With a little encouragement from Nigel :) even though this isn't entirely on topic -- but this is an area I know a bit about (though I do stress that IANAL!) and where I can offer some links to useful documents which may assist:

-=-=-=-=-

In message <[EMAIL PROTECTED]>, Matthew Byng-Maddick <[EMAIL PROTECTED]> writes

> If I'm feeding information about every message (spam/ham) and source to
> you (which I presumably need to do in order to make your statistics
> useful), and you obviously know the destination, because it's your peer
> host, then suddenly you have some quite powerful mail-flow information,
> too, which could come under some of the otherwise dreadful RIPA in this
> country at least.

Passing "traffic data" would NOT come under the UK RIP Act (assuming you weren't sending copies of the message itself, or substantive information such as subject lines -- when of course it would).

However, as others have indicated, it would come under the UK Data Protection Act 1998, which is a transposition of an EU Directive, so the law will be similar (in theory identical) all over the European Union.

Although some IP addresses are not personal data -- in other cases where there is a clear link between IP address and identity (eg a static IP address used by an individual) then the information "IP address X sent email which was/wasn't spam" is quite clearly personal data.

Think about it: you are reporting on the email sending activity of an individual! and though that's not the same as discussing, say, their health, it's still personal data about their activities.

It CAN be entirely lawful to pass this data to others -- and in the current context, it can be lawful for an ISP to do so in order to protect their network. However some hoops do need jumping through.

Probably relevant (and giving a good indication of the sort of hoops) would be the recent LINX BCP on a closely related matter:

<URL:http://www.linx.net/www_public/community_involvement/bcp/bcp_report Abuse-v1/view>

though it is important to note that this BCP does NOT cover sending personal data _outside_the_EU -- you'd need specialist advice on that, and I expect that your legal advisor would suggest that you cover this with a contract along the lines of the one recommended by the EU for external transfers:

http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm

I suspect Marc Perkel (or others) will not be interested in signing such a contract; the terms are onerous :( and of course publishing the data that is received (without further processing) would probably break the terms of the contract.

Of course your jurisdiction (even within the EU) may impose extra constraints on data transfers :( even though the Directive should produce a uniform arrangement -- it does not entirely do so.

In the rest of the world, the first place to look will be your privacy policy....

-- 
richard Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
