Scotching Spam

March 26, 2007

Internet users are split into three categories: those that dislike spam, those that hate spam, and those few that believe that they have just won the Canadian lottery despite never having entered it. Most people, therefore, will be happy that a spammer in the UK has been sued and ordered to pay £1,368.66 to Mr Gordon Dick, who received two copies of a single spam from them.

So can we all retire and make our fortune by suing spammers? Sadly no. This case was unusual because it involved e-mail sent from an identifiable UK company which admitted sending the e-mail (and some 72,650 others), but it helps remind us what is possible.

The ‘anti-spam’ regulations

The law on spam in the UK is not much used – Mr Dick was only the second person to bring a case under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (SI 2003 No. 2426), and the first to do so in Scotland or have the value fixed by the court.

PECR has clearly not been the answer to spam, but what it does say is quite clear: s 22 prohibits the ‘transmission of unsolicited communications by means of electronic mail to individual subscribers’ unless they have consented, or a three-part test is met. That test requires that (a) the address was obtained in the ‘course of the sale or negotiations for the sale of a product or service to that recipient’, (b) that it is in respect of ‘similar products and services only’ and (c) that there was a simple means of refusing mail at the time the address was collected and on each subsequent occasion (usually as an opt-out link).

Both Transcom and Mr Dick had been subscribed to a members-only Nominet mailing list, and Mr Dick’s e-mail address had been included in Transcom’s Microsoft Outlook e-mail address file. Transcom sent their bulk e-mail to everyone who appeared in that file. Mr Dick had never been in contact with them as a client, so he argued that the first two parts of the test in PECR had not been met (he accepted that there was an opt-out link in the e-mail). Transcom disagreed, although never really explained why.

Mental distress and personal data

Mr Dick also made claims under the Data Protection Act (DPA), arguing that his personal e-mail address was personal data which had been processed without a registration with the Information Commissioner and without a valid reason under the Act. He also claimed that such use was causing him mental distress (ie annoyance and anger), the DPA being one of the few situations in which distress can be claimed for.

Ask the Sheriff

Mr Dick is based in Edinburgh, Transcom are in Henley-on-Thames, and both PECR and the DPA are UK-wide. Transcom had refused to apologise or refrain from doing it again, and challenged him to sue, so Mr Dick did. We thought it would be interesting to bring the first case in the Scottish courts and he sued in Edinburgh Sheriff Court (as the place of ‘damage’ was on his PC at home). Transcom instructed lawyers and agreed to the court mediation, but then pulled out almost immediately on leaving the court. There were offers to settle (although they refused to offer an undertaking not to spam again), but the money never came. In the end, Transcom’s lawyers stopped acting for them.

Mr Dick therefore asked the court at the next proof hearing (which was unopposed) for judgment – a Decree by Default – which was set at £750 + interest (the maximum level for a Small Claim in Scotland). A date was set for a hearing on expenses, and Transcom refused to discuss these in advance. At the hearing the Sheriff agreed that Transcom’s conduct had been such that rather than receive the maximum Small Claim expenses of £75, Mr Dick should be entitled to expenses on the scale prescribed for higher value cases, and, following a detailed assessment, awarded him £618.66.

Mr Dick is now seeking to enforce the Decree (which can be converted into a judgment for execution in England), but Transcom claim that the company involved has no assets and was only set up for promotion. Mr Dick has not given up.

Transcom’s view

Throughout, Transcom maintained that they were entirely entitled to do what they did, that they had done nothing wrong and that Mr Dick was being ‘vindictive’. In the press they now appear to present themselves as the wronged party – a victim of a litigant with questionable motives and a court case that was too expensive to defend. Having seen the process (and their various allegations and assertions) from start to finish, and their conduct of it, that is a view that is hard to endorse.

So what has this case shown?

This case shows that the law does prohibit some sorts of spam, that cases are not impossible, and that awards can be high. However, the number of special circumstances in this case which allowed it to happen also shows why the law is normally ineffective:

• Both users of the PECR have been IT professionals with legal knowledge or advice, bringing the cases on principle – the legal protection remains too complex for the average person.
• The spam was sent to various people subscribed to a Nominet list – yet Nominet and the other recipients (at business addresses) were not ‘individual subscribers’ and could not sue, nor could they ‘pool’ their right to sue to make it worthwhile.
• The sender of the spam was readily identifiable (and admitted to it). While PECR separately prohibits spam where the identity of the sender is faked, the senders of most ‘problem’ spam go to great lengths to hide the source. The data is forged, and sent from ‘zombies’ – home PCs infected with Trojans. In practice, the average person would have far more impact on spam if they turned their broadband off than by resorting to law because the time and technical investigation required is beyond their reach.
• Although Transcom were represented for part of the process, in the end this was a default judgment and not a decision on the merits, so we have no guidance on the strength of the claims under the DPA or of the court’s view of the costs of a single spam and the resultant damages. Since the actual harm from a single spam may be low (it’s getting lots of them that is a problem), the absence of statutory punitive-type damages is a disincentive. Mr Dick relied on a principle of Scots law (used in anti-discrimination cases: Purves v Joydisc Ltd sc 694/01) that damages should not be so low as to diminish respect for the policy principle at stake.
• The requirement to give an opt-out in unsolicited e-mails has a sensible purpose, but is discredited in the minds of most users as anti-spam organisations caution that these opt-out links provide spammers with confirmation that your address is live, and lead to more spam.
• Finally, the huge press interest in this case, and the positive attitude of the Sheriff to Mr Dick’s claim, suggest that people would love spam to be dealt with, but the countries where spammers have been stopped are countries where authorities have been given wide powers to act centrally – such as Australia.

And finally…

What did the spam advertise? Transcom’s anti-spam e-mail verification product – it was a spam about stopping spam…

Edward Phillips was Company Solicitor for Nominet UK at the time of the case, when he helped Gordon Dick. He has since moved to Fujitsu.
Andrew Lothian is Chief Executive and co-founder of Demys Limited.