Source: a PDF provided by European Digital Rights

Information Society   Communications Services

Brussels, 14:45







Working Document

Subject:    Practical follow-up to the opt-in approach regarding unsolicited electronic mail for direct marketing as included in Directive 2002/58/EC


This is a Committee working document which does not necessarily reflect the official position of the Commission. No inferences should be drawn from this document as to the precise form or content of future measures to be submitted by the Commission. The Commission accepts no responsibility or liability whatsoever with regard to any information or data referred to in this document.


This document is addressed to the Communications Committee, and has also been submitted to the Article 29 Working Party of national data protection authorities, for the purpose of initiating an exchange of views and ideas regarding the practical implementation of the new opt-in rule for unsolicited electronic mail for direct marketing purposes. This document is without prejudice to the different ways in which tasks and competencies with regard to the Telecommunications privacy directive have been divided between Data Protection Authorities (DPAs), National Regulatory Authorities (NRAs) (for telecommunications) and Ministries, in the various Member States. The Commission will also ask the providers of e-mail services (including mobile operators) for input and comments, especially with regard to points 5 and 6 of this paper.

Depending on the outcome of the discussion, a list of action points will be established including follow up by the relevant authorities in the Member States, the Commission and market players such as e-mail service providers. In addition, the Commission may elaborate guidelines to assist Member States in their efforts to establish an effective opt-in system as required by Directive 2002/58/EC on Privacy and Electronic Communications.

Member States' administrations and / or national regulatory authorities are invited to submit replies to the questions in the attached paper and any comments, views or suggestions on the issues addressed, to the secretariat of the Communications Committee ( by 28 February at the latest.

1. Awareness raising

By 31 October 2003 at the latest, all EU Member States must have transposed the new opt-in regime for unsolicited e-mail in national law. While this new approach has had a fair amount of publicity in the press during the debate in Council and European Parliament, there still appears to be little awareness among market players and citizens about what the opt-in will actually mean in practice. In order to achieve a high level of understanding about the new do's and don'ts with regard to commercial e-mail, sustained action will be needed in all Member States. This action should reach the following target groups: a) companies involved in or making use of direct marketing, b) consumers who subscribe to e-mail services, including SMS services and c) providers of e-mail services, including providers of mobile services.

To emphasise the pan-European dimension of the new regime, the Commission intends to create a page on the Europa website explaining the basics of the opt-in and referring via hyperlinks to national implementation aspects of the system.


1.1 Do you envisage to undertake awareness raising activities concerning the new opt-in regime? If so, which? Which authorities will be involved?

1. Complaints mechanism

Policing of the new opt-in approach will be crucial to ensure its credibility. Some Data Protection Authorities have set up mailboxes to which users can forward unsolicited commercial e-mail and have committed themselves to undertake action in targeted cases. The Federal Trade Commission in the USA is operating a similar mailbox and uses the input for prosecution on the basis of the unfair and deceptive trade practices law. The content of the FTC mailbox can also be searched by any interested party (lawyers, civil liberties organisations, consumer associations etc.) via a special multi-criteria search programme. This approach has much to commend itself as it encourages users to report infringement and provides Data Protection Authorities with a practical instrument to assess volume and seriousness of specific infringements against which action must be taken. Moreover, the mailbox will provide useful insights for designing preventive action. On the other hand, the volume of mail submitted to such boxes may be quite substantial and difficult to manage unless sufficient resources are made available for that purpose.

It will in any case be very important to ensure that the national complaints mechanisms, whatever their modalities, can be linked to ensure that complaints from users in one Member State regarding messages originating in another Member State will also be dealt with efficiently.


2.1 How have you handled user complaints regarding unlawful unsolicited communications until now? (e.g. regarding unsolicited commercial faxes under existing legislation) How effective has this method shown to be?

2.2 Do you intend to create an e-mailbox for unsolicited commercial e-mail? If yes, which follow-up will you be able to give to complaints? If not, which alternative do you envisage to deal with complaints?

2.3 Do you have a procedure in place for handling cross border complaints? If yes, describe please. If not, do you envisage such a procedure under the new rules for unsolicited commercial e-mail?

1. Redress / Judicial and non-judicial remedies and penalties

Following Article 15(2) of Directive 2002/58/EC, Member States must ensure that sanctions and judicial remedies are in place for infringement of any of the provisions of the directive and create possibilities for victims of illegal processing of personal data to claim damages, in accordance with the general data protection Directive.

Furthermore, for privacy infringements like sending unsolicited e-mail, an out-of-court redress mechanism may be rather important to achieve a satisfactory level of compliance with the new rules. Various initiatives were launched at national and EU level for alternative dispute resolution (ADR) mechanisms to deal with disputes in relation with on-line transactions and communications. The Commission will examine, on the basis of replies received to the questions below, which existing or new ADRs could cover disputes regarding unsolicited e-mail and how EU wide coverage can be achieved.

Finally it would be useful to examine whether National Regulatory Authorities or Data Protection Authorities can be empowered to impose administrative fines in cases of infringement of the opt-in requirement. This would certainly represent a fast and efficient instrument to enforce the new rules.


3.1 Which penalties exist for infringement of your current opt-in or opt-out legislation regarding various forms of unsolicited communications?

3.2 Have there been any court cases regarding infringements of current opt-in or opt-out law? Do you expect that enforcement of the new opt-in rule can be ensured by judicial means only?

3.3 Does your national legal framework allow for administrative fines in cases of infringement of existing opt-in or opt-out rules? Are such fines envisaged to enforce the new provisions on unsolicited commercial e-mail?

3.4 Are there any existing out-of court redress mechanisms at national level that could also cover complaints regarding unsolicited communications? If not, would you see a role for such a mechanism? Who could set it up?

1. Coverage

While every effort has been made to achieve a harmonised approach within the new provisions for unsolicited commercial e-mail in Article 13 of Directive 2002/58/EC, political and practical realities have still left some margin for divergence in the adopted text. Various aspects regarding the coverage of the new opt-in rule could lead to difficulties in view of the single market in the absence of an agreed harmonised interpretation and thus merit closer examination.


4.1 Do you expect any of the above points or any other aspects of the legal provisions regarding unsolicited communications in the new directive to cause problems of interpretation? Would you favour an EU guidelines approach to ensure a higher level of harmonisation?

4.2 Do you have any additional remarks from your national legal perspective with regard to the above points?

1. Contractual safeguards / outgoing e-mail

While providers of electronic communications services cannot be held liable for unsolicited commercial e-mail sent over their networks, they are likely to continue to be a (first) port of call for users complaining about unsolicited commercial e-mail. Many ISPs already include obligations in contracts with their customers prohibiting the use of the service for sending spam.

The definition of spam as used in contracts between ISPs and their customers, is likely to be different from that used in the new Directive and subsequent national transposition law. While there is no legal obligation on ISPs to adapt any definitions in contractual law, some convergence would probably be useful for all parties concerned. Since the new definition of e-mail will also cover SMS and MMS it is important to encourage other service providers to adopt a similar pro-active approach towards unsolicited commercial e-mail as ISPs have done. Mobile operators would in any case need to modify their current practice of sending unsolicited SMS messages ('welcome to the network') to GSM users roaming within their network.


5.1 Is there any information you could add from your national perspective regarding the role of contract law (contracts between service providers and their customers regarding unsolicited (bulk) mail) in combating unsolicited e-mail?

5.2 Do you intend to encourage active involvement of all service providers concerned, including mobile operators?

1. Filtering techniques / incoming e-mail

It is an agreed practice within the ISP community to block all incoming mail from servers that are used for sending spam (black listing) until the source of the spam is blocked from using the server. In addition, filtering products for spam can be employed by individual users within their own terminal equipment or by electronic communications service providers within their servers. In the latter case, it is important for the service provider to ensure a solid legal basis for employing filtering techniques, especially since filtering may occasionally block legitimate e-mail as well as creating a risk that either a sender or an intended addressee undertakes legal action against the ISP. Some ISPs therefore offer filtering as a service to their users and require permission for activating it.

These measures will not become superfluous with the new legal provisions on unsolicited commercial email. On the contrary, they will provide additional safeguards for the user and allow service providers to undertake direct action against spammers.


6.1 Are you aware of any legal problems service providers have encountered with regard to employing filtering devices against unsolicited commercial e-mail? Do you expect that the new opt-in approach will solve such problems?

1. E-mail originating in third countries

The new Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. As a consequence, Article 13 establishing the opt-in rule is applicable to all unsolicited commercial communications received on and sent from networks in the Community. This implies that such messages originating in third countries must also comply with EC rules, as must messages originating in the EC and sent to addressees in third countries.

The actual enforcement of the rule with regard to messages originating in third countries will clearly be more complicated than for messages from inside the EU. A mix of various instruments will be needed, including filtering techniques, enforcement through contract law and international cooperation.


7.1 Do you have experience with enforcement of an existing opt-in or opt-out rule for communications originating outside the EU? Have you attempted to obtain cooperation from authorities abroad in cases of non-compliance? What were the results?

1. Monitoring

In order to evaluate how the opt-in system works in practice and to address specific problems with suitable measures, both the Commission and the national administrations concerned will need up to date information on trends in unsolicited commercial e-mail, user complaints and difficulties encountered by service providers. Sources and type of information could be statistics about the use of a complaints mailbox, trends in nature, origin and volume of unsolicited commercial e-mail as detected by filtering software providers and service providers and national (regulatory) initiatives.

For the purpose of exchanging information, an informal on-line newsgroup could be created including national administrations, data protection authorities, service providers or their associations and the Commission.


8.1 Would you favour an informal on-line newsgroup to exchange information on trends, statistics and particular problems and solutions regarding unsolicited commercial e-mail?

Contact person : Marian Grubben, DG INFSO/B/1,
tel.+32.2.2990079 ; e-mail :

connected by Silver Server Member of GILC European Digital Rights Big Brother Awards Austria
Questions/Comments to:
last update: Sunday, 26-Mar-2006 11:58:42 CEST