26

So, I've been receiving a lot of spam mails recently and I'm pretty fed up with them. I've also been wondering, how they got access to my mail-address, so I sent a request of information so I can see, what data they store about me, where they got it from and whom they sent it to. Could I sue the company behind the scam, if they don't comply with the GDPR?

(Please excuse the bad English, I'm not a native speaker)

Florian F.
  • 6
    Your English isn't bad so no need to apologize for it. – Lasse Meyer Feb 01 '21 at 09:28
  • 3
    When creating an account you can use the '+' trick from gmail to know when it's leaked/sold. If you create an account using "yourmail+sketchyWebsite@gmail.com" and then later receive a spam email with that exact email address, you know it's been leaked from sketchyWebsite. – SirDuckduck Feb 01 '21 at 14:46
  • 1
    I have been doing that for a decade or two, ever since my partner did her master's thesis on spam, back when it was relatively new. Actually, I have my own domain, let's call it mawg.com. Despite my fears of sites selling my email address to list or other sellers, the only spam I get is from ebay@mawg.com and jobserve@mawg.com. In both cases, the spread of my email address is more likely from harvesters or users than from the site itself (I guess). That's my experience, but I would like to hear from others – Mawg says reinstate Monica Feb 02 '21 at 09:42
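Added example, not part of the original thread: the two tagging schemes described in the comments above (Gmail "+" addresses and one address per site on your own domain) can be checked automatically against incoming mail. The sample messages and the `.example` sender domains are constructed, and matching the tag against the sender's domain by substring is a heuristic assumed here.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_MAILBOX = "yourmail@gmail.com"   # placeholder address used in the comment
CATCH_ALL_DOMAIN = "mawg.com"       # placeholder own domain used in the comment
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

def signup_tag(address):
    """Return the per-site tag encoded in a recipient address, or None."""
    local, _, domain = address.lower().rpartition("@")
    base_local, _, base_domain = MY_MAILBOX.rpartition("@")
    if domain == base_domain and local.startswith(base_local + "+"):
        return local[len(base_local) + 1:] or None   # text after the '+'
    if domain == CATCH_ALL_DOMAIN:
        return local or None                         # whole local part is the tag
    return None

def leak_report(raw_message):
    """List (tag, leaked) pairs for every tagged recipient of one message."""
    msg = message_from_string(raw_message)
    recipients = []
    for header in RECIPIENT_HEADERS:
        recipients.extend(msg.get_all(header, []))
    tags = {signup_tag(addr) for _, addr in getaddresses(recipients)}
    tags.discard(None)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    # Heuristic (assumption): mail sent to a tag that does not appear in the
    # sender's domain means the tagged address reached a third party.
    return sorted((tag, tag not in sender_domain) for tag in tags)

# Constructed sample messages (not real mail).
LEAKED_MAIL = (
    "Delivered-To: yourmail+sketchyWebsite@gmail.com\n"
    "From: Deals <offers@pills.example>\n"
    "To: yourmail+sketchyWebsite@gmail.com\n"
    "Subject: Limited offer\n\nbody\n"
)
EXPECTED_MAIL = (
    "From: eBay <info@ebay.example>\n"
    "To: ebay@mawg.com\n"
    "Subject: Your order\n\nbody\n"
)

if __name__ == "__main__":
    print(leak_report(LEAKED_MAIL))    # tag used by an unrelated sender
    print(leak_report(EXPECTED_MAIL))  # tag used by the site it was given to
```

A `True` flag only shows that the tagged address reached someone other than the site it was given to; as the comment above notes, that can be harvesting rather than a sale by the site.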

2 Answers

58

Sure, you can make such a request, but it's not likely to help you.

  • Scammers are criminals and don't generally care about GDPR compliance.
  • Scammers are criminals, and won't just publish their real world identity. Serving them with a lawsuit will be difficult, especially if they are from outside the EU.
  • GDPR lets you sue data controllers, but it's not worth it. You can sue for compliance (e.g. to compel fulfillment of your access request), and you can sue for damages stemming from GDPR violations. Compared to the damages you have suffered, a lawsuit is very expensive.
amon
  • 19
    @Dave Mailchimp is a service provider; unless there's an extra service I'm unaware of, they're not harvesting and selling addresses, only delivering mail to addresses at someone's instruction. They certainly have obligations as a "data processor", but it is their customer who is the "data controller", i.e. the party who has improperly acquired and used your e-mail address. – IMSoP Jan 30 '21 at 23:27
  • @IMSoP I don't think you get to duck out of GDPR by, say, creating a fictional holding company to be the “data controller” – so I don't think this applies. – wizzwizz4 Jan 30 '21 at 23:32
  • 23
    @wizzwizz4 MailChimp aren't anybody's "fictional holding company"; they're a delivery service: you give them an address and a message, and they send it for you. It's like suing UPS because somebody sent you a mail bomb. Sure, maybe UPS were negligent in their processes for preventing someone doing that (the "data processor" obligations I mentioned), but it's not them who were trying to kill you. – IMSoP Jan 30 '21 at 23:35
  • @IMSoP No, I mean: I don't think Facebook could get out of the GDPR subject access requirement by saying “oh, we aren't the data controller, Fakebook is; you'll have to find a way to contact them”. I haven't seen a rule that prevents that, but a rule that prevents that would probably prevent MailChimp from going “yes, we do have your data, but we're not the data controller, sorry, don't need to give it to you”. – wizzwizz4 Jan 30 '21 at 23:46
  • 16
    @wizzwizz4 I think we're talking past each other here. I was responding to an earlier comment that suggested that MailChimp were spammers, not claiming that they were immune to all requests for data. You might be able to compel them to say which customer account had sent e-mail to you via their platform, but that's about the limit of MailChimp's knowledge about you. If it is a criminal, they'll have made sure that trail runs cold pretty quickly, and we're back to the point this answer is making: the actual spammer doesn't care about your amateur legal threats. – IMSoP Jan 30 '21 at 23:57
  • @wizzwizz4 If you have questions about how to determine the data controller, or whether a data processor has any duties regarding data subject access requests, that might be good material for a separate question :) – amon Jan 31 '21 at 10:35
  • Any mail routed through Mailchimp has an unsubscribe option. But I doubt there's any way for you to tell Mailchimp to not allow your address to be added or re-added by any of their customers. – WGroleau Feb 01 '21 at 07:27
  • 3
    As a business user of MailChimp, I can confirm that spam reports cause the reporting address to be blacklisted for the sender (i.e. MC will no longer send mail on behalf of the owning account to that email address). Furthermore, spam/undeliverable reports count against the account's reputation, which is used to limit send rates, amongst other things. So an account routinely racking up spam reports and undeliverable mails to non-existent accounts very quickly gets rate-limited and ultimately choked off completely. Of course, the spammer then creates a new MC account... – Eight-Bit Guru Feb 01 '21 at 14:28
32

I've also been wondering, how they got access to my mail-address,

Probably just randomly generated. Or, maybe bought from an address seller.

so I sent a request of information

This is great! Now they know that there is an actual human being behind that email address, which makes the address much more valuable. Now, the address sellers can charge a higher price for your address, and the spammers know to focus on your address.

so I can see, what data they store about me, where they got it from and whom they sent it to. Could I sue the company behind the scam, if they don't comply with the GDPR?

Yes, you can sue them if they don't comply, IFF you can figure out who they actually are.

Provided that you can figure out whom to sue, you will probably win the lawsuit. However, unless they are an EU citizen or have assets within the EU, there is nothing the courts or authorities can do to force them to comply.

Jörg W Mittag