Aerlingus Spam - Twelve Horses

oscarBravo

I suspect we're going to end up having to agree to differ here, but...

Originally posted by BrianD
Well you have found the paragraph that exactly sums up my point! 12 Horses are a "data processor" and not a "third party" and it is not unreasonable to assume that such a company may be employed to process the data that a company collects from the customers.

Data Processors are third parties. They just happen to be third parties with specific responsibilities under the Act.

Therefore the airline has NOT handed their list over to a "third party" - by this I mean another company who would actively use this list for their own marketing purposes.

With respect, Brian, it doesn't matter what you mean by "third party". Besides:

You should also note that, even though such transfers would not involve "disclosure" of personal data, the data controller might also have to consider whether the data have been "fairly obtained" for these purposes.

I have repeatedly stated that the airline were wrong to send Butch marketing material when he expressly stated otherwise.

This we agree on.

It does raise an interesting topic of debate. Butch's personal data is going to be stored somewhere at the airline - he is a customer after all. In most businesses it is not unreasonable for the supplier to contact their customers with new offers, product news etc.. A fair use of the data - I think so. It is quite simply, rude but not illegal for the airline to send Butch data when he doesn't want it!

For various values of "illegal", maybe.

Sloppy data entry is probably why Butch received a mailing from a company of whom he is a customer. However, as long as Butch points this out to the airline and they rectify the situation then the airline are acting according to best practice (they have to confirm that they have removed you in writing within 40 days).

If through "sloppy data entry" I accidentally disclose details of someone's mental health or sexual orientation to a third party, do I make it OK by correcting my database? (Note that I am a registered Data Controller, and I take the responsibility seriously.)

Much of the DPA legislation is aimed at "direct marketing companies" i.e companies who market on behalf of others. The airline in question is not a direct marketing company. Note that the airline does not need to register as a Data Controller.

The DPA is aimed at anyone who holds personal information about anyone else on a computer. Not being required to register in no way relaxes your obligations under the Act:

All data controllers must comply with certain important rules about how they collect and use personal information on computer.

Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.

BrianD

Personally, I believe that Butch was grossly irresponsible and reckless with the posting that he originally made. The implication of the posting that he made and subsequently made was that aer lingus were passing on his details to other companies for spamming. Just read the first line of the posting:

Today I received a dodgy spam email - supposedely sent on behalf of Aerlingus.com. The company behind the mass emailing is called Twelve Horses.

From other posts it became evident that this other company (12 horses) was in fact a data processor contracted by Aer Lingus. He states that mail was supposedly from Aer Lingus when in fact it was overtly from Aer Lingus, referred to Aer Lingus offers and also contained an unsubscribe method. Very much above board. Only with expert knowledge would you be aware from the message header that 12 horses were employed to pprocess the data. Nothing dodgy about this what so ever. It was very reckess to suggest reporting Aer Lingus to spamcop.

We are splitting hairs over the definition of a "third party". Yes, 12 horses is a "third party" but I was loosely using this term to describe another company that might use his information for their own purposes. Sorry if my use of the term caused confusion. I think there is a massise difference between 12 Horses processing the data on behalf of Ael Lingus and Aer Lingus renting the data to, say, a credit card company. Butch's key concern and bug bear was a disclosure of his data - clearly this is not the case here where 12 horses is a procesor

The "dodgy spam email" that Butch referred to was in fact a customer offer from an airline that he has conducted business with in the past. It does raise issues of how companies can communicate with there customers in this age. We are told to know our customers and assist them. At the same time as a customer, especially a regular customer, we expect our suppliers to know our needs and respond to them. How can we achieve this when the customer says don't contact me? Butch would be rightly annoyed if he found he could buy his Aer Lingus tickets cheaper - "Why the hell didn't you tell me!!".

I would maintain that Butch's personal data was fairly obtained as he is a customer of the aforementioned airline. It is also a fair use of the data.

I accept the point about disclosure of higly personal data (religion. sexual orintation etc.) However, this is not strictly relevant in this case as we are dealing with a business to consumer situation. It is essential that all data controllers - registered or not - secure their data and only allow relevant data to be used in appropriate ways.

I don't believe that Aer Lingus have breached the DPA by sending him an e-mail with a customer offer. I doubt if Butch could bring a complaint to the Data Commissioner. What aer lingus have done is angered a customer who did not want them to communicate with him. A far cry from spamming!

Our man in Havana

If Butch asked Aerlingus not to send him email then they should not send him email. They did. Breach of Data Protection Act 1988-2003.

Butch, Have you contacted the Data Protection Commisioner?
website

Butch

Originally posted by Bond-James Bond
Butch, Have you contacted the Data Protection Commisioner?
website

Not yet. I decided firstly to raise my concerns to Aer Lingus Marketing Department, and to give them a fair chance to explain themselves, i.e.

- Written acknowledgment that Aer Lingus is outsourcing their Marketing campaigns to a Third Party Company (12H or any other).
- Full disclosure on which information out of my personal record has been produced to this third party and for which purposes.
- Full explanation on how this third party is commited to keep my data private.
- Explanation on measures taken to avoid this "mistake" to happen again (i.e. passing on my data, despite I opted-out)

Then I will evaluate my course of action, which may probably involve the DPC.

Regards,
Butch

BrianD

Not as simple as that James Bond. Where's the breach? Detail please. Check the data commissioners web site and words such as "should have their wishes respected" are used. Hardly what you'd call stern legal stuff. Doubt if you'd get much more than that if you wrote to the commissioner especially when Butch there is an explicit opt out method in the mail Butch received.

Just like the instant and ridiculous cry to contact Spamcop ...butch would want to review the situation before he contacts the Commissioner.

However, it appears that Butch is now taking the reasonable approach to dealing with something that has clearly annoyed him. I just don't see the relevance of the first two questions he is asking. Why not ask are you sure that your employees won't flog the list to someone else on the QT? Who operates your web site? What controls have the credit card companies have you in place? What measures have your check in agents go in place .... Will you post the reply that you get from Aer Lingus?

ArphaRima

This is hilarious.

One e-mail is erroneously sent to a customer.
Customer explodes.


Come on lads. Who really cares. Its a single Irish company that asked for your e-mail address; they didnt pass on your information to third parties for their own marketing uses, only hired another company to do the e-mailing for them.

Butch is probably one of those people that when someone is smoking in the same building as him he waves his hands in front of his face, grumbles something to himself and makes the most disgusting face, just to make a point. Enjoy your rant.

BrianD

well, I might be doing the same as Butch then while arguing the finer points of the DPA!

oscarBravo

Originally posted by BrianD
It does raise issues of how companies can communicate with there customers in this age. We are told to know our customers and assist them. At the same time as a customer, especially a regular customer, we expect our suppliers to know our needs and respond to them. How can we achieve this when the customer says don't contact me? Butch would be rightly annoyed if he found he could buy his Aer Lingus tickets cheaper - "Why the hell didn't you tell me!!".

http://www.dataprivacy.ie/97cs9.htm

I would maintain that Butch's personal data was fairly obtained as he is a customer of the aforementioned airline. It is also a fair use of the data.

This is our major area of disagreement: it's not a matter for either you or Aer Linugs to decide what's a fair use of the data. If I tell them I don't want them to do <whatever> with my data, they are explicitly prohibited by the DPA from so doing.

I accept the point about disclosure of higly personal data (religion. sexual orintation etc.) However, this is not strictly relevant in this case as we are dealing with a business to consumer situation. It is essential that all data controllers - registered or not - secure their data and only allow relevant data to be used in appropriate ways.

I don't believe that Aer Lingus have breached the DPA by sending him an e-mail with a customer offer. I doubt if Butch could bring a complaint to the Data Commissioner. What aer lingus have done is angered a customer who did not want them to communicate with him. A far cry from spamming!

To be fair, I wouldn't call it spamming either. It does seem to be a breach of the DPA, however, and that shouldn't be taken lightly.

BrianD

I don't see the exact relevance of the Data Privacy case that you have quoted in your posting. This suggests that it is OK to contact people who have indicated that they don't want to be contacted. The case suggested that another set of options be put to each individual that are essentially the same as what would have been on the form they completed in the first place. Furthermore, many people who receive mails are bothered one way or the other and may not actively respond to it. I'm not sure of the logic that was behind the Commissioners decision on this one!

The mail was straightforward special offer from Aer Lingus that does contain an opt-out method. I don't think it falls into the same category as the situation detailed in the case that you linked to as it also concerns a business that was emailing on behalf of other clients.

oscarBravo

You suggested that people who (like Butch) asked not to be contacted by the airline might be annoyed at not being contacted, because of missing out on special offers etc.

In the cited case, the Data Controller

• had received explicit complaints from people who had opted out about not being contacted;
• contacted the DPC to see if it would be OK to contact people with the sole purpose of clarifying their choice to opt out.

In this case, the DPC allowed a once-off communication for that sole purpose, and was prepared to accept complaints about that communication on their merit.

If Aer Lingus are afraid of offending their opted-out customers, that's how they should handle it - not by mailing them against their explicitly stated wishes.