[cooperation-wg] SMTP forwarding in the face of Data Protection Directive

On 18 May 2011, at 19:56, Alessandro Vesely wrote:

> How is the data subject's consent acquired?

Consent for what? Joining the list? Receiving and posting messages?  
Being moderated or cross-posted to a newsgroup?

> In response to the Data Protection Directive, operators should have  
> defined a protocol for obtaining and keeping proof of the consent.   
> It never happened.  In
> facts, it is very difficult to introduce new protocols for email.

I think we need to be careful to avoid confusing each other. For the  
purposes of this discussion, "protocol" should mean an IETF  
specification. Let's use "process" to mean "protocol for obtaining and  
keeping proof of the consent" ie not an IETF protocol. A dictionary  
definition of protocol would include this "process" definition, but  
let's not use the same word for different things. List managers may  
need a process to show they have user consent. This might but probably  
won't need a protocol such as yet another tweak to SMTP. At least I  
hope it won't need that.

With that clarification out of the way, the consent you ask about is  
probably implicit: eg your employer puts you on company mailing lists  
as a condition of employment or it's your job to join certain (public)  
lists. In other cases, the act of joining a mailing list implies  
consent. If you don't want the list to process your Personal Data  
(email address), don't join it. In other cases, consent may be  
inherited from other terms and conditions: eg your ISP or registrar  
puts you on some mailing list for management of your account or  
whatever and you agree to that as a part of doing business together.

I am not a lawyer and don't play one on TV. However I have dealt with  
Data Protection issues and had too many non-trivial discussions with a  
DPA, the UK Information Commissioner's Office. [ICANN gTLD registry  
contracts and whois, if anyone cares... The scars have nearly healed  
in case any of you are asking.] The short answer to how your SMTP  
concern plays out will depend on the view of your DPA. So ask them. Or  
ask your lawyer first and then ask the national DPA.

I would be surprised if there was unanimity or even consensus amongst  
the EU DPAs on this topic, assuming they have considered this issue in  
WP29. And yes, I realise this is underpinned by a couple of EU  
Directives. But how these get enacted and enforced in national law  
differs from country to country. Then there's the question of how the  
national DPA sees its responsibilities and priorities. I would expect  
most will either not care about electronic mailing lists or take the  
pragmatic view that since list membership is under the user's control,  
that in itself provides the required consent. However I would not bet  
money on this.

Another rat-hole to explore is what the list manager does with the  
Personal Data and if consent is needed for adding list members to  
other lists. Or lists of lists. What constitutes proportionate and  
fair usage of Personal Data then? My head is now starting to hurt...

Perhaps we could invite someone from WP29 to speak about this at the  
next WG meeting?