UK regulator wants powers to stop the spammers

'Inadequate and impractical'


The Office of the Information Commissioner (ICO), enforcer of the UK's main anti-spam laws, has received around 600 spam complaints in the past 12 months. But it has taken no legal action, in part because its powers are inadequate and impractical.

OUT-LAW spoke to Caroline Monk, Casework and Advice Manager with the ICO, following the publication of Information Commissioner Richard Thomas's annual report this week. The report shows that Mr Thomas's team successfully prosecuted 12 cases in the year ended 31st March 2005, though none of them involved spammers.

All of these cases were under the Data Protection Act and concerned either failures to notify the ICO of data processing (a basic requirement that affects most organisations), or unlawful obtaining of personal data without the consent of the data controller (cases that tended to involve dishonesty, not ignorance or carelessness). Most sentences were fines – ranging from £70 to £1,600. Three sentences were conditional discharges – two of 12 months, one of 18 months.

Nobody faced legal action for other matters within the remit of the ICO, such as failing to display a data protection notice, using cookies on a website without notifying users, or sending spam in breach of the Privacy and Electronic Communications Regulations. But that is not to say that no action was taken.

The number of enquiries about websites is quite low and, of those received, cookie enquiries appear to outnumber other website data protection and privacy issues. Figures are not available, but Ms Monk said that online matters were mostly requests for compliance advice from organisations, rather than user complaints.

A few complaints have been made over missing privacy notices and missing information about cookies; but Ms Monk said they tend to be easily dealt with, by approaching the website operator. Amends tend to be made in response to such approaches. As long as a website explains its use of cookies in its privacy policy and how to control them, and as long as that privacy policy is easily located, the ICO will be satisfied. "You shouldn't have to dig to find out about cookies on a website," said Ms Monk. (For more on cookie compliance, see OUT-LAW's sister site, AboutCookies.org).

Ms Monk said that roughly 50% of the spam complaints received by the ICO were outside the scope of the Regulations. The Regulations came into force on 11th December 2003 – meaning this is the first annual report to cover a full year of their operation. By comparison, data protection legislation in the UK is 21 years old.

Most email to corporate email accounts will not fall foul of the law, nor will email that is sent where there is an existing customer relationship. Overseas senders – responsible for most spam – also escape the ICO's attention, as do those who simply cannot be identified from the offending email.

Ms Monk said there were "less than 600" spam complaints in total. So only around 300 complaints were made that Ms Monk's team could actually deal with. They are not ignored, however. Most of them concern reputable companies that made an innocent mistake, such as failing to action an unsubscribe request. The ICO will write to these organisations. "We do get a very high success rate with these companies suppressing the email address when we approach them," she said. And it seems that further action is seldom necessary.

But clearly some complaints target less scrupulous email marketing activities – and these organisations tend to ignore the warning letters. This is where the ICO wants greater powers of enforcement. The ICO cannot fine a spammer; it cannot even stop a spammer effectively.

Ms Monk said: "The powers we've got are not appropriate for the nature of the Regulations. We have to supply a preliminary Enforcement Notice before we can issue a formal Enforcement Notice. That Enforcement Notice can be appealed. It costs nothing to appeal the Notice and most of them are appealed. At that point, our action is suspended for an Information Tribunal to be convened."

Ms Monk described a case she handled where enforcement action was taken against a company that was sending unsolicited faxes. "We waited nearly a year just for the tribunal to be convened," she said. In the meantime, the company was able to continue its unlawful activities.

She explained that the ICO had lobbied the Department of Trade and Industry for more immediate powers. "We want something like the Stop Now Orders," she said.

Consumer protection bodies like the Office of Fair Trading already have the power to apply to the civil courts for Stop Now Orders, which can be used to force an unscrupulous trader to cease trading immediately. Failure to comply with a Stop Now Order is treated as a contempt of court and is punishable by an unlimited fine or imprisonment. But the ICO does not share these powers.

The ICO also wants better information gathering powers, like those enjoyed by Ofcom, which would help to identify the company behind spam email. "We can approach an ISP and ask for the identity of a sender. Under the Data Protection Act, they are allowed to tell us; but they are not compelled to do so," Ms Monk explained.

The ICO issued only three Enforcement Notices this year, all of which concerned irregular police activities. In dealing with spam, there were no Enforcement Notices or even preliminary Notices.

Ms Monk admitted that the reason for this is that the ICO has to be realistic in deciding what to do about a complaint against an uncooperative spammer. She said that the number of complaints received represents a tiny proportion of the total volume of spam that lands in our inboxes, and those complaints that are not resolved informally represent an even smaller proportion. Taken together with the limited enforcement powers, this makes it very difficult to take effective action.

"The powers are appropriate for the Data Protection Act," she said. "They are not appropriate for the Regulations."

It is not the first time the ICO has said this. In last year's annual report, Richard Thomas wrote, on the subject of spam: "…our existing powers are inappropriate. They do not allow us to take decisive action against those who continue to send unsolicited marketing material."

He noted at the time, July 2004, that the DTI was reviewing these powers, "to explore the possibility of providing us with some form of injunctive power which will enable us to take swift effective action." But it seems that nothing has changed. The ICO's lack of powers is believed to be among the reasons for the European Commission considering European court action against the UK Government (see: UK's Data Protection Act might not meet European Union standards, OUT-LAW News, 19/05/2004).

Meantime, the ICO has made its own internal changes. A major re-structuring has taken place, largely attributable to the massively increased workload of the ICO as a result of the Freedom of Information Act coming into force in January. It is reflected in the report's statistics: there were 11,664 cases received in 2003/2004, and 19,460 cases received in 2004/2005.

The new structure includes a new 20-person Regulatory Action Division that is charged with investigations and enforcement. Until now, the ICO has only been reactive. Assistant Commissioner David Smith told OUT-LAW that the new Division "will allow us to go out and make checks for compliance, not just act on complaints." He added that it will help to bring important cases to a successful conclusion more quickly.

But for as long as the ICO's powers remain unchanged, these cases seem unlikely to trouble the spammers.

See: Information Commissioner's Report, July 2005 (64-page / 1.1MB PDF)

See also: Information Commissioner publishes annual report, OUT-LAW News, 14/07/2004

© Pinsent Masons 2000 - 2005
