a number of spam emails to me in May - July 2022.  There are a couple of things to cover first:

  1. The email address they were sending spam to belongs to an "individual subscriber", as defined by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  Since they didn't have my consent, this was unlawful (Regulation 22 of PECR).
  2. Although the email address did not contain my name, is it an address used solely by me, and if you Google for it the top link clearly identifies me.  Article 4(1) of the UK GDPR defines personal data as: ‘"any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (emphasis mine).  The email address is an online identifer from which I can be easily identified, so should be regarded as personal data.

I sent a subject access request to them, which Article 15 of the UK GDPR requires them to respond to within a month.  They didn't respond, so in October 2022 I made a complaint to the Information Commissioner's Office, who are the UK's data protection regulator.

Around 3 months later, the ICO concluded that there was "more work" for Reel Effect Limited to do, and wrote to them.  However, Reel Effect Limited ignored the ICO's letter, I re-reported them to the ICO in March 2023 and the ICO again wrote to them.  This finally resulted in opening up some communications from Reel Effect Limited, who essentially started making up excuses and creative interpretations of the law.  Here are some examples:

  • On why they ignored my Subject Access Request, they said that only one marketing email was sent and I didn't send the SAR until 2 months later, after they had migrated to a different domain.  This is simply not true - they sent me several spams and I sent my SAR to the sales email address listed on their website the day after the latest spam.  (They have no privacy policy on their website and list no address for data protection queries, so the sales address seemed the best option.  The spam emails stopped, so it seems pretty reasonable to assume they got the message and decided to ignore it).
  • They said that PECR does not apply to addresses that do not contain someone's name.  This is not at all true - PECR applies to all "individual subscribers".  See my comments below on the definition of an "individual subscriber", but there is no requirement for addresses to contain someone's name).
  • They then went on to claim that because the DNS host for the email address's domain is a limited company it must be a "corporate subscriber" address.  I would imagine that most "individual subscribers" contract a limited company to host their DNS, so this seems an odd position to take.
  • Then another odd claim is that since I am the director of the limited company that hosts the DNS, that makes me a "corporate subscriber".  Again, this seems like a very odd position to take - it should be of no relevance who I contract to provide DNS hosting services for my personal domains.  In this case I used a limited company for which I am a director, but I could have equally chosen another business.

So this seems fairly straight forward to me - my email address is clearly "personal data" as defined by the UK GDPR, and I am an "individual subscriber" as defined by PECR.  Imagine my surprise when the ICO decided that Reel Effect Limited has complied with their data protection obligations because they did not know they were dealing with personal data or an individual subscriber.  This absolutely boggles my mind that if you break data protection legislation, the ICO think that's ok so long as you didn't do enough due-diligence first to know you were breaking it!

This due-diligence isn't even hard - visit a website to find out what the business name or number is, then visit the Companies House website to look up the company.  My website clearly isn't a corporate website, and it contains a notice at the top pointing out that the email addresses on the domain are those of individual subscribers.  The fact of the matter is that they simply didn't do any due-diligence at all.  And its basically paid off because the ICO has now endorsed this process.

And if you receive a Subject Access Request, its probably worth answering it rather than completely ignoring it even if you don't think you're handling personal data, since it might turn out that you were wrong.

Here is the ICO's redacted response.  I've added some highlighting on the important bits:

The ICO points out that I can still take Reel Effect Limited to court, which is what I intend to do.  But I do feel that the ICO's bonkers decision does a lot to undermine my claim.

Individual Subscribers

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (amongst other things) protects "individual subscribers" from spam email.  If you're not an "individual subscriber" (e.g. the email address belongs to a limited company) then you get no protection.  But it has a rather odd and convoluted definition of what an "individual subscriber" is:

First of all, it defines an "individual" as "a living individual and includes an unincorporated body of such individuals".  This seems pretty straight forward - basically, this definition includes people, but also unincorporated businesses such as sole traders, partnerships, etc.

The definition of a "subscriber" is less straight forward: "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services".  So what is a "public electronic communications service"?  Well, Section 151 of the Communications Act 2003 defines this as "any electronic communications service that is provided so as to be available for use by members of the public".

I am not a lawyer and absolutely none of this is legal advice, but as far as I can see:

  • If you (as an individual) pay a company that provides services to the public, such as your ISP, for an email address, then that is very clearly an "individual subscriber" email address.
  • But what if you self-host your email? Well, this seems much less clear - if you contract a company to host the DNS for your domain, I would think that makes you an "individual subscriber" too... Maybe you pay for a virtual machine to host your email on - that should make you an individual subscriber too, I guess. You probably also pay an ISP to provide the internet connection through which you access your email, so surely that makes you an individual subscriber?

Something that seems often missed, and which was presumably never the intent of the legislation, is that Regulation 22 of PECR simply regulates "electronic mail to individual subscribers" - the "individual subscriber" is the person that is receiving the email and the legislation doesn't appear to make reference to what email address was used to contact them.

Presumably almost everyone is an "individual subscriber" in some way or other - they have contracts with internet providers, mobile phone networks, etc.  So does this mean that this whole idea of "corporate" email addresses having no protection can be thrown out of the window?  If you spam a corporate email address and the individual it is delivered to has a contract with an ISP in a personal capacity, does that mean that Regulation 22 of PECR would apply?  I don't know, but I would love to see this tested in court!

(The legislation does not say you can spam "corporate subscribers", it says you must not spam "individual subscribers".  So if there can be some overlap between these definitions, the spammer needs to be sure that you are not an "individual" rather than checking that you are "corporate").

Either way, whether or not you can spam someone is determined by the recipient's contractual relationship with a service provider.  That might be something that the spammer can take a guess at, but it certainly isn't something that the spammer can be sure about.  The only reasonable way for a spammer to be sure that they are not breaking the law is to... not send spam!


This is a company I have bought from in the past and they have retained my details on file and then started spamming me daily.  I don't know what gets into the heads of marketing people - even if you didn't mind receiving spam, surely a spam every single day is far too much?!

I made a complaint to CarParts4Less in July 2022.  They ignored it and continued spamming me, so in October 2022 I escalated the complaint to the ICO.  The ICO responded saying they would not consider my complaint, because I had not yet complained to CarParts4Less about their failure to handle my complaint.

So the process that you have to follow when an organisation fails to comply with their data protection obligations appears to be:

  1. Complain to the organisation.
  2. Wait a month.
  3. Complain to the organisation again.
  4. Wait another month.
  5. Complain to the ICO.
  6. Wait 3 months for the ICO to possibly write to the organisation.
  7. Wait another month and hope the organisation doesn't ignore the ICO too.

Honestly, at this point I'm expecting the ICO to say that they won't do anything because I haven't yet complained to the organisation about their failure to handle my complaint about their failure to handle my complaint!

(For the record, CarParts4Less are still regularly spamming me and the ICO have done nothing).


With the way the ICO are handling data protection complaints, other than private litigation there's essentially no risk for an organisation unless they are a huge company that the ICO decides to go after to get some headlines to justify their existence.  A lot of the time the ICO will refuse to do anything, and if they decide to do something it almost always amounts to nothing more than writing to an organisation to remind them of their data protection obligations (even if they have to "remind" them multiple times!)

Between April 2022 and April 2023, the ICO fined just 7 companies for using personal data unlawfully for marketing purposes.  Over the same period, I have personally received settlements from 12 companies for the same reason - its quite a lot of work, and something the regulator should be doing instead of individuals.

No comments:

Post a Comment