Off topic: DPA question

Andrew Cormack Andrew.Cormack at
Tue Jun 17 10:47:09 BST 2014

> -----Original Message-----
> From: ukcrypto-bounces at [mailto:ukcrypto-
> bounces at] On Behalf Of Derek Fawcus
> Sent: 16 June 2014 15:00
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Off topic: DPA question
> On Mon, Jun 16, 2014 at 07:53:04am +0000, Andrew Cormack wrote:
> > But the question was also about e-mails and there the PECR has a separate distinction between
> > the addresses of "individual subscribers" and "others". The PECR, still transposing the original,
> > unamended, Directive, only restricts sending of unsolicited advertising e-mail to individual subscribers.
> > If you aren't an IS - for example because your company pays the bill (or, as far as I can see,
> > your parent or significant other does) then PECR doesn't protect you from spamming, only DPA does :(
> You might wish to read about Adrian Kennard's battle on the 'individual subscriber' front,
> he seems to have taken the position that unless the sender knows the address is _not_
> an individual subscriber, they must not send such; and that usually the sender can not
> know that.
> (some of the above are telephone,  some email)
> .pdf

<grin/> I've both read it and heard about it from Adrian over dinner!

Since the law for individual subscribers is that they can only be sent unsolicited advertising material after they have taken some positive action ("soft opt-in"), it seems logical to me that the sender must know either that someone isn't an IS, or that they are and have taken the required action. Otherwise you simply re-create an opt-out (as for phone or text marketing) where it's OK to spam someone until they tell you that they are an IS.

From a quick look at the ICO's 'what we are doing' pages, it doesn't seem as if they've done any enforcement specifically on e-mails yet (either under the PECR or DPA). The actions I see mentioned either related to sending phone or SMS to people who have actively opted out by joining TPS, or to processing personal data without being registered with the ICO.

And as far as I recall the successful private actions have been for not ceasing processing when ordered to, so again avoiding this unclear area of law.

