Information Society Communications Services
FOR INTERNAL USE ONLY
|Practical follow-up to the opt-in approach regarding unsolicited electronic mail for direct marketing as included in Directive 2002/58/EC
This document is addressed to the Communications Committee, and has also been submitted to the Article 29 Working Party of national data protection authorities, for the purpose of initiating an exchange of views and ideas regarding the practical implementation of the new opt-in rule for unsolicited electronic mail for direct marketing purposes. This document is without prejudice to the different ways in which tasks and competencies with regard to the Telecommunications privacy directive have been divided between Data Protection Authorities (DPAs), National Regulatory Authorities (NRAs) (for telecommunications) and Ministries, in the various Member States. The Commission will also ask the providers of e-mail services (including mobile operators) for input and comments, especially with regard to points 5 and 6 of this paper.
Depending on the outcome of the discussion, a list of action points will be established including follow up by the relevant authorities in the Member States, the Commission and market players such as e-mail service providers. In addition, the Commission may elaborate guidelines to assist Member States in their efforts to establish an effective opt-in system as required by Directive 2002/58/EC on Privacy and Electronic Communications.
Member States' administrations and / or national regulatory authorities are invited to submit replies to the questions in the attached paper and any comments, views or suggestions on the issues addressed, to the secretariat of the Communications Committee (email@example.com) by 28 February at the latest.
1. Awareness raising
By 31 October 2003 at the latest, all EU Member States must have transposed the new opt-in regime for unsolicited e-mail in national law. While this new approach has had a fair amount of publicity in the press during the debate in Council and European Parliament, there still appears to be little awareness among market players and citizens about what the opt-in will actually mean in practice. In order to achieve a high level of understanding about the new do's and don'ts with regard to commercial e-mail, sustained action will be needed in all Member States. This action should reach the following target groups: a) companies involved in or making use of direct marketing, b) consumers who subscribe to e-mail services, including SMS services and c) providers of e-mail services, including providers of mobile services.
To emphasise the pan-European dimension of the new regime, the Commission intends to create a page on the Europa website explaining the basics of the opt-in and referring via hyperlinks to national implementation aspects of the system.
Questions1.1 Do you envisage to undertake awareness raising activities concerning the new opt-in regime? If so, which? Which authorities will be involved?
1. Complaints mechanism
Policing of the new opt-in approach will be crucial to ensure its credibility. Some Data Protection Authorities have set up mailboxes to which users can forward unsolicited commercial e-mail and have committed themselves to undertake action in targeted cases. The Federal Trade Commission in the USA is operating a similar mailbox and uses the input for prosecution on the basis of the unfair and deceptive trade practices law. The content of the FTC mailbox can also be searched by any interested party (lawyers, civil liberties organisations, consumer associations etc.) via a special multi-criteria search programme. This approach has much to commend itself as it encourages users to report infringement and provides Data Protection Authorities with a practical instrument to assess volume and seriousness of specific infringements against which action must be taken. Moreover, the mailbox will provide useful insights for designing preventive action. On the other hand, the volume of mail submitted to such boxes may be quite substantial and difficult to manage unless sufficient resources are made available for that purpose.
It will in any case be very important to ensure that the national complaints mechanisms, whatever their modalities, can be linked to ensure that complaints from users in one Member State regarding messages originating in another Member State will also be dealt with efficiently.
2.1 How have you handled user complaints regarding unlawful unsolicited communications until now? (e.g. regarding unsolicited commercial faxes under existing legislation) How effective has this method shown to be?
2.2 Do you intend to create an e-mailbox for unsolicited commercial e-mail? If yes, which follow-up will you be able to give to complaints? If not, which alternative do you envisage to deal with complaints?
2.3 Do you have a procedure in place for handling cross border complaints? If yes, describe please. If not, do you envisage such a procedure under the new rules for unsolicited commercial e-mail?
1. Redress / Judicial and non-judicial remedies and penalties
Following Article 15(2) of Directive 2002/58/EC, Member States must ensure that sanctions and judicial remedies are in place for infringement of any of the provisions of the directive and create possibilities for victims of illegal processing of personal data to claim damages, in accordance with the general data protection Directive.
Furthermore, for privacy infringements like sending unsolicited e-mail, an out-of-court redress mechanism may be rather important to achieve a satisfactory level of compliance with the new rules. Various initiatives were launched at national and EU level for alternative dispute resolution (ADR) mechanisms to deal with disputes in relation with on-line transactions and communications. The Commission will examine, on the basis of replies received to the questions below, which existing or new ADRs could cover disputes regarding unsolicited e-mail and how EU wide coverage can be achieved.Finally it would be useful to examine whether National Regulatory Authorities or Data Protection Authorities can be empowered to impose administrative fines in cases of infringement of the opt-in requirement. This would certainly represent a fast and efficient instrument to enforce the new rules.
3.1 Which penalties exist for infringement of your current opt-in or opt-out legislation regarding various forms of unsolicited communications?
3.2 Have there been any court cases regarding infringements of current opt-in or opt-out law? Do you expect that enforcement of the new opt-in rule can be ensured by judicial means only?
3.3 Does your national legal framework allow for administrative fines in cases of infringement of existing opt-in or opt-out rules? Are such fines envisaged to enforce the new provisions on unsolicited commercial e-mail?
3.4 Are there any existing out-of court redress mechanisms at national level that could also cover complaints regarding unsolicited communications? If not, would you see a role for such a mechanism? Who could set it up?
While every effort has been made to achieve a harmonised approach within the new provisions for unsolicited commercial e-mail in Article 13 of Directive 2002/58/EC, political and practical realities have still left some margin for divergence in the adopted text. Various aspects regarding the coverage of the new opt-in rule could lead to difficulties in view of the single market in the absence of an agreed harmonised interpretation and thus merit closer examination.
- Definition of e-mail : the new definition of electronic mail is rather broad by design in order to ensure technological neutrality. For this reason it does not mention any specific technologies that will be caught in its scope. While a recital in the Directive clarifies that e-mail includes SMS messages, various other technologies are also included such as messages left at answering machines or voice mail service systems and instant messaging systems. Some form of guidance/explanation may be needed for the benefit of businesses, users of e-mail services and direct marketers, but it will be important to ensure a consistent approach throughout the EU.
- Legal vs natural persons : Member States are only required to ensure the protection afforded by Article 13 to natural persons. They remain free to determine appropriate safeguards for the legitimate interests of legal persons. However, making such a distinction may not be easy in practice. Various questions need to be addressed such as How can a sender determine whether a recipient is a natural or a legal person? Should an e-mail address consisting of the name of an individual working for a company be considered as belonging to a natural or a legal person? Which efforts will a sender be required to make to verify whether the number /address really belongs to a legal person? What to do with an e-mail originating in a Member State not affording safeguards for legal persons received in a Member State offering the same level of protection for legal and natural persons? Clearly practical rules will need to be developed in those Member States who want to distinguish between legal and natural persons, taking account of cross-border effects.
- Concept of direct marketing : There is no definition of direct marketing, only a description in recital 30 of Directive 95/46/EC, which states that messages by charities and political parties are also covered by the definition.
- Concept of 'similar products and services' : While this description leaves some room for interpretation, it would not be desirable to include further specification of this concept in national law as this may undermine the harmonised approach. The use of this clause is already restricted to a) the same company that collected the data, b) the context of a sale and c) the obligation to continue to offer an opt-out. These restrictions would appear to provide sufficient safeguards against possible widening of the 'similar products and services' concept in individual cases. If there is a need for further detail the best way to proceed would seem to be through guidelines at EU level.
4.1 Do you expect any of the above points or any other aspects of the legal provisions regarding unsolicited communications in the new directive to cause problems of interpretation? Would you favour an EU guidelines approach to ensure a higher level of harmonisation?
4.2 Do you have any additional remarks from your national legal perspective with regard to the above points?
1. Contractual safeguards / outgoing e-mail
While providers of electronic communications services cannot be held liable for unsolicited commercial e-mail sent over their networks, they are likely to continue to be a (first) port of call for users complaining about unsolicited commercial e-mail. Many ISPs already include obligations in contracts with their customers prohibiting the use of the service for sending spam.
The definition of spam as used in contracts between ISPs and their customers, is likely to be different from that used in the new Directive and subsequent national transposition law. While there is no legal obligation on ISPs to adapt any definitions in contractual law, some convergence would probably be useful for all parties concerned. Since the new definition of e-mail will also cover SMS and MMS it is important to encourage other service providers to adopt a similar pro-active approach towards unsolicited commercial e-mail as ISPs have done. Mobile operators would in any case need to modify their current practice of sending unsolicited SMS messages ('welcome to the network') to GSM users roaming within their network.
5.1 Is there any information you could add from your national perspective regarding the role of contract law (contracts between service providers and their customers regarding unsolicited (bulk) mail) in combating unsolicited e-mail?
5.2 Do you intend to encourage active involvement of all service providers concerned, including mobile operators?
1. Filtering techniques / incoming e-mail
It is an agreed practice within the ISP community to block all incoming mail from servers that are used for sending spam (black listing) until the source of the spam is blocked from using the server. In addition, filtering products for spam can be employed by individual users within their own terminal equipment or by electronic communications service providers within their servers. In the latter case, it is important for the service provider to ensure a solid legal basis for employing filtering techniques, especially since filtering may occasionally block legitimate e-mail as well as creating a risk that either a sender or an intended addressee undertakes legal action against the ISP. Some ISPs therefore offer filtering as a service to their users and require permission for activating it.
These measures will not become superfluous with the new legal provisions on unsolicited commercial email. On the contrary, they will provide additional safeguards for the user and allow service providers to undertake direct action against spammers.
6.1 Are you aware of any legal problems service providers have encountered with regard to employing filtering devices against unsolicited commercial e-mail? Do you expect that the new opt-in approach will solve such problems?
1. E-mail originating in third countries
The new Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. As a consequence, Article 13 establishing the opt-in rule is applicable to all unsolicited commercial communications received on and sent from networks in the Community. This implies that such messages originating in third countries must also comply with EC rules, as must messages originating in the EC and sent to addressees in third countries.
The actual enforcement of the rule with regard to messages originating in third countries will clearly be more complicated than for messages from inside the EU. A mix of various instruments will be needed, including filtering techniques, enforcement through contract law and international cooperation.
7.1 Do you have experience with enforcement of an existing opt-in or opt-out rule for communications originating outside the EU? Have you attempted to obtain cooperation from authorities abroad in cases of non-compliance? What were the results?
In order to evaluate how the opt-in system works in practice and to address specific problems with suitable measures, both the Commission and the national administrations concerned will need up to date information on trends in unsolicited commercial e-mail, user complaints and difficulties encountered by service providers. Sources and type of information could be statistics about the use of a complaints mailbox, trends in nature, origin and volume of unsolicited commercial e-mail as detected by filtering software providers and service providers and national (regulatory) initiatives.
For the purpose of exchanging information, an informal on-line newsgroup could be created including national administrations, data protection authorities, service providers or their associations and the Commission.
8.1 Would you favour an informal on-line newsgroup to exchange information on trends, statistics and particular problems and solutions regarding unsolicited commercial e-mail?Contact person : Marian Grubben, DG INFSO/B/1,
tel.+32.2.2990079 ; e-mail : firstname.lastname@example.org
Questions/Comments to: email@example.com
last update: Sunday, 26-Mar-2006 11:58:42 CEST