Receiving emails that are not for you

seamus

Just curious on this and whether it falls into any existing legislation.

For postal mail that is incorrectly delivered to you, you have an obligation to send it on its way. Failure to do so, and reading that mail is an offence, to the best of my knowledge.

But what about emails? I've just received an email from the passport office warning me to upload a new photo or my application will be cancelled. Of course, I haven't submitted an application, someone has entered my email address by accident.

Over the years I've received mundane correspondence from clubs about memberships that aren't mine, tickets to football matches that I never booked and loads of other stuff.

I've also received some more serious stuff such as an accountant's emails about financial matters and correspondence from Revenue about someone's outstanding tax affairs.

What is my obligation, if any, in this regard? Do I have a legal obligation to notify the sender of their error? Do I have a legal obligation to delete the email?

coylemj

I doubt if you have any legal obligation to forward it - to who?

A lot of these e-mails are fishing (not phishing) expeditions. If you reply, then you are proving that your's is an active and valid e-mail address which makes the spam list that you will be added to all the more attractive to the people who buy that sort of thing.

seamus

coylemj wrote: »

I doubt if you have any legal obligation to forward it - to who?

A lot of these e-mails are fishing (not phishing) expeditions. If you reply, then you are proving that your's is an active and valid e-mail address which makes the spam list that you will be added to all the more attractive to the people who buy that sort of thing.

Indeed, I forgot to mention that none of these were phishing expeditions, as I want to explore whatever obligations might be there for legitimate emails.

Like receiving mail at your house for someone else, you've an obligation to ensure that it gets delivered, either to its intended recipient or back to the sender.

For emails, one could reply to the mail saying, "Hey, you've sent this to the wrong person". Which I did for the financial ones, pointing out the potential data protection mess up they just made...

If we were to say, for example, that I received an email, ignored it, and someone lost millions of euro because they didn't get it, would there be any avenue of litigation they could use against me? Assuming that is, that they could track me down based on my email (which isn't that hard).

coylemj

seamus wrote: »

Like receiving mail at your house for someone else, you've an obligation to ensure that it gets delivered, either to its intended recipient or back to the sender.

Says who?

seamus wrote: »

If we were to say, for example, that I received an email, ignored it, and someone lost millions of euro because they didn't get it, would there be any avenue of litigation they could use against me? Assuming that is, that they could track me down based on my email (which isn't that hard).

Why on earth would they sue the recipient who got the e-mail by mistake? How does the injured party prove that it didn't get dropped in the recipient's spam folder so he never saw it? And why not sue the bank or solicitor who fcuked up in the first place?

Instead of suing a complete stranger, you sue the professional who owes you a duty of care and is probably covered by professional indemnity insurance.

brian_t

seamus wrote: »

If we were to say, for example, that I received an email, ignored it, and someone lost millions of euro because they didn't get it.

If you made a lot of money on an investment based on information gleaned from such an email from a complete stranger. Does this still count as Insider trading?

my3cents

Why not look at it another way?

If a financial institution sends me someone else's confidential information am I then responsible in anyway if that information is further disseminated.

Hitman3000

seamus wrote:

Like receiving mail at your house for someone else, you've an obligation to ensure that it gets delivered, either to its intended recipient or back to the sender.

As far as I'm aware your only obligation is to give it back to the postman/woman or to the post office.

Victor

brian_t wrote: »

If you made a lot of money on an investment based on information gleaned from such an email from a complete stranger. Does this still count as Insider trading?

It seems it's more market manipulation than insider trading, as presumably, you aren't an insider.

my3cents wrote: »

If a financial institution sends me someone else's confidential information am I then responsible in anyway if that information is further disseminated.

If you do the further dissemination, then possibly.

Tar.Aldarion

I have actually been paid a few times by accident by people trying to pay somebody else before. They just send money to my paypal and I have to refund it. Often get emails that are meant for other people with the same name as me. People need to be more careful.

GDPR legislation coming in in May 2018 may have an impact?

you're now in the possession of "data". Assuming these emails are from a company, you'll most definitely (or should) receive an email asking you to delete the email they sent you.

On the practical side, there's probably no way of the sender knowing if the email address they sent it to is even active anymore- i.e. you may have long ago, abandoned that email address but it's still live as an address- but that's all.

I'd say it's unlikely- in fact impossible that you could be held liable for a company sending you something that you didn't action- the person who missed out on the "deal" would sue the company as they couldn't prove they sent the information to them- the fact they sent it to someone else or the rest of the world, for that matter, is irrelevant.

4ensic15

coylemj wrote: »

Says who?

Post Office Act 1908. The duty is not to impede delivery, which is done by not retaining it or destroying it.

seamus

coylemj wrote: »

Says who?

Communications Regulation (Postal Services) Act 2011

53.— (1) A person commits an offence if he or she, without the agreement of the addressee and, in the case of a person who is a postal service provider or an employee or agent of a postal service provider, contrary to his or her duty, intentionally—

(a) delays, detains, interferes with or opens, a postal packet addressed to another person or does anything to prevent its delivery or authorises, suffers or permits another person (who is not the addressee) to do so,

Why on earth would they sue the recipient who got the e-mail by mistake? How does the injured party prove that it didn't get dropped in the recipient's spam folder so he never saw it? And why not sue the bank or solicitor who fcuked up in the first place?

Instead of suing a complete stranger, you sue the professional who owes you a duty of care and is probably covered by professional indemnity insurance.

it's a hypothetical. They've lost loads and they're livid, and looking to sue as many people as possible.

Franz Von Peppercorn

[Deleted User] wrote: »

GDPR legislation coming in in May 2018 may have an impact?

you're now in the possession of "data". Assuming these emails are from a company, you'll most definitely (or should) receive an email asking you to delete the email they sent you.

On the practical side, there's probably no way of the sender knowing if the email address they sent it to is even active anymore- i.e. you may have long ago, abandoned that email address but it's still live as an address- but that's all.

I'd say it's unlikely- in fact impossible that you could be held liable for a company sending you something that you didn't action- the person who missed out on the "deal" would sue the company as they couldn't prove they sent the information to them- the fact they sent it to someone else or the rest of the world, for that matter, is irrelevant.

You are probably compliant with the GDPR by deleting the email.

@Seamas

The decent thing would be to reply (if possible) that the address is incorrect. Then delete. There may be nothing the company can do though as the email is incorrect.

It might be possible to guess the email but I’m not sure most people would bother.

Vetch

Not sure why someone who received an email in error would have GDPR responsibilities? They're neither data controller nor data processor.

Victor

Vetch wrote: »

Not sure why someone who received an email in error would have GDPR responsibilities? They're neither data controller nor data processor.

They have data in their possession. Many of the things they do with is could constitute processing. Being a data controller nor data processor is a matter of fact, not law.

my3cents

Victor wrote: »

...

If you do the further dissemination, then possibly.

Here is a scenario....

I keep getting sent sensitive stock market information and because I think the purpose of the email is phishing - to make me think its a genuine email that has been misdirected to get me to invest - I publish it online to warn others its a scam.

What could happen if its not a scam?

(Remember its only a scenario)

Another point is that some official correspondence has lengthy footers that say in essence if you received this email in error please delete it immediately and notify the sender, do they have any legal standing?

Vetch

Victor wrote: »

They have data in their possession. Many of the things they do with is could constitute processing. Being a data controller nor data processor is a matter of fast, not law.

I don't understand your point. Are you saying that someone who receives personal data in error has GDPR responsibilities? Which ones?

hullaballoo

Victor wrote: »

They have data in their possession. Many of the things they do with is could constitute processing. Being a data controller nor data processor is a matter of fast, not law.

FWIW, I disagree with this assertion. Of course it's a matter of law. The definitions are not exactly hard and fast. They are purposefully drafted in a very broad way to cast a wide net but that doesn't mean it's not at least arguable that not everyone who possesses personal data for whatever reason is a controller/processor.

Glass fused light

brian_t wrote: »

If you made a lot of money on an investment based on information gleaned from such an email from a complete stranger. Does this still count as Insider trading?

You would be in possession of material, nonpublic information which if made public would move the market price so if you trade on the basis of the information it would classed as insider trading.

Glass fused light

hullaballoo wrote: »

FWIW, I disagree with this assertion. Of course it's a matter of law. The definitions are not exactly hard and fast. They are purposefully drafted in a very broad way to cast a wide net but that doesn't mean it's not at least arguable that not everyone who possesses personal data for whatever reason is a controller/processor.

https://www.dataprotection.ie/docs/General/1237.htm

1.2 What is a Data Controller?

A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files.

1.5 Do the Acts apply to information kept by an individual in their personal capacity?

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. For example, this exemption would generally apply to the use of CCTV in a domestic environment.

This suggests that the possessing of the data would initially fall under the personal capacity exemption (ie as it was accidently sent to your email, is sitting in your inbox and you just did not bother to delete it), but if you start disseminating the personal data of a stranger it would up to you to justify why you should retain the exemption.

hullaballoo

Glass fused light wrote: »

https://www.dataprotection.ie/docs/General/1237.htm


This suggests that the possessing of the data would initially fall under the personal capacity exemption (ie as it was accidently sent to your email, is sitting in your inbox and you just did not bother to delete it), but if you start disseminating the personal data of a stranger it would up to you to justify why you should retain the exemption.

This is not directed at you personally.

But.

:rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes::rolleyes:

Carawaystick

Getting an email is not the same as a letter arriving at your home intended for someone else. the email has your address. a better analogy would be for a letter addressed to you arriving but on opening, has contents intended for someone else.

lifeandtimes

hullaballoo wrote: »

FWIW, I disagree with this assertion. Of course it's a matter of law. The definitions are not exactly hard and fast. They are purposefully drafted in a very broad way to cast a wide net but that doesn't mean it's not at least arguable that not everyone who possesses personal data for whatever reason is a controller/processor.

I feel this would fall under if you were aware or unaware you were in possesion of the data.

Unaware how could you be liable for being a data posseser without knowledge.

If you are aware you have the data then you would have obligations under the GDPR as you are then the posseser of the data, deleting it will be fine, keeping it opens up a whole can of worms, ironically being unaware of the GDPR does not obsolve you of this responsibility

Its going to be very interesting to see the case studies that come and are tested when this act hits the streets as it were

Skedaddle

Realistically, you can't reply to bizzare emails as there's a huge likelihood they're a scam attempting to get someone to respond and engage. You could easily unleash a flurry of spam as some system realises your address exists and that you're engaging.

The postal concepts were intended to deal with accidental misdelivery in a system that is hand delivered and still relies on an element of manual sorting and reading hand written addresses.

Even in that system, a % of mail will end up misdelivered and never returned.

All I do if I get wrong post sent to me is put it back into the post box and write "delivered to wrong address" on the front.

I live in a city but in an area that uses a lot of house names and I constantly get letters for wrong addresses and a good % of my mail never arrives.

On a typical week I get about 4 letters to the wrong address. The funniest one wasn't even to the correct county! The address wasn't even remotely similar, other than a similarly spelled house name. The city and county on the address were the other side of the country!

coylemj

Skedaddle wrote: »

Realistically, you can't reply to bizzare emails as there's a huge likelihood they're a scam attempting to get someone to respond and engage. You could easily unleash a flurry of spam as some system realises your address exists and that you're engaging.

+1 Bizarre content or not, if I get an e-mail that's obviously intended for someone else, I delete it.

The suggestion that some kind of legal obligation has landed in my lap is rubbish.

Vetch

This is Recital 18 of GDPR. A person going about their personal affairs has zero legal obligations under GDPR:

'(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.

Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.'

skallywag

I regularly receive email intended for three namesakes, this has been going on for maybe 5 years or more. I've actually built up quite a bit of knowledge at this stage about these guys. In the beginning I would reply to the sender to let them know that they have the wrong person, but at a certain stage I just gave up on it. It happens a lot to friend of mine as well. If you got on board Gmail relatively early and have a firstname.lastname@gmail.com address, then it's very common it seems. It's also the case that you then get mail addressed to firstnamelastname@gmail.com. Usually the intended recipient is firstname.lastname2@gmail.com, etc, and the sender has just made a typo.