London - Paris

GDPR Is Not Shooting The Messenger

GDPR Is Not Shooting The Messenger

There has been questioning around the application of the GDPR to Royal Mail.

On his video interview with the BBC, ICO representative Steve Woods, was questioned if GDPR would apply to the RM. His answer was yes it applies. I bring up the question on Twitter asking @ICOnews if they could confirm this.

, @ICOnews hi could you possibly clarify GDPR application to the post. Is Post office liable for data protection of mails content? Let’s say in case of wrongful delivery? Is that a data breach?

The answer came shortly after from @ICOnews :

As with current DPA, it’s unlikely that the Post Office would be the data controller for information contained in post they’re delivering, and so wrongful delivery would be unlikely to be considered a breach, but their own/other rules may apply in that situation.

Two analogies that came to my mind : one is if someone borrowed a coat and a diamond ring in the pocket he had no knowledge of get damaged or lost, could he be held liable?

The second analogy is ISP immunity for third party content. As an ISP is not liable for third party content if it does not monitor or edit content, how could RM be liable for the personal data hypothetically content in the letter it delivers. If the content was to be of sensitive value, it should be registered.

I was told Tim Tuner had expressed a divergent view (Return to Sender).

James Bryce Clark

@JamieXML had an interesting reaction :

Oh, man, are we really eradicating the traditional “common carrier” doctrine? 🙁

Commerce as we know it would grind to a halt, if there were not reasonable limits on the duty to inspect the contents of third-party packages. (I’ve heard similar arguments made for limitations on the duties of ISPs and Internet content portals.)

But Jon Baines @bainesy1969 remains confident RM is in control of the personal data hypothetically inside mails.

As a wise man once said in a different context “ The…European data protection framework actually has a breath-taking scope”

I cannot see how RM could process any personal data as the data inside the mail is, in principal, out of its reach. The only processing activity I could see is by “dissemination or otherwise making available” of an hypothetical personal data RM would have no knowledge of it. In my view, RM liability is limited to the delivery, not processing the data inside the mail.

But for Jon Baines, @bainesy1969

Replying to @clarinette02 @neilneilzone @lawyermartin

Data protection law doesn’t say anything about data having to be “within the reach” of the processor.

I’ve not actually come down one way or another. I think Royal Mail must be either a controller or a processor, for the reasons in Tim Turner’s blog. But no one wants to address the implications for societal/pragmatic reasons.

Thanks to @IPnewsbe forwarded this pre-GDPR document, It seems clear to me that the ICO would agree with my interpretation.

“This means that the mail delivery service is neither a data controller nor a data processor for the clients that use its services because:

 it is a mere conduit between the sender of the mail and its recipient;

 it does not exercise any control over the purpose for which the personal data in the items of mail entrusted to it is used; and

 it has no control over the content of the personal data entrusted to it.

  1. This makes sense in practice because it would be unreasonable to expect a mail delivery service that has no control over the content of the mail items it delivers to comply with the data protection principles. For example it would not be able to ensure that personal data in its possession is accurate, up to date or held only for so long as it necessary. It cannot have data protection responsibility for personal data contained in an item of mail. It is merely responsible for the security of the letter or parcel in a physical.”

Otherwise any transporter would be deemed to GDPR liability for content. That does not make any sense to me. Could any road, rail, plane, or sea transporter become liable for the personal data content of the courrier?!

The ICO document is under the DPA. Would it be different under the GDPR ? How could the ISP benefits from mere conduit immunity while Shooting the Messenger Royal Mail, as the honourable Gavin Sutter would say.

W Kuan Hon, Christopher Millard and Ian Walden have even argued cloud provider should not be liable for the personal data they hold on behalf of their clients. I would argue this is a different situation as the actually are made in charge of saving and storing data on behalf of their clients. in paper ‘Who is Responsible for ‘Personal Data’ in Cloud Computing?The Cloud of Unknowing, Part 2

ADDENUM : At Jon Baines request, I have modified the original version of this document adding here is the link to the actual Twitter exchange.

Jon Baines :

I’ve not actually come down one way or another. I think Royal Mail must be either a controller or a processor, for the reasons in Tim Turner’s blog. But no one wants to address the implications for societal/pragmatic reasons.


“processing’ means any operation or set of operations which is performed on personal data”.

My objection to this is that RM has no control whatsoever over the content of the letter that could be personal data or any blank paper or CD.

I hope this clarification would satisfy Jon Baines who commented : “Hi Tara – I’m disappointed you misrepresent me in this post. The tweet you quote is unconnected to the position you ascribe to me, and that ascribed position doesn’t reflect my views, as I made clear in the thread”

This work is licensed under a Creative Commons Attribution 4.0 International License.