Email Databases for Sale – legal concerns

//Email Databases for Sale – legal concerns

Nowadays a customer email database is a very important asset to a business. Why has it become so popular?  Simply because emails are cheap and easy to distribute.  Direct marketers still phone people, but reaching people through email has become even more popular as it is more targeted. Email databases have also become much more sophisticated than in the past and vendors often make use of specific software to create and maintain their email databases.  Customers often provide personal information to a vendor in terms of a specific agreement between the vendor and customer (especially in the electronic environment) and is often dealt with by way of a privacy policy.

So, how exactly may a vendor deal with their email database?

We are not going to focus on consumer rights where there is a contract in place, as the consumer will have a right to sue on grounds of breach of contract.

The issues that we will discuss in this post are:

  1. how the “sale” of an email database may impact on a customer’s privacy rights (in the absence of a contract between the parties); and
  2. the copyright in an email database.


In South Africa, privacy has recently received a lot of attention with the Protection of Personal Information Bill (POPI) being drafted by the South African Law Commission. Although we have been waiting the last couple of years for the Bill to become law – and still no real indication as to when it will actually happen – more and more vendors realize the importance of getting compliant with POPI in the mean time.  See our post Privacy: will the wait soon be over?

We have explained the current law on privacy in previous posts (see here). The bottom line is that currently the common law and Constitution are the only laws through which privacy is regulated (unless it is regulated by way of a contract). It should be noted in passing that the Electronic Communications and Transactions Act 25 of 2002 (“ECT Act”) provides for protection of personal information in section 51. However subscription to the privacy principles is currently voluntary due to the fact that the Law Commission is in the process of developing specific data protection/privacy legislation (the intention was that consumers would prefer to only deal with only those data collectors who had subscribed to the recorded data protection principles). However, because of its voluntary nature, the uptake has not been that great.

So the way in which you deal with your email database will be judged against the common law and Constitution.

Breach of privacy in terms of the common law will occur if there is an unlawful disclosure of private facts about a person. In terms of the common law, the only question to determine an infringement of privacy is whether the invasion of privacy was unlawful. “Unlawfulness” is judged by the “general sense of justice of the community”. Will the community in general regard the sale of an email database as unlawful? In our view, probably not. Examples of privacy infringements in terms of the common law recognised by our courts in the past include the reading of private documents, listening in to a private conversation and the disclosure of private facts in breach of a relationship of confidentiality. The mere distribution or sale of general personal information has not qualified in the past.

If we then turn to the South African Constitution, section 14 guarantees (i) certain specific privacy rights and (ii) a general right to privacy. Processing of personal data is not specifically protected under section 14 (this will include the sale).  So the only thing left to consider is whether processing of personal information can in general be interpreted to infringe the general right to privacy enshrined in the Constitution – bearing in mind that the general right to privacy is not absolute and may be limited by the limitation clause (section 36) and other constitutional rights.

privacy concerns do not currently prevent
you from selling your email database

In Bernstein v Bester the Constitutional Court held that “the use of a person’s name and identity without his or her consent” may constitute a violation of the right to privacy. However, the right is not unlimited and the scope of the right is limited to a person’s “reasonable or legitimate expectation” of privacy. The Constitutional Court has defined “legitimate expectation” to mean that one must have a “subjective expectation of privacy which society recognizes as objectively reasonable”. The Court further concluded in Bernstein that:

  • “The truism that no rights are considered to be absolute implies that from the outset of interpretation, each right is always already limited by every other right accruing to the citizen. In the context of privacy this would mean that it is only the inner sanctum of a person, such as his or her family life, sexual preference and home environment, which is shielded from erosion by conflicting rights of the community.” and
  • “Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities, such as business and social interactions, the scope of personal space shrinks accordingly.”

In our view, personal information relating to “truly personal realm” or “the inner sanctum of a person” may qualify for protection under section 14. Examples of this may include information on a person’s medical history or sexual preferences. But personal information of commercially and socially active people generally available on customer lists, such as email addresses, will probably not qualify for constitutional protection. Once POPI gets enacted though, the situation will change. POPI includes a very wide definition for personal information – which may be processed only in very specific circumstances. On the face of it, to sell your email database will not be allowed by POPI.

Copyright in an email database

So if privacy concerns are not currently standing in your way to sell your email database, what about copyright?

The first question one must consider is whether copyright can indeed exist in an email database. The Copyright Act 98 of 1978 defines a literary work to include “tables and compilations, including tables and compilations of data stored or embodied in a computer or a medium used in conjunction with a computer“.  An email database clearly falls within this definition of a literary work.

copyright can indeed exist
in an email database

If copyright can indeed exist in an email database, when will it qualify for copyright protection? A literary work qualifies for copyright protection if it:

  1. is original;
  2. exists in a material form;
  3. is created by a qualified person (in terms of the Copyright Act) or first published in a country allowed for in the Copyright Act.

(For a general discussion on these requirements, please see our post on Who owns web site posts)

From the above it follows that, in terms of our law, an email database can qualify for copyright protection, without any creativity being a requirement, as in certain other jurisdictions. Further to this, our law does not require a great deal of effort to meet the requirement of originality.  Our Supreme Court of Appeal  – the highest authority on issues like this – has ruled in Haupt t/a Softcopy v Brewers Marketing Intelligence (Pty) Ltd. and Others that “a work is considered to be original if it has not been copied from an existing source and if its production required a substantial (or not trivial) degree of skill, judgment or labour.”  An email database may meet this requirement fairly easy.

an email database can qualify
for copyright protection

Finally we need to consider who the owner of the copyright in the email database will be. As a literary work, the author will be the first owner of the copyright in the work. The author is the person who first makes or creates the work into a material form, by applying some form of intellectual effort and skill. This means that subject to the other requirements in terms of the Copyright Act being met, the person compiling or creating the email database will be the author and first owner of the copyright in the email database. In this regard it is important to note that where the creator of the email database is an employee, the employer owns the copyright in the email database.

So how can the author (and owner) of the email database deal with it? In terms of our copyright laws, copyright must be assigned in writing. This means that the copyright owner can either licence the use of the email database to other third parties or he can assign the email database to the new copyright owner – who will then have the exclusive rights associated with copyright in a work. The author (and first owner) can however not “sell” the email database (together with the copyright) to various third parties.

By |2019-08-24T10:14:49+02:00June 20th, 2009|Categories: POPI and Data Protection|Tags: , |