Workshop to be held in Brussels on 16 October 2003
EUROPEAN COMMISSION
Information Society Directorate-General
The results of the workshop, which will be attended by representatives
of the Member States, business and consumer associations, will be
used for the text of the Communication that the Commission is
preparing on spamming, which is expected to be published by the
end of 2003.
Brussels, 1 October 2003
Note: This is a working document of DG Information Society which
does not necessarily reflect the official position of the Commission.
No inferences should be drawn from this document as to the precise
form or content of future measures to be submitted by the Commission.
The Commission accepts no responsibility or liability whatsoever
with regard to any information or data referred to in this document.
TABLE OF CONTENTS
Background and purpose of the document
Structure of the document
1. Awareness
1.1. Issue
1.2. Proposed actions
2. Effective application of the opt-in regime
2.1. Issue
2.2. Proposed actions
3. Complaints mechanisms
3.1. Issue
3.2. Proposed actions
4. Effective enforcement
4.1. Issue
4.2. Proposed actions
5. Effective remedies and penalties
5.1. Issue
5.2. Proposed actions
6. Cooperation with third countries
6.1. Issue
6.2. Proposed actions
7. Technical issues
7.1. Issue
7.2. Proposed actions
8. Monitoring
Background and purpose of the document
On 25 July 2003, European Commissioner for Information Society
Erkki Liikanen said: "Combating spam has become a matter for
us all and has become one of the most significant issues facing
the Internet today. It is a fight over many fronts. The EU,
Member States, industry and consumers all have a role to play
in the fight against spam both at the national and international
level. We must act before users of e-mails or SMS stop using
the Internet or mobile services, or refrain from using it to
the extent that they otherwise would"[1].
This working document outlines elements of a possible Commission
Communication on various legal, technical and educational facets
of unsolicited commercial communications (UCC) or spam, building
on the ‘opt-in’ regime to be introduced in all Member States
by the end of October 2003. It will be discussed at a one day
workshop which will take place in Brussels on 16 October 2003.
The Working Document builds on previous discussions in the context
of the Communications Committee (COCOM)[2] and with the Article
29 Data Protection Working Party[3]. In response to a questionnaire,
information was provided by members of the COCOM and of the
Article 29 Data Protection Working Party. A number of industry
associations or individual companies also reacted, from ISPs
and communications operators (mobile and fixed) through direct
marketeers and advertisers, to computer and software manufacturers.
Structure of the document
To serve discussions, the issues and proposed actions identified
so far are presented according to the following structure:
- Awareness
- Effective application of the opt-in regime
- Complaints mechanisms
- Effective enforcement
- Effective remedies and penalties
- Cooperation with third countries
- Technical issues
- Monitoring
These issues and the proposed actions are related to each other
in several ways. They may also be implemented in an integrated
fashion.
Each section starts with a short summary of the issue to facilitate
discussion. The document has been deliberately kept short in
view of its purpose and it should therefore not be considered
as exhaustive on any of the subjects covered.
Some ‘best practices’ have been singled out whenever considered
useful.
1. Awareness
1.1. Issue
By 31 October 2003 at the latest, all EU Member States must
have transposed the new opt-in regime for unsolicited e-mail
into national law. While this new approach has had a fair amount
of publicity in the press, there may still be hesitations among
market players and citizens about what the opt-in will actually
mean in practice[4].
Users will be empowered by the opt-in regime and they have to
take their responsibility when using services and passing personal
data. To enable this however, they must be aware of the basic
rules applicable to unsolicited communications. In addition,
users need to know how they can prevent spam by adapting
their behaviour. Finally, they need to know what filtering
software is on the market and what service and software providers
can do for them.
While awareness raising activities concerning the new opt-in
regime have been undertaken, or are envisaged, in most Member
States, they can differ widely in terms of timing, nature of
information provided, target audience and parties involved.
Some Member States however wait until national laws are in place.
Public consultation on the implementation of Directive 2002/58/EC
has contributed to a fair degree of awareness whenever it has
been organised.
Best practice
The ‘Commission National Informatique et Libertés’ (‘CNIL’),
i.e. the French Data Protection Authority, has put on its website
a quite substantial information package on various aspects
of spam: the results of its e-mailbox experience and the
cases referred to judicial authorities (see below), basic
guidance on how to prevent spam, information on how to report
spam, references of users’ associations active in this area,
etc.
Information provided
In particular as regards the nature of information provided,
activities targeted at businesses and/or consumers can include:
- basic information on the new rules;
- practical information on acceptable marketing practices under the
opt-in regime, including clarification of legitimate collection of
personal data;
- practical information on how to avoid unsolicited commercial
communications (UCC)/spam (e.g. filtering, use of personal data, etc.);
- information on practical steps when confronted with UCC/spam,
including on complaints mechanisms and possible alternative dispute
resolution (ADR) systems.
Parties involved
Various authorities can be responsible for these activities
depending on their respective powers in a given Member State
(e.g. data protection authorities (DPAs), national regulatory
authorities for the electronic communications sector (NRAs),
consumer protection agencies, ombudsmen).
Coordination among the various competent authorities does not
appear to be the rule in all Member States. Ministries appear
to be involved in some Member States. Industry associations
are often involved. Sometimes consumer or user associations
are also taking part in these activities.
Some parts of the industry as well seem to have undertaken awareness
raising activities at national, EU or global level, although
here again, these activities can differ widely. These include:
- practical guides to direct marketeers, or campaigns directed
at the communications sector in particular;
- general guidance to customers on codes of conduct, complaint
mechanisms and filtering;
- platform/working group to develop best practices for commercial
communications (see also below).
1.2. Proposed actions
In order to achieve a high level of understanding about the
new do’s and don’ts with regard to commercial e-mail, sustained
action is needed in all Member States on both prevention and
enforcement.
All parties are invited to play their role in awareness raising
activities, from Member States and competent authorities, through
businesses, to consumers/user associations.
In particular, practical information on prevention, acceptable
marketing practices, and on technical and legal solutions available
to users is encouraged.
Information to users on their rights and on complaints mechanisms
is also important.
These actions should reach the following target groups:
a) companies involved in or making use of direct marketing,
b) consumers who subscribe to e-mail services, including SMS
services and
c) providers of e-mail services, including providers of mobile
services.
Awareness activities should be carried out through different
channels (not only web-based), with a view to effectively reaching
the various audiences targeted. In this regard, involvement
of industry and consumer associations is important.
Actions listed below should also refer to effective industry
codes of conduct, complaints mechanisms, trustmarks and/or certification
schemes where available.
In addition, the Commission services will provide information
on its EUROPA website including:
- the basics of opt-in;
- references via hyperlinks to national implementation aspects;
- basic figures and trends on spam in the EU where available.
2. Effective application of the opt-in regime
2.1. Issue
Combating spam is a matter for all interested parties. Industry
can play a specific role since it can turn the opt-in regime
into day-to-day business practice. Day-to-day practice includes
not only terms and conditions for end-users, but also relations
with business partners.
In many cases, better coordination through industry associations,
and involvement of sector-specific self-regulatory bodies and
consumer/user associations is needed, including involvement
of data protection authorities or other competent national authorities.
Service providers’ contractual practices towards subscribers
Contracts can help in the fight against UCC/spam, subject to
safeguards with respect to individual rights. Many ISPs already
include obligations in contracts with their customers prohibiting
the use of the service for sending spam. Such ISPs already prohibit
the sending of unsolicited e-mail, or bulk e-mail, from their
e-mail accounts. Such clauses are sometimes based on the need
for ISPs to take all measures to prevent inappropriate usage
of their services. Other ISPs refer to existing codes of conduct
as regards bulk e-mails or, indeed, to self-regulatory principles
(e.g. ‘netiquette’).
The concepts as used in contracts between ISPs and their customers
are likely to be different from those used in the new Directive
and subsequent national transposition law.
In terms of customer service, there is also a need for a more
pro-active filtering policy by providing information on anti-spam
filters, and by providing filtering services or facilities to
subscribers as an option.
Service Providers’ contractual practices towards business partners
The same is valid whenever ISPs or mobile operators enter into
contracts with third parties and in particular with direct marketeers.
This concerns not only, for instance, direct relationships
with companies offering mobile premium rate services. It also
includes operators with whom a given service provider has interconnection
agreements.
Direct marketeers’ own practices
Opt-in has implications for several marketing activities, such
as:
- the adaptation of the methods for collecting e-mail addresses and
other electronic contact details to the new regime (needless to say,
harvesting of e-mail addresses will remain incompatible with Community
law);
- the adaptation of existing lists to the new regime upon entry
into force in Member States;
- the prohibition to use and sell non-compliant lists after
the entry into force of the national provisions.
Best practice
As an illustration, the Dutch Ministry of Economic Affairs has
provided in 2003 funding for a platform called ‘Basic Principles
for Commercial e-Mail’ grouping different branches of the industry
and competent authorities (Ministry, DPA, NRA, Advertising Committee).
The intention is to develop practical implementation of the
opt-in principle. This practical implementation will be tested
with the data protection authority. Results will be widely advertised.
(see http://www.ecp.nl/projecten.php#32 )
2.2. Proposed actions
Industry involvement and self-regulation or, indeed, co-regulation,
could be promoted in areas where legislation and enforcement
by public authorities alone may not be sufficient. All interested
parties should play their part in this area, including consumer
associations and/or users’ associations.
Various initiatives have already been announced by industry
associations such as the drafting of codes of conduct and the
dissemination of good marketing practices. A Europe-wide online
code of conduct for direct marketeers would be welcome, according
to the European Federation of Direct Marketing (FEDMA).
In order to promote greater awareness among users, tools such
as trustmarks/webseals could be used where appropriate. As often,
effective application of self-regulatory solutions will depend
on the structure put in place to oversee respect for
them, including effective sanctions.
Generally speaking, codes of conduct and other self-regulatory
initiatives, and contracts should conform to the opt-in rules.
Involvement of the competent regulatory authority could be helpful
in this regard.
On the substance of such initiatives, adaptation of terms and
conditions of subscriber contracts could be useful for all parties
concerned. This is not only applicable to internet service providers
but also to providers of SMS and MMS. As a complementary measure,
information on filters and on filtering software or services
could be provided as an optional customer service (on
filtering, see also section 7.1, below).
Clauses in contracts with business partners (e.g. interconnection,
premium rate services) should aim at reflecting opt-in compliant
marketing practices and provide for adequate penalties in case
of breach.
Adaptation of direct marketeers’ practices would also be helpful.
Marketing practices compliant with the opt-in regime should
not only be promoted, but also, practices should be adapted
in day-to-day practice. Direct marketeers could in particular
agree on specific, opt-in compliant methods to collect personal
data (e.g. double opt-in systems). Labelling of opt-in compliant
users’ databases and e-mails could be envisaged (e.g. ADV label).
It should be recalled in that context that the Article 29 Data
Protection Working Party can approve EU-wide codes of conduct
(see Article 30 of the General Data Protection Directive 95/46/EC).
The Commission services have invited the Article 29 Data Protection
Working Party to consider approving such EU-wide codes of conduct.
3. Complaints mechanisms
3.1. Issue
Enforcement of the new opt-in approach will be crucial to ensure
its credibility. This includes adequate complaints mechanisms.
Some Data Protection Authorities (DPAs) have set up mailboxes
to which users can forward unsolicited commercial e-mail and
have committed themselves to undertaking action in targeted
cases.
France and Belgium have used such dedicated e-mailboxes and
results are quite interesting. Reports on these initiatives
are available to the public[5]. The Federal Trade Commission
in the USA is operating a similar mailbox and uses the input
for prosecution on the basis of the existing unfair and deceptive
trade practices rules.
Among the advantages of e-mailboxes is the fact that e-mailboxes
appear to encourage consumers to report infringements and hence
make enforcement of adopted legislation more effective.
In addition, they can provide essential statistics about the
size and the nature of the problems encountered in a given country
or region. This, in turn, constitutes a valuable tool for setting
enforcement priorities or, indeed, adapting them.
Moreover, prevention actions can be built on the basis of the
knowledge acquired. As an illustration, the CNIL, i.e. the French
DPA, has used information gathered during the ‘boîte à spams’
operation to build preventive information packages targeted
at users or at marketeers.
The usefulness of an e-mailbox to monitor and measure the scale
and scope of spam understandably depends on the ability to investigate
the complaints made in a useful and rapid manner.
While there is generally an interest in learning from other
Member States’ experience with e-mailboxes, only some Member
States appear to plan or consider the possibility to use a dedicated
e-mailbox. The reasons indicated are generally:
- the existing possibility to complain by e-mail via e.g. the
DPA’s website;
- the need for additional dedicated staff and equipment according
to some respondents;
- or the need to change existing legal procedures.
Some Member States seem to prefer normal administrative procedures
and/or contacts with ISPs, or Computer Emergency Response Teams
(CERTs) in case of network disruption. Other Member States favour
more traditional procedures (damage claims under civil law/administrative
proceedings). Co-regulation or self-regulation are sometimes
invoked as best alternatives.
3.2. Proposed actions
Member States and competent authorities are invited to consider
the use of dedicated e-mailboxes, supported by information campaigns.
Information on e-mailbox experiences could be shared with Member
States and competent authorities and with the Commission services.
These dedicated e-mailboxes would have to be designed in a way
that enables easy search and analysis for reasons of better
understanding of the problem and in order to allow priority-setting
in terms of enforcement.
The Commission will work with Member States on how coordination
on complaints handling could be achieved throughout the EU.
4. Effective enforcement
4.1. Issue
Despite its deterrent effect, legislation may not be enough
for the new rules to have a sufficient impact. Effective enforcement
of the opt-in still does not appear to be a priority in all Member
States. This implies adequate enforcement mechanisms, including
cross-border mechanisms. (Cooperation with third countries is
analysed under Section 6, below.)
Enforcement mechanisms
The way procedures regarding unlawful unsolicited communications
are organised and handled has been quite diverse until now[6].
The very instrument of an EU Directive implies that Member States
keep some margin of manoeuvre in implementing its provisions.
At the same time, effective enforcement is needed whatever method
is used.
Diversity in Member States
Except in a few Member States, complaints do not necessarily
lead to investigation. Pre-infringement contacts have sometimes
been used, including directions and guidelines to companies,
reportedly with some success. Sometimes this pre-complaint phase
is left to the consumer who should contact the company before
filing a complaint. Self-regulation is in place in some countries
(e.g. the UK) to organise this first phase of action. Industry
respondents refer to existing, more or less self-regulatory
complaints mechanisms already in place. Authorities often act
also on their own initiative. Specific entrustment to an administrative
authority such as the DPA would normally not preclude direct
access to the judicial system.
Not all DPAs can act against legal persons. Not all DPAs have
(yet) the possibility to impose sanctions. An alternative solution
is for these authorities to lodge a complaint with judicial
authorities. In France, the ‘success’ of the e-mailbox
has led the DPA to select a few specifically characterised cases
and refer them to judicial authorities. In Belgium, a similar
experience has led to an exchange of views with the suspected senders
and, in cross-border cases, to their referral to EU counterparts
or to the US FTC.
A number of factors seem to influence the effectiveness of enforcement
mechanisms:
– the possibility to enforce legislation with effective fines
or other penalties. Some regulatory authorities apparently still
lack (effective) enforcement powers;
– the nature of complaints mechanisms and remedies available to
individuals and companies;
– the need for clarity and coordination among national authorities
in view of their sometimes overlapping duties (e.g. NRAs, DPAs)
in this area;
– the level of awareness among users about their rights - and
the consequent lack of clarity of their complaint. This would
include information on what will be investigated or not, what
types of enforcement may be taken, and what information is needed
in order to pursue an investigation;
– coordination and cooperation among Member States and between
Member States and third countries on the national law applicable
to given cases;
– the level of resources to track down ‘spammers’ operating
offshore and hiding their identity, including by using others’ identity,
addresses or servers.
Cross-border complaints and cooperation on enforcement inside the EU
Dealing with cross-border complaints is an important requirement
to successfully protect consumers in this area. It will be very
important to ensure that the national complaints mechanisms,
whatever their modalities, can be linked to ensure that complaints
from users in one Member State regarding messages originating
in another Member State will also be dealt with efficiently.
At present not all Member States have a formal procedure to
deal with cross-border complaints. It is also not obvious to
Member States what possible general, international cooperation
instruments can be used to trigger EU-wide cooperation.
Current solutions include contacts with the relevant authority
in another Member State and the possible transfer of the complaint
to the relevant authority where the message(s) originate.
Work is being done by DPAs at the European level (including
EEA and candidate countries) to exchange information on cross
border complaints, by way of an informal group called ‘Complaints
handling workshops’. The opportunity exists to use it for cross-border
complaints related to UCC/spam including work on the determination
of the law applicable to given cases.
4.2. Proposed actions
Member States and competent authorities are invited to assess
the effectiveness of their legal system to cope with user complaints
and envisage adaptations if needed.
Coordination among competent national authorities is encouraged.
This includes coordination and exchanges of information among
DPAs, NRAs and other competent authorities in charge of certain
forms of UCC/spam (e.g. fraudulent UCC/spam or ‘scams’, pornographic
UCC/spam, messages on illegally distributed health-related products).
Member States and competent authorities are also invited to
assess the effectiveness of their existing procedures for handling
cross-border complaints (e.g. mutual assistance agreements).
In view of the cross-border nature of the subject matter, coordination
of national initiatives is important. Complaints from users
in one Member State regarding messages originating in another
Member State should also be dealt with efficiently. Member States
are invited to investigate ways of removing existing barriers
to information exchange and cooperation and the possibility
of seeking and obtaining action from their counterparts in other
Member States. In practical terms it could be useful to have
a liaison mechanism (see the DPAs’ initiative mentioned above)
by which national regulators could cooperate in pursuing cross-border
cases.
5. Effective remedies and penalties
5.1. Issue
Member States must ensure that penalties and remedies are in
place for infringements of the provisions of the Directive on
Privacy and Electronic Communications, and create possibilities
for victims of illegal processing of personal data to claim
damages, in accordance with the general data protection Directive
95/46/EC.
Article 15 of Directive 2002/58/EC refers to Chapter III of
Directive 95/46/EC on Judicial remedies, liability and sanctions:
Article 22
Remedies
Without prejudice to any administrative remedy for which provision
may be made, inter alia before the supervisory authority referred
to in Article 28, prior to referral to the judicial authority,
Member States shall provide for the right of every person to
a judicial remedy for any breach of the rights guaranteed him
by the national law applicable to the processing in question.
Article 23
Liability
1. Member States shall provide that any person who has suffered
damage as a result of an unlawful processing operation or of
any act incompatible with the national provisions adopted pursuant
to this Directive is entitled to receive compensation from the
controller for the damage suffered.
2. The controller may be exempted from this liability, in whole
or in part, if he proves that he is not responsible for the
event giving rise to the damage.
Article 24
Sanctions
The Member States shall adopt suitable measures to ensure the
full implementation of the provisions of this Directive and
shall in particular lay down the sanctions to be imposed in
case of infringement of the provisions adopted pursuant to this
Directive.
At present, remedies generally include fines or an ‘injunction’
to cease the unlawful data processing, and sometimes the ‘blocking’
of websites involved. In many Member States, ‘injunctions to
cease’ the unlawful processing can be awarded, possibly prior
or concomitantly to fines in case of non-compliance. However,
not all authorities have jurisdiction over the complete set
of infringements around UCC/spam, nor do they have the same
tools in their hands. Cases are also often referred to judicial
authorities.
Not all Member States provide for remedies and penalties under
administrative law, or under criminal law. Criminal sanctions
vary, up to terms of imprisonment in certain Member States.
In addition, there is generally the possibility to claim damages
under civil law.
While there is often a distinction between ‘light’ and ‘serious’
offences (e.g. massive mailings, misleading or fraudulent advertising
and trade practices), penalties themselves vary greatly among
Member States.
In many cases, spam activities may also lead to remedies provided
under general data protection legislation (e.g. breach of the
obligation to notify, of the right of access, of the obligation
to appoint a representative in an EU Member State etc.) or under
specific legislation (e.g. misleading advertising, fraudulent
marketing, etc.). Prior to the opt-in regime in particular,
various legal grounds have been used to tackle certain forms
of UCC/spam (e.g. bulk e-mails campaigns, purpose-limitation,
network disruption, abuse of e-mail accounts, fraud, misinterpretation
of contracts).
Generally speaking, judicial means are not considered as sufficient
to ensure enforcement. Not all Member States have judicial
sanctions in place for infringements. In general, administrative
fines can be imposed, by the DPA and/or the NRA. Amounts vary.
Member States with no such possibility are generally considering
their introduction. Compared to judicial sanctions, administrative
sanctions are said to be particularly adequate for such a dynamic
sector. DPAs and NRAs often offer complementary tools for enforcement.
Administrative procedures may in particular be both affordable
and speedy (e.g. reportedly within 50 days by the Italian DPA).
For privacy infringements like sending unsolicited e-mail, an
out-of-court redress mechanism may be rather useful to achieve
a higher level of compliance with the new rules. Various initiatives
were launched at national and EU level for alternative dispute
resolution (ADR) mechanisms to deal with disputes in relation
with online transactions and communications. The Commission
has adopted Recommendations on ADR in 1998 and 2001, thereby
setting out principles to be applied to such systems. Several
initiatives are underway regarding consumer protection-related
ADR systems (e.g. EEJ-NET)[7].
Out-of-court redress mechanisms exist in some countries, sometimes
established by legislation, though they vary in many regards,
such as origin (branch-specific e.g. direct marketing, e-mail
marketing), ‘jurisdiction’, powers and sanctions (e.g. damage
claims), involvement of specific authorities (e.g. DPAs, advertising
standards bodies) etc.
For those mechanisms to be sufficiently efficient, certain conditions
need to be met e.g. how they are organised and promoted, and
how compliance with rulings is ensured. Setting them up would
also require cooperation between authorities and industry.
5.2. Proposed actions
A balanced approach including legislation, enforcement and self-regulation
is often identified as the best approach to enforce the opt-in
system.
Member States are invited to assess the effectiveness of their
system of penalties and remedies for infringements and create
adequate possibilities for victims to claim damages.
Member States and competent authorities with no administrative
remedies are invited to consider adopting such remedies against
UCC/spam, as a tool to ensure a fast, affordable and efficient
procedure to enforce the opt-in regime.
The creation and use of effective self-regulatory complaints
mechanisms and alternative dispute resolution mechanisms (ADR)
is also encouraged, building on existing initiatives whenever
possible. They could be particularly useful with respect to
cases where international cooperation would be less effective.
6. Cooperation with third countries
6.1. Issue
The new rules apply to the processing of personal data in connection
with the provision of publicly available electronic communications
services in public communications networks in the Community.
As a consequence, Article 13 of Directive 2002/58/EC establishing
the opt-in rule is applicable to all unsolicited commercial
communications received on and sent from networks in the Community.
This implies that such messages originating in third countries
must also comply with EC rules, as must messages originating
in the Community and sent to addressees in third countries.
The actual enforcement of the rule with regard to messages originating
in third countries will clearly be more complicated than for
messages from inside the EU. Still it is important since much
spam comes from outside the EU.
While a mix of various instruments will be needed, including
prevention, filtering techniques, self-regulation, contracts,
international cooperation, the present section covers in particular
the latter issue.
The first objective of international cooperation is to promote
the adoption of effective legislation in third countries. The
second objective of international cooperation is to cooperate
with third countries to ensure effective enforcement of legislation.
There is not much experience of enforcing existing opt-in
or opt-out rules for communications originating outside the
EU. Besides the fact that UCC/spam is a relatively new phenomenon,
the difficulties often quoted include: identifying the senders
of such UCC/spam, or the amount of effort required to do so;
the lack of (appropriate) international cooperation mechanisms;
and the lack of jurisdiction of some authorities on
international matters.
6.2. Proposed actions
At the multilateral level, some Member States already participate
actively in forums such as the OECD, where work on spam has
started. Active participation in this work is encouraged in
particular as regards the identification of possible solutions
at the international level.
The Commission will host an OECD workshop on spam in February
2004 which is intended to contribute to a better understanding
of the problem created by spam and its possible solutions. Concrete
follow-up actions at OECD level would depend on the results
of the workshop.
At the UN level, the Commission has raised the issue of spam
in the context of the forthcoming World Summit on the Information
Society (Geneva, 10-12 December 2003) in order to promote awareness
and international cooperation on this issue.
Member States and competent authorities are also invited to
promote bilateral cooperation with third countries. This does
not only include the promotion of effective legislation but
also cooperation on enforcement, including police and judicial
cooperation where appropriate.
The Commission services will continue to be active in international
fora (e.g. OECD, WSIS) and through their bilateral meetings
and discussions (e.g. the USA and Canada, Australia, Asian countries
(e.g. ASEM)).
7. Technical issues
7.1. Issue
As regards traditional e-mail, it is a common practice within
the ISP community to block incoming mail from servers that are
used for sending spam (black listing) until the source of the
spam is identified and prevented from using the server. In addition,
filtering software can be employed by individual users within
their own terminal equipment or by electronic communications
service providers within their servers. In short, there appear
to be many solutions being developed to counter spam on the
technical front.
However, not all filtering practices and techniques offer the
same level of user control. Nor do they offer the same guarantees
for data protection and privacy, e.g. respect for the confidentiality
of communications. They may also not yet be adapted to the new
opt-in regime applicable in EU countries for marketing communications
(prior consent-based, marketing related, bulk and non-bulk).
Also, more differentiation between legitimate marketing (e.g.
opt-in compliant) and unsolicited communications or spam may
lead to filtering software becoming more efficient.
While the new legal provisions on unsolicited commercial e-mail
provide additional safeguards for the user and greater security
for service providers to undertake action on request against
‘spammers’, filtering may occasionally block legitimate e-mail
(‘false positives’) or allow spam to get through (‘false negatives’).
In some cases, this can create a risk that either a sender or
an intended addressee undertakes legal action against an ISP.
Some ISPs therefore offer filtering as an optional service to
their users and require permission for activating it. Other
issues have been raised, such as: filtering vs. freedom of expression;
filtering vs. the contractual obligation to transmit e-mails
addressed to customers.
As regards filtering in mobile services, the different business
model environment for mobile services compared to fixed internet
services may justify different solutions. In particular, the
former model would normally include per-message delivery charges
which make UCC/spam more costly. However, some new services
entail charging based on retrieval. Filters and viewing facilities
could then be provided to subscribers.
Finally, attention is needed on open relays. Open relays are
SMTP servers that can be used for relaying messages that are sent
by users other than users local to the said server. In the past,
most relays were open. When open, however, relays can be (ab)used
by spammers to send unsolicited communications quite easily.
Simple preventive measures would reduce the possibilities for
abuse. The same is true for open proxies.
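The open-relay behaviour described above, and the kind of simple preventive measure the paragraph refers to, as an added example that is not part of the Commission document: a relay decision that serves only local users, next to the historic accept-everything behaviour. The domain, networks, addresses and reply strings are constructed, and the rule refusing routing characters in the local part is an assumption about what such a measure would include.

```python
import ipaddress

# Constructed policy values (assumptions, not taken from the document).
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ROUTING_CHARS = set("%!@")  # percent-hack, bang-path, nested address


def split_recipient(rcpt):
    """Return (local_part, domain), or None if the address is malformed."""
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    if not (sep and local and domain):
        return None
    return local, domain.lower().rstrip(".")


def is_local_client(client_ip, authenticated):
    """A 'local user' is an authenticated one or one on a trusted network."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in TRUSTED_NETS)


def open_relay(client_ip, authenticated, rcpt):
    """Historic behaviour: relay for anyone, to anywhere."""
    return "250 ok"


def closed_relay(client_ip, authenticated, rcpt):
    """Relay only for local users; outsiders may reach local mailboxes only."""
    parsed = split_recipient(rcpt)
    if parsed is None:
        return "501 malformed recipient"
    local, domain = parsed
    if is_local_client(client_ip, authenticated):
        return "250 ok"
    if domain not in LOCAL_DOMAINS:
        return "550 relaying denied"
    if ROUTING_CHARS & set(local):
        # Local domain, but the local part carries a second hop (assumed rule).
        return "550 relaying denied"
    return "250 ok"


def audit(policy):
    """Recipients an unauthenticated outside client could relay through policy."""
    outsider = "203.0.113.9"  # constructed address outside TRUSTED_NETS
    probes = ["<a@elsewhere.example>", "<a%elsewhere.example@example.org>"]
    return [r for r in probes if policy(outsider, False, r).startswith("250")]
```

An empty list from `audit(closed_relay)` means neither constructed probe is relayed for an outsider, while local delivery and relaying for authenticated or trusted-network clients still work.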
7.2. Proposed actions
Member States and competent authorities are invited to clarify
the legal conditions in their country under which different
types of filtering software can operate, including privacy requirements.
Filtering software providers may need to adapt their filtering
systems in order to ensure the compatibility with the opt-in
regime and other requirements under Community law, including
requirements linked to the confidentiality of communications.
Users should be given the opportunity to manage the way in which
incoming UCC/spam is handled, according to individual needs.
Filtering software providers need to take into account the consequences
for users of ‘false positives’, ‘false negatives’, and of certain
forms of content-based filtering.
Filtering companies are also encouraged to cooperate with interested
parties to develop techniques recognising marketing e-mails
corresponding to accepted marketing practices under Community
law, including webseals, labels, etc.
Providers of e-mail services (and of mobile services where appropriate)
are encouraged to offer filtering facilities or services to
their customers as an option available on request, as well as
information on third party filtering services and products available
to end-users.
Owners of mail servers are invited to make sure that their servers
are properly secured so that those servers are not in ‘open
relay’ mode (if this is not justified). The same could apply
to open proxies.
8. Monitoring
In order to evaluate how the opt-in system works in practice
and to address specific problems with suitable measures, Member
States will need objective and up to date information on trends
in UCC/spam, user complaints and difficulties encountered by
service providers. Sources and type of information would include:
trends in nature, origin and volume of unsolicited commercial
e-mail as detected by filtering software providers, service
providers and national (regulatory) initiatives; statistics
about the use of a complaints mailbox where applicable.
Article 18 of the Directive on Privacy and Electronic Communications
provides for a report in 2006 on the application of the Directive
and its impact on economic operators and consumers, with specific
emphasis on unsolicited communications. Monitoring would be
very helpful in that context.
With the support of Member States and data protection authorities,
the Commission services have created an informal online group
to facilitate and coordinate exchanges of information and best
practices on trends, statistics and particular problems and
solutions regarding unsolicited commercial e-mail such as: awareness,
enforcement (complaints, remedies, penalties), interpretation,
filtering, international cooperation. It may also determine
benchmarking criteria for the various measures to be proposed.
The online group includes competent national administrations
and data protection authorities, and the Commission. The online
group will determine how to ensure the participation of interested
parties e.g. service providers or their associations.
Documents drafted following group discussions would generally
be submitted to the Communications Committee (COCOM) created
under the regulatory framework for electronic communications
networks and services and/or to the Article 29 Data Protection
Working Party for appropriate action.
[1] See corresponding press release at the following URL address: http://europa.eu.int/information_society/topics/ecomm/highlights/current_spotlights/spam/index_en.htm.
[2] See COCOM documents No 03-06 and 03-33, available at the following address: http://forum.europa.eu.int/Public/irc/infso/cocom1/library. More information on the COCOM is available at the following URL address: http://europa.eu.int/
[3] More information on the Article 29 Data Protection Working Party is available at the following URL address: http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm.
[4] Background information on the rules applicable to unsolicited communications under Directive 2002/58/EC is available at the following URL address: http://europa.eu.int/information_society/
[5] - The report of 24 October 2002 adopted by the ‘Commission National Informatique et Libertés’ (CNIL), the French DPA, is available at the following URL address: http://www.cnil.fr/frame.htm?http://www.cnil.fr/thematic/internet/spam/spam_sommaire.htm
- The July 2003 report by the ‘Commission de Protection de la Vie Privée’, the Belgian DPA, can be accessed at the following URL address: http://www.privacy.fgov.be/publications/spam_4-7-03_fr.pdf
[6] Note that complaints often also concern related issues e.g. the right of access to personal data and the right to object to data processing.
[7] More information is available at: http://europa.eu.int/comm/consumers/redress/out_of_court/index_en.htm