
Question

Cork Printing Supplies stock a wide range of computer print and ink cartridges, which they
sell at their shops throughout the Munster Region.  They supply both individual consumers
and business customers.  They have recently been approached by Direct Marketers Ireland,
who offer to sell them a list of over 100,000 e-mail addresses within *.ie domains, with a
view to sending out advertisements for their products.  Cork Printing Supplies are eager to
reach more potential customers, but have seen various newspaper articles about legal control
of spam and are anxious about the legal risks they may be running.  

Write a memorandum advising Cork Printing Supplies as to:- 

a) What guarantees it would be prudent to request from Direct Marketers Ireland as to the
origins of the list   
b) Their obligations under data protection law if they send out advertising to those addresses
c) The legal consequences if they were subsequently found to be in breach of data protection
law.   

Answer

MEMORANDUM

To:

From:

Re: Cork Printing Supplies on the purchase of email list from Direct Marketers Ireland

Date:

a) Assignment

To comprehensively advise Cork Printing Supplies on the legal and regulatory aspects of
online direct marketing in order to insulate themselves from adverse effects of engaging in
that marketing model.

b) Issues to be deliberated on

Should Cork Printing Supplies seek guarantees as to the source of the email list that
Direct Marketers Ireland would like to hand over for advertisement purposes?

What are the obligations of Cork Printing Supplies under data protection law if they opt
to use the email list obtained from Direct Marketers Ireland?

Consequently, what are the potential legal repercussions for contravening data protection
laws pertaining to direct marketing?

c) Legal perspective

i. Guarantee on the source of the emails

The Data Protection Act, which is the principal legislation governing direct marketing,1
stipulates that information obtained and intended for direct marketing must satisfy a set of
principles outlined in the statute. To begin with, institutions, whether for commercial
purposes or otherwise, must obtain and handle personal data in an equitable and legal manner.
Consequently, these institutions are obligated to adequately inform persons that they intend
to use their information for marketing purposes. Equally, the institution must inform the
concerned individuals that it intends to transmit such information to third parties and
obtain consent before commencing.2 Importantly, these institutions must desist from acts
that may unreasonably cause harm to the persons whose information they are handling.

After obtaining consent, the concerned institution must confine itself to the intended
purposes.3 It must not abuse the consent given and proceed to use the information in a
manner inconsistent with the intended purpose.4 Therefore, if the information was collected
for a purpose other than marketing, it should not be used in that context. Similarly,
undertakings must guarantee that the personal information collected is not only precise but
updated. Dealing with data that is considered obsolete and inaccurate directly contravenes
the Data Protection Act.

1 Section 11(3) of the Data Protection Act 1998; see also regulation 2(2) of Privacy and
Electronic Communications Regulations 2008
2 Nancy King, “Direct Marketing, Mobile Phones, and Consumer Privacy: Ensuring Adequate
Disclosure and Consent Mechanisms for Emerging Mobile Advertising Practices” (2008) 60:2 (4)
Federal Communications Law Journal, 229, 233
3 Steven Johnson, “Legal Aspects: The Impact of Privacy and Data Protection Legislation of
the Sharing of Intrusion Detection Information” in Wenke Lee, Ludovic Me and Andreas Wespi
(eds.) Recent Advances in Intrusion Detection: 4th International Symposium, RAID 2001 Davis,
CA, USA, October 10-12, 2001 Proceedings (Springer, 2003) 162
4 Davinia Brennan, “Unsolicited Marketing Rules —How to Comply” (2015) 7:1 DATA PROTECTION
IRELAND, 1,1

The Data Protection Act5 expressly empowers concerned individuals to object to their
personal information being processed for direct marketing.6 Equally, such an individual
needs to issue a written notice prohibiting the use of their personal data for direct
marketing purposes. Thereupon, undertakings are under strict liability to cease the use of
any private data obtained for direct marketing. In addition, the undertakings are not under
any legal obligation to reply, but acknowledging that they will cease using such data for
direct marketing purposes will signify good conduct.

Even though the legislation does not give time frames as to when the undertakings are
supposed to cease the use of private data, the common law principle of reasonableness
shall apply (Ian Lloyd(2) 146).7 With this in mind, the legislation proposes a limit of
twenty-eight (28) days. Conversely, the Data Protection Act will be inapplicable if the
personal data has been obtained randomly and the undertaking is unaware of whom this
information belongs to. However, as a caveat, the Privacy and Electronic Communications
Regulations will still be applicable even if the details were randomly obtained and their
owners are unknown.

As stated above, the Privacy and Electronic Communications Regulations are in pari materia
with the Data Protection Act when dealing with issues of direct marketing (Regulation 4 of
PECR). Additionally, the Privacy and Electronic Communications Regulations adopt a broader
spectrum in matters of direct marketing, as illustrated in the case of Scottish National
Party v Information Commissioner.8 For instance, the Privacy and Electronic Communications
Regulations will regulate both inter-business marketing and marketing to final consumers.
Thereupon, commercial institutions are under strict liability to comply with the Privacy and
Electronic Communications Regulations if they intend to handle personal data intended for
direct marketing.9

5 Sec 11 Data Protection Act 1998
6 Ian Lloyd, Information Technology Law (Oxford University Press, 2011) 110
7 Ian Lloyd, Cyber Law in the United Kingdom (Kluwer Law International, 2010) 146

As a matter of fact, institutions are barred from electronically sending unsolicited marketing

information. The prohibition assumes a higher degree if an objection has been tendered.

Notably, the commercial undertakings must obtain express consent before electronically

transmitting such information. Concurrently, the institution that is handling such data must

also furnish contact details to individuals who may wish to opt out of the direct marketing.

Additionally, there are other legal instruments that govern the practice of direct marketing.
To illustrate, the Communications Act 2003 stipulates that public electronic communications
must be used fairly. Correspondingly, the Direct Code of Practice published by the Direct
Marketing Association outlines the ethical conduct governing direct marketing and advocates
for fair usage of information obtained. Similarly, the UK Code of Non-broadcast and Direct
Marketing also regulates direct marketing on the aspect of advertisement. Likewise, the
Consumer Protection from Unfair Trading Regulations 2008 prohibit the use of certain
marketing practices that are not equitable, such as unsolicited advertising.

ii. Obligations of Cork Printing Supplies on the use of emails

Fundamentally, the third party must first determine that the personal information presented
to them was solicited for a specific purpose. The Data Protection Act allows undertakings to
use solicited personal information for direct marketing purposes, whereas the Privacy and
Electronic Communications Regulations demand that such solicitation must be specifically
obtained for it to be valid. Moreover, the Privacy and Electronic Communications Regulations
will still apply even if there was a voluntary ‘opt in’ and messages are sent that are
inconsistent with the earlier intended use.

8 [2006] EA/2005/0021
9 Sushma Mishra and Amita Chin “Assessing the Impact of Government Regulation on the IT
Industry: A Neo Institutional Theory Perspective” in Ramesh Subramanian (ed.) Computer
Security, Privacy, and Politics: Current Issues, Challenges, and Solutions (Idea Group Inc
(IGI), 2008) 44

Notably, if such information is obtained from another institution, it is critical for the recipient

of the personal data to ascertain if a valid consent was obtained in the creation of the list. To

determine the validity of the consent the recipient of such information must ensure that the

consent was obtained freely without undue coercion, incentives or threat of being penalised

for not ‘opting in’. Thus, the recipient must confirm that the information obtained was as a

result of free subscription.10

In addition, the recipient of such information must ensure that the information was obtained
for the purposes of direct marketing and not any other use that is contrary to the
expectations of the information owners. Additionally, the subscribers must have been clearly
informed and they must have consequently and consciously consented. A mere acceptance is not
sufficient, as the recipient must look into how the information was disseminated. Similarly,
the recipient must weigh the options that were available to the subscribers whose data it
intends to use. If the concerned individuals were not presented with a viable option during
the ‘opting in’ and the ‘opting out’ has not been made easy, then the consent has not been
obtained freely.

iii. Legal consequences for contravention of data protection law

The Information Commissioner’s Office is tasked with the enforcement of the provisions of
both the Data Protection Act and the Privacy and Electronic Communications Regulations.
Firstly, once a direct marketing provision has been contravened and the contravention
reported to the Information Commissioner’s Office, it would issue an Enforcement Notice. The
issuance of the Enforcement Notice is to enable the alleged offender to reverse the action
that led to the contravention. Consequently, if the Enforcement Notice is not complied with,
then criminal sanctions will be preferred.11

10 Thomas Maronick, “Do Consumers Read Terms of Service Agreements When Installing Software?
A Two-Study Empirical Analysis” (2014) 4:6 International Journal of Business and Social
Research, 137, 144

Correspondingly, the Information Commissioner’s Office may impose fines up to £500,000 for
severe contraventions. Nevertheless, such punitive penalties are reserved for those
undertakings that consistently elect to blatantly disregard objections to their direct
marketing practices, such as direct contravention of the principles outlined in the Data
Protection Act.

d) Recommendations

In order for Cork Printing Supplies to insulate itself from the adverse effects of
contravening legal instruments that govern direct marketing, it must ensure that the email
list it purchases from Direct Marketers Ireland is compliant. To begin with, Cork Printing
Supplies needs to make sure that the owners of the email addresses were sufficiently informed
that their emails would be used for direct marketing and could be sold to third parties.

Equally, Cork Printing Supplies must establish that the owners of the email addresses have
consented to the use of their email addresses for purposes of direct marketing and to their
subsequent sale to third parties. Further, Cork Printing Supplies must ensure that the email
addresses that Direct Marketers Ireland intends to sell to them are not only accurate but
also updated, as anything short of this is inconsistent with the Data Protection Act.

In the same fashion, Cork Printing Supplies must take cognisance of any objections filed by
the owners of any email address supplied by Direct Marketers Ireland. Oversight should be
exercised especially if there is a written objection pertaining to the use of any email
address presented. Cork Printing Supplies must ensure that the use of such email addresses
has been suppressed or ceased.

11 Law Commission of United Kingdom, Law Commission: Data Sharing Between Public Bodies - A
Consultation Paper No 214 (The Stationery Office, 2013) 37

Equally important, the buyer must ensure that the use of any email address to which an
objection has been made has been ceased and suppressed. Cork Printing Supplies must realize
that the legal instruments do not necessarily provide for immediate cessation and
suppression, opting instead to rely on the common law principle of reasonableness.
Thereupon, Cork Printing Supplies must ensure that objections are addressed in good time.
Moreover, there is no legal obligation to reply in case there is an objection, but it shall
be considered good practice to acknowledge compliance with the objection.

Likewise, the intention of wanting to buy the email addresses from Direct Marketers Ireland

is immaterial as it does not have to be for commercial purposes. Notably, Privacy and

Electronic Communications Regulations provisions shall apply in inter-business transactions

that involve handling of personal information such as email addresses.

Fundamentally, Cork Printing Supplies must take it upon itself to determine how Direct
Marketers Ireland handled the list. Importantly, Cork Printing Supplies must ensure that
there was a voluntary ‘opt in’ consistent with the prescribed intended use.

Critically, Cork Printing Supplies must ensure that the owners of the email addresses that
Direct Marketers Ireland intends to sell have validly consented. Therefore, to determine
this, Cork Printing Supplies must ensure that the email owners were neither unduly coerced
nor offered incentives to give their email address. Equally, Cork Printing Supplies must
ascertain that there were no threats of being penalised for not ‘opting in’. Moreover, Cork
Printing Supplies must ensure that conscious consent was freely rendered and that Direct
Marketers Ireland has not acted inconsistently with the expectations of the email
subscribers.

Cork Printing Supplies is under strict obligation to comply with the governing provisions of
direct marketing. Thus, it must ensure Direct Marketers Ireland has fully complied. It is of
great importance that Cork Printing Supplies adhere to any Enforcement Notice issued by the
Information Commissioner’s Office regardless of the origin. This is because dire
consequences could befall Cork Printing Supplies for failing to comply. The Information
Commissioner’s Office often prefers criminal sanctions against undertakings that contravene
direct marketing provisions as stipulated under the relevant legal instruments.

e) Conclusion

Having taken into consideration the legal and regulatory framework regarding direct
marketing, Cork Printing Supplies must endeavour to vet the email addresses it seeks to buy
from Direct Marketers Ireland. Significantly, Cork Printing Supplies must ensure that the
email addresses were obtained validly and handled with utmost reasonableness. Additionally,
it must not abuse the consent given by the email address owners. Furthermore, it should
endeavour to update such information in order to comply with the relevant legal provisions.

Cork Printing Supplies must also adhere to subsequent objections from the email subscribers
and Enforcement Notices originating from the Information Commissioner’s Office. Blatantly
ignoring such objections and Enforcement Notices would make Cork Printing Supplies criminally
liable for contravening direct marketing regulations.


Bibliography

Primary sources

Cases

Scottish National Party v Information Commissioner [2006] EA/2005/0021

Statutes and statutory instrument

Data Protection Act (chapter 29) 1998

The Consumer Protection from Unfair Trading Regulations 2008

Communications Act 2003

Secondary sources

Books

Hedley, S., The Law of Electronic Commerce and the Internet in the UK and Ireland

(Psychology Press, 2006)

Johnson, S., “Legal Aspects: The Impact of Privacy and Data Protection Legislation of the

Sharing of Intrusion Detection Information” in Wenke Lee, Ludovic Me and Andreas Wespi

(eds.) Recent Advances in Intrusion Detection: 4th International Symposium, RAID 2001

Davis, CA, USA, October 10-12, 2001 Proceedings (Springer, 2003)

Lloyd, I., Information Technology Law (Oxford University Press, 2011)

Lloyd, I., Cyber Law in the United Kingdom (Kluwer Law International, 2010)

Mishra, S. and Chin, A., “Assessing the Impact of Government Regulation on the IT
Industry: A Neo Institutional Theory Perspective” in Ramesh Subramanian (ed.) Computer
Security, Privacy, and Politics: Current Issues, Challenges, and Solutions (Idea Group Inc
(IGI), 2008)

Journals

King, N., “Direct Marketing, Mobile Phones, and Consumer Privacy: Ensuring Adequate

Disclosure and Consent Mechanisms for Emerging Mobile Advertising Practices” (2008)

60:2 (4) Federal Communications Law Journal, 229-324

Brennan, D., “Unsolicited Marketing Rules —How to Comply” (2015) 7:1 DATA

PROTECTION IRELAND, 1-3

Maronick, T., “Do Consumers Read Terms of Service Agreements When Installing

Software? A Two-Study Empirical Analysis” (2014) 4:6 International Journal of Business

and Social Research, 137-145

Policy and command papers

Designated Market Area (DMA) Direct Code of Practice 2014

United Kingdom Code of Non-broadcast and Direct Marketing 2014

Law Commission of United Kingdom, Law Commission: Data Sharing Between Public

Bodies - A Consultation Paper No 214 :(The Stationery Office, 2013) A Consultation Paper
