How to complain about spam to the ICO

Normally such complaints would probably have been filed in the pending tray at ICO headquarters, but Steven J. Murdoch – whose research covers privacy-enhancing technology, internet censorship, and anonymous communications – is known for discovering several vulnerabilities in the EMV bank chip and PIN system.

Writing for the Light Blue Touchpaper newswire, Murdoch says that, while there may be an unsubscribe link on most spam, clicking on it actually tells the spammer that your address has a real person behind it, and might actually encourage them to send more spam.

Things, he notes, are different if the sender of spam is in the UK, because then they might have violated the Privacy and Electronic Communications Regulations (PECR), and you can complain to the ICO.

“The process isn’t fast, or particularly easy, and there are plenty of ways the ICO can avoid investigating, but it can get results”, he says in his latest posting on the newswire.

“The last time I went through this process was regarding a PR agency which was sending me repeated emails despite me asking to unsubscribe. I sent the complaint to the ICO in November 2010, and it took over two months for them to deal with it, but the ICO did conclude that based on the information available, the PR agency did violate the PECR”, he said.

“At the time, the ICO didn't have powers to punish an organisation for PECR violations but they did remind the agency of their obligations. I was finally unsubscribed from the list and the PR agency even sent me a box of muffins as an apology”, he added.

Prior to this, Murdoch reports that he complained about an online DVD rentals company, for similar reasons, but the ICO initially refused to invoke the PECR, claiming that, if you work for or attend higher education – and are receiving unsolicited marketing emails to a university email address – the PECR does not apply.

The ICO did, however, say that if someone's name is identifiable from their email address, then the sender is processing personal data and thus is covered by the Data Protection Act.

“I could therefore ask the company to unsubscribe me (which I had done), and if they continued to send me email after 28 days I could complain to the ICO again”, he noted.

“In fact, the email address to which I was sent the spam was my personal address (I did however send the complaint from my university address), which I told the ICO. The ICO then wrote to the company reminding them of their obligations. I never received further emails from the company so it probably worked, but I didn’t get any muffins or even an apology from them”, he said.

But now here's the good news, Infosecurity notes, as Murdoch says that the ICO can now fine organisations up to £500,000 for very serious breaches of the PECR – “although as far as I can tell the ICO has never done so”.

“Hopefully this will encourage organisations to take their obligations seriously”, he said, adding that he has sent the ICO a further complaint. He also points out that instructions on how to do this yourself are now available on the regulator's website.


