Microsoft v McDonald – loving it?

(This was going to be an edit to today’s post on wonderful spam, and a sibling to the coverage of Data Protection Day, but it turned into a longer piece, so I’m posting it as a standalone entry).

Not long after posting about spam, I picked up (via the Tech News Review feed) this story from Friday’s Times, a report of a case (Microsoft v McDonald, 12 December 2006, Levinson J in the High Court, Chancery) from the tail end of 2006…where Microsoft took on the spammers and…well, IPKat has a good summary, so over to them:

Microsoft normally protected Hotmail subscribers against spam by setting up its own ‘target accounts’, which it used as decoys to catch spammers. Throught this system, Microsoft discovered a business trading as BIZADS that operated a website offering to sell database lists containing a large number of email addresses. Information on the website indicated that the email account holders on the lists had either opted to receive marketing communications or had not indicated that they did not want to receive the communications. However, a high proportion of people who received emails from purchasers of BIZADS database lists complained that they were receiving unsolicited mail.

You can’t make this stuff up. Microsoft sues (making use of the (European) Directive on Privacy and Electronic Communication, 2002/58/EC), but apparently in its capacity as – well, we dunno. The Times indicates that the case means that ISPs (Microsoft or even MS Hotmail is hardly an ISP as the public understands the term, but that’s what the Times said..) can make use of the anti-spam provisions of 2002/58. The IPKat report is more detailed, but hints in a narrower direction. There’s no report out there, that I can find.

Matthew Arnold & Baldwin’s ‘Upload IT’ newsletter sez:

The High Court awarded summary judgment as the defendant had no real prospect of defending the claim. Interestingly, the Court clarified that Microsoft had a cause of action under the Regulations as it fell within a class of people intended to be covered by the 2003 Regulations. Microsoft was awarded damages and an injunction to stop further transmission of unsolicited emails to Hotmail accounts.

The regulations being the implementation of the Directive through the Privacy and Electronic Communications (EC Directive) Regulations 2003. Could this all be true? Is this a good thing for overspammed customers or a worrying jump towards seeing spam as a purely economic problem rather than a privacy-related one? Did the European directive really intend to cover the hassle caused to Microsoft – and if it did, should we care?


3 thoughts on “Microsoft v McDonald – loving it?

  1. In response to Keith’s question, and for general info:

    Ireland transposed the European directive (2002/58) in SI 535/2003: the relevant section is

    A person shall not use or cause to be used any publicly available electronic communications service to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, who is a natural person, unless the person has been notified by that subscriber that for the time being he or she consents to the receipt of such a communication. (s 13(1)(b))

    and for business addresses

    A person shall not use, or cause to be used, any publicly available electronic communications services to send an unsolicited communication for the purpose of direct marketing by means of electronic mail, to a subscriber, other than an individual, where the subscriber has notified the person that the subscriber does not consent to the receipt of such a communication on the line. (s 13(3))

    So basically it’s opt-in for individuals/natural persons (private addresses, most probably) and opt-out for legal persons.

    There are various exclusions, the main one being that a company that has collected addresses can use them for certain in-house purposes (similar to data protection law generally). The main difference between the UK and Irish situatons is that, to the best of my knowledge, no-one has sued the spammer in Ireland, although of course you can rely on the Data Protection Commissioner (who can bring summary proceedings for the offence). A couple of people have been done this way already (mobile phone spam, mainly).

    In the UK, s. 30(1) of the regulations implementing the directive says: “A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage.” while our regs say: “A person who suffers loss and damage as a result of a contravention of any of the requirements of these Regulations by any other person shall be entitled to damages from that other person for that loss and damage”

    Reasonably similar, and any differences are just in the peculiarities of Irish tort law rather than anything more sinister, I think. Obviously note that the DPC can go after you for a prima facie breach (but not jail you – it’s just fines for now), whereas the sue-for-damages option (which applies to anything in the regulations, ie not spam-specific) requires some actual loss/damage.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s