Many weeks ago, a BNP Activist contacted the Information Commissioner's Office, after it was revealed that Tower Hamlets Primary Care Trust had paid out £87,879 on interpreters' fees for the year 07/08. Super BNP Activist Guiseppe de Santis sent the following e-mail:
I'm writing to you because there is something I want to bring to your attention. Recently it was reported that a company has been hired to campaign against the British National Party: http://www.guardian.co.uk/politics/2009/jan/26/bnp-obama-griffin-european
The reason I wrote to you is because of the strategy this company plans to use:
As part of the first stage of their campaign, BSD and Searchlight have sent out emails to thousands of supporters asking each one to pass on the email to five friends and make a small donation.
The software means campaigners can then track who opens the emails, where they are sent and what happens when they arrive at the other end. They can then tailor future emails to groups and individuals.
I wish to bring your attention to that software, which can track who opens those emails and can tell them if those who receive them reply to other people. Now I would like to know: is this technology legal?
It seems to me that they can hack into other people's computers in a way that is more similar to a giant big brother. As far as I know only the Police and the secret Services can do this, and actually there are concerns about the way this system is abused.
My request is not just of a political nature: if we allow a company to use this system for a political campaign, how can we prevent other companies who want to use it to track consumers' habits from doing the same, and prevent abuse? I hope you can look at it.
Guiseppe de Santis
Thankfully Mr de Santis got a reply from the ICO.
Case Reference Number ENQ0231619
Dear Mr Santis
Thank you for your enquiry of 26/01/09 in which you have brought our attention to the political campaign being carried out via email by Searchlight/BSD.
Please accept my apologies for the delay in replying to you, our office is currently dealing with large volumes of work. This has meant that we have been unable to deal with incoming correspondence as promptly as we would like.
As I understand it, Searchlight/BSD have sent out emails to thousands of their supporters as part of a political campaign against the BNP. These emails ask the supporters to forward the correspondence on to five other people. As the software used by Searchlight/BSD enables them to track the recipients of the forwarded emails they are then able to obtain details about those individuals.
The 1st Principle of the Data Protection Act states that personal information must be fairly and lawfully processed. In practice, fair and lawful processing means an organisation may not process an individual’s personal information in a manner which is not in the reasonable expectation of the individual.
In this case it appears that Searchlight/BSD have effectively been collecting the details of the recipients of the forwarded emails without their knowledge and consent. These individuals will not be aware that their information has been collected nor will they know the purposes for which it will be used. On the face of it this appears to be a breach of the 1st Principle. However Schedule 1, Part II of the Act also says that it is the duty of the processor of the information to provide fair processing details ‘… so far as practicable…’.
Where a data controller has obtained a very large number of email addresses in the course of their marketing activities then it may be that it is simply not practicable for them to be able to go back and contact each and every one of those individuals to provide them with fair processing information about how their data is going to be used.
In this case we would probably take the view that Searchlight/BSD could not be reasonably expected to contact the thousands of individuals involved to provide fair processing information as this would involve a disproportionate amount of effort. In addition, as the purposes for which Searchlight/BSD have collected the data do not appear to be, on the face of it, unlawful, (the purpose being to promote their political views) then it is unlikely that we would consider there to have been a breach of the 1st Principle in this case.
Although the purposes of Searchlight/BSD’s processing may be in line with the DPA, the method they have used to collect the data does raise issues with regards to the Privacy and Electronic Communications Regulations 2003 (PECR).
Regulation 22 of the PECR states that you cannot ‘transmit or instigate the transmission of’ marketing by email unless the recipient has previously ‘notified the sender they consent’. The specific wording of Regulation 22 makes viral marketing difficult to achieve in compliance with the Regulations.
There is a soft opt-in where organisations can send marketing without the explicit consent of the recipient. For the soft opt-in to apply the organisation will have to have obtained the contact details of the recipient in the course of a sale, the marketing must be of similar products and the recipient must be given a simple means of opting-out when their details are collected and in every subsequent correspondence. Again, it is difficult to see how the soft opt-in could apply when considering viral marketing.
As stated in our guidance* on this issue, there are two types of viral marketing. In the scenario where a marketer asks an individual to forward their emails to other people there is a strong chance there will be a breach of Regulation 22. This is because the organisation would have to trust that the person passing on the emails had obtained the consent of the other individuals. Often, this will not be the case and by sending these people marketing emails without their consent a breach of the Regulations is likely to occur.
Depending on the content of the email, but assuming that it is marketing an organisation's products in some way, the organisation will still be seen as the ‘instigator’ even if they do not send the email directly. (An instigator under the Regulations is defined as the organisation whose goods or services are being promoted.) Therefore, even though an organisation may not be directly marketing someone they are still responsible under the Regulations. This is similar to situations where organisations employ third party marketing companies to conduct marketing campaigns on their behalf – both the marketing company and the original organisation are responsible for ensuring compliance with the Regulations.
It would have been best practice for Searchlight/BSD to ensure that when they asked individuals to send emails on to their friends they employed some form of checking procedure to ensure consent had been obtained. It may be that they could have asked the supporters to confirm their friends' consent before they sent the email on to them. However, clearly it could be difficult for them to get any guarantees that consent had actually been obtained.
In summary, it appears likely that Searchlight/BSD may have breached the PECR regulations through viral marketing by instigating the sending of emails to individual subscribers who have not consented to receiving their marketing.
I hope that this information has answered your enquiry and if I can be of any further assistance please let me know.
To complain about, click here and watch The Green Arrows Blog for updates on this story