The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).
The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two piece of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.
I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.
The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that emails addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what happened if this didn’t). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.
To use the email address for political marketing is a new purpose, so the LibDems would either need to tell students that their email addresses were being harvested (which they didn’t), they would need an exemption from fair processing (which they don’t have) or they would need to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.
The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs“, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt-out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.