Saturday 2 July 2011

Recent SPAM campaigns – fair obtaining, or dodgy dealing?

Some of Fleet Street’s finest journalists are writing about a data protection story that could shake some of the more established tenants of data protection law to its core. Lots of people have received messages suggesting that they have had a recent accident and might wish to seek compensation. This British SPAM saga, which has given me plenty of material to blog about recently, is reaching an interesting stage. More and more details of the people behind the recent campaigns are coming to light. And, from what I can tell, the investigative journalists have been trying hard to understand just who benefits from these practices. I bet that not a single voicemail was hacked as the journalists tracked their suspects. Good, old fashioned techniques seem to be paying off, instead.

There are some rumours that it is people within the insurance industry itself who may be behind some of the messages, inviting people to claim compensation for injuries they may recently have received. How can this be the case? When I studied for my professional insurance qualifications, the first lesson I learnt was that insurance law incorporated the concept of uberrima fides – they were contracts of utmost good faith. This means that all parties to an insurance contract are to observe the highest ethical standards. It’s not like a normal contract, where the concept of caveat emptor (let the buyer be aware), figures.

So, if it is the case that the details of potential victims of an accident have had their details shared with third parties, just how have they given their explicit consent to the sharing of this sensitive personal data? I’m sure that teams of highly paid lawyers have been on hand to advise how this is the case - even though the victims themselves may not have been aware of having given any consent.

Let’s be clear about this. Insurers know what their data protection obligations are. They have a well resourced trade body (the Association of British Insurers), and its Data Protection Panel has always been comprised of some of the most highly experienced and ethical people in the business. If any advice offered by the ABI’s Data Protection Panel has been wilfully ignored by others in the insurance business, well then we’ll soon see whose going to be accountable for that.

Communication service providers don’t condone these practices, and try to do whatever they can to prevent it. They’ll all be taking a good look at their current systems soon, to work out whether any other form of collaboration is required to protect their customers from such mischief.

The journalists have a great sense of timing – in just over a week, many of the usual data protection suspects will be gathering at St John’s College, Oxford for the 24th annual conference organised by Privacy Laws & Business. Representatives from the insurance industry, consumers, European and International regulators will gather for 3 days of intensive and stimulating debate. Statements will be made, either on the conference floor, in the college bar or on a punt (I kid you not, this conference includes complementary punting) about this mischievous practice. Those behind these dodgy campaigns will soon realise how foolish it was to behave in this way, just at a time when the European Commission was trying to identify popular targets to hit when tweaking the Data Protection Directive.

If the current rules and remedies don’t appear to be sufficiently capable of deterring such shoddy behaviour, it’s possible that the new ones will. But just what else the new rules snare as the Commission strains to catch this particular type of mischief won’t be clear for some time.

I don’t think these dodgy dealers could have picked a worse time (for them) to misbehave.