Personal data protection and SPAM

On April 7, 2006, Judge Roberto Torti from the Civil and Commercial Federal Court No 3, Secretary No 6, admitted a habeas data action filed against the defendants who sent SPAM (mass unsolicited email) because this practice infringes Law No 25,325 of Personal Data Protection (“PDPL”).

The habeas data action, regulated by the Argentine Constitution and the PDPL, is applicable to allow people to access to their personal data stored in public or private databases, and to know the purpose of such databases. In those cases where falsehood, inaccuracy or outdating of the information is presumed, or the use of such data is forbidden by the PDPL, a habeas data action can be used to demand the suppression, rectification, confidentiality or updating of the data.

In this case, the court ordered the defendants (i) to allow the plaintiffs to access their personal data controlled by the defendants, (ii) to delete the personal data from the defendants’ databases, and (iii) to cease using the plaintiffs’ personal data.  The court further awarded the plaintiffs their costs.

The plaintiffs filed the complaint in 2003 because they had not received a response from the defendants to their request to stop sending them SPAM.

Firstly, the plaintiffs obtained a precautionary measure ordering the defendants to abstain from sending messages to their mailbox as well as an order not to assign or transfer their email address or personal data to third parties.

The evidence produced in the case proved that (i) the plaintiff received SPAM; (ii) they requested to have access to their personal data and (iii) to be removed from the defendants’ database, all without any success.

The court ruled on the basis of the PDPL, since this law regulates the operation of marketing databases and allows people to request to be removed from those databases (a system known as “opt out”). It was important to the court that the defendants had not answered the plaintiffs’ requests to be removed and kept sending SPAM to their email addresses.

Furthermore, the court stated that the defendants infringed the PDPL because they offer a service to send emails without a known sender, obstructing the access to the owners of the database. On the other hand, as the defendants were using personal data with a different purpose from the original reasons for such data, they were failing to fulfill the principles of the PDPL.

Although the sentence did not award the plaintiffs damages, the court did find that the SPAM increased their costs related to downloading, identifying, selecting and deleting SPAM, as well as the receipt and processing of  emails.  The receipt of SPAM creates the need to implement systems for blocking SPAM and even get virus protection against the harm that some emails spread.  Additionally, the receipt of SPAM and the subsequent deletion causes a need to de-fragment the hardware, which increases wear and tear on the hard drive.