[exim] EU Data Protection Issues

Author: Richard Clayton
Date:  
To: exim-users
Subject: [exim] EU Data Protection Issues

With a little encouragement from Nigel :) even though this isn't
entirely on topic -- but this is an area I know a bit about (though I do
stress that IANAL!) and where I can offer some links to useful documents
which may assist:

-=-=-=-=-

In message <20060722164932.GR76034@???>, Matthew Byng-Maddick <exim@???> writes

> If I'm feeding information about every message (spam/ham) and source to
> you (which I presumably need to do in order to make your statistics
> useful), and you obviously know the destination, because it's your peer
> host, then suddenly you have some quite powerful mail-flow information,
> too, which could come under some of the otherwise dreadful RIPA in this
> country at least.


Passing "traffic data" would NOT come under the UK RIP Act (assuming you
weren't sending copies of the message itself, or substantive information
such as subject lines -- when of course it would).

However, as others have indicated, it would come under the UK Data
Protection Act 1998, which is a transposition of an EU Directive, so the
law will be similar (in theory identical) all over the European Union.

Although some IP addresses are not personal data -- in other cases where
there is a clear link between IP address and identity (eg a static IP
address used by an individual) then the information "IP address X sent
email which was/wasn't spam" is quite clearly personal data.

Think about it: you are reporting on the email sending activity of an
individual! And though that's not the same as discussing, say, their
health, it's still personal data about their activities.

It CAN be entirely lawful to pass this data to others -- and in the
current context, it can be lawful for an ISP to do so in order to
protect their network.

However some hoops do need jumping through.

Probably relevant (and giving a good indication of the sort of hoops)
would be the recent LINX BCP on a closely related matter:

<URL:http://www.linx.net/www_public/community_involvement/bcp/bcp_report
Abuse-v1/view>

though it is important to note that this BCP does NOT cover sending
personal data _outside_the_EU -- you'd need specialist advice on that,
and I expect that your legal advisor would suggest that you cover this
with a contract along the lines of the one recommended by the EU for
external transfers:

http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm

I suspect Marc Perkel (or others) will not be interested in signing such
a contract; the terms are onerous :( and of course publishing the data
that is received (without further processing) would probably break the
terms of the contract.

Of course your jurisdiction (even within the EU) may impose extra
constraints on data transfers :( even though the Directive should
produce a uniform arrangement -- it does not entirely do so.

In the rest of the world, the first place to look will be your privacy
policy....

-- 
richard                                                   Richard Clayton


Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755