Legge privacy 675 analisi dei rischi               PRIVACY E CARTE DI CREDITO: COSA FARE IN CASO DI FRODE ©CONSULENTIPRIVACY.IT

 

Home - Consulenti Privacy

CHI SIAMO - CONTATTI

Mappa del sito

 

SERVIZI CONSULENZA

 

:. QUESITI E PARERI SULLA PRIVACY

:. PARERI LEGALI

:. CONSULENZA LEGALE

:. ADEGUAMENTO-CONSULENZA

:. DOCUMENTO PROGRAMMATICO

:. VERIFICHE GRATUITE

:. FORMAZIONE

:. SICUREZZA INFORMATICA

:. NOTIFICA AL GARANTE

 

SEZIONE INFORMATIVA

:. PRIVACY IN PILLOLE

:. SANZIONI

:. CHI DEVE ADEGUARSI?

:. CONTROLLA ADEMPIMENTI

:. CODICE PRIVACY E NORMATIVA

:. PRIVATI E DIRITTO ALLA PRIVACY

 

ARCHIVIO E NEWS dal 1997

 

NORMATIVE ATTINENTI

TESTO UNICO BANCARIO

LEGGE 626/94

 

FAQ

 

SITI UTILI

 

Policy privacy

Workshop to be held in Brussels on 16 October 2003

EUROPEAN COMMISSION
Information Society Directorate-General
 
I risultati del seminario, al quale parteciperanno rappresentanti degli Stati membri, del mondo dell’impresa e delle associazioni dei consumatori, saranno utilizzati per il testo della Comunicazione che la Commissione sta preparando in materia di spamming, la cui pubblicazione è attesa entro la fine del 2003.
Brussels, 1 October 2003
 
Note: This is a working document of DG Information Society which does not necessarily reflect the official position of the Commission. No inferences should be drawn from this document as to the precise form or content of future measures to be submitted by the Commission. The Commission accepts no responsibility or liability whatsoever with regard to any information or data referred to in this document.

 
TABLE OF CONTENTS
 
Background and purpose of the document....................................................... 1
Structure of the document........................................................................................ 1
1.     Awareness.................................................................................................................... 2
1.1.    Issue         2
1.2.    Proposed actions.................................................................................................................. 3
2.     Effective application of the opt-in regime................................................. 4
2.1.    Issue         4
2.2.    Proposed actions.................................................................................................................. 5
3.     Complaints mechanisms........................................................................................ 6
3.1.    Issue         6
3.2.    Proposed actions.................................................................................................................. 7
4.     Effective enforcement.......................................................................................... 7
4.1.    Issue         7
4.2.    Proposed actions.................................................................................................................. 9
5.     Effective remedies and penalties..................................................................... 9
5.1.    Issue         9
5.2.    Proposed actions................................................................................................................ 11
6.     Cooperation with third countries................................................................ 11
6.1.    Issue         11
6.2.    Proposed actions................................................................................................................ 12
7.     technical issues...................................................................................................... 13
7.1.    Issue         13
7.2.    Proposed actions................................................................................................................ 13
8.     Monitoring................................................................................................................. 14
 

 
Background and purpose of the document

On 25 July 2003, European Commissioner for Information Society Erkki Liikanen said: "Combating spam has become a matter for us all and has become one of the most significant issues facing the Internet today. It is a fight over many fronts. The EU, Member States, industry and consumers all have a role to play in the fight against spam both at the national and international level. We must act before users of e-mails or SMS stop using the Internet or mobile services, or refrain from using it to the extent that they otherwise would"[1].

This working document outlines elements of a possible Commission Communication on various legal, technical and educational facets of unsolicited commercial communications (UCC) or spam, building on the ‘opt-in’ regime to be introduced in all Member States by the end of October 2003. It will be discussed at a one day workshop which will take place in Brussels on 16 October 2003.
The Working Document builds on previous discussions in the context of the Communications Committee (COCOM)[2] and with the Article 29 Data Protection Working Party[3]. In response to a questionnaire, information was provided by members of the COCOM and of the Article 29 Data Protection Working Party. A number of industry associations or individual companies also reacted, from ISPs and communications operators (mobile and fixed) through direct marketeers and advertisers, to computer and software manufacturers.

Structure of the document

To serve discussions, the issues and proposed actions identified so far are presented according to the following structure:
-     Awareness
-     Effective application of the opt-in regime
-     Complaints mechanisms
-     Effective enforcement
-     Effective remedies and penalties
-     Cooperation with third countries
-     Technical issues
-      Monitoring

These issues and the proposed actions are related to each other in several ways. They may also be implemented in an integrated fashion.

Each section starts with a short summary of the issue to facilitate discussion. The document has been deliberately kept short in view of its purpose and it should therefore not be considered as exhaustive on any of the subjects covered.
Some ‘best practices’ have been singled out whenever considered useful.

1.       Awareness
1.1.    Issue

By 31 October 2003 at the latest, all EU Member States must have transposed the new opt-in regime for unsolicited e-mail into national law. While this new approach has had a fair amount of publicity in the press, there may still be hesitations among market players and citizens about what the opt-in will actually mean in practice[4].
Users will be empowered by the opt-in regime and they have to take their responsibility when using services and passing personal data. To enable this however, they must be aware of the basic rules applicable to unsolicited communications. In addition, users need to  know how they can prevent spam by adapting their behaviour. Finally, they need to  know what filtering software in on the market and what service and software providers can do for them.
While awareness raising activities concerning the new opt-in regime have been undertaken, or are envisaged, in most Member States, they can differ widely in terms of timing, nature of information provided, target audience and parties involved. Some Member States however wait until national laws are in place. Public consultation on the implementation of Directive 2002/58/EC has contributed to a fair degree of awareness whenever it has been organised.

Best practice
The ‘Commission National Informatique et Libertés’ (‘CNIL’), i.e. the French Data Protection Authority has put on its website a quite substantial  information package on various aspects of spam: the results of  its e-mailbox experience and the cases referred to judicial authorities (see below),  basic guidance on how to prevent spam, information on how to report spam, references of users’ associations active in this area, etc.
 
Information provided

In particular as regards the nature of information provided, activities targeted at businesses and/or consumers can include:
   basic information on the new rules;
   practical information on acceptable marketing practices under the opt-in regime including clarification of legitimate collection of personal data;
   practical information on how to avoid unsolicited commercial communications (UCC) /spam (e.g. filtering, use of personal data, etc.);
   information on practical steps when confronted with UCC/spam, including on complaints mechanisms and possible alternative dispute resolutions systems (ADR) systems.
Parties involved

Various authorities can be responsible for these activities depending on their respective powers in a given Member State (e.g. data protection authorities (DPAs), national regulatory authorities for the electronic communications sector (NRAs), consumer protection agencies, ombudsmen).
Coordination among the various competent authorities does not appear to be the rule in all Member States. Ministries appear to be involved in some Member States. Industry associations are often involved. Sometimes consumer or user associations are also taking part in these activities.
Some parts of the industry as well seem to have undertaken awareness raising activities at national, EU or global level, although here again, these activities can differ widely. These include:
practical guides to direct marketeers, or campaigns directed at the communications sector in particular;
general guidance to customers on codes of conduct, complaint mechanisms and filtering;
platform/working group to develop best practices for commercial communications (see also below).
1.2.   Proposed actions
In order to achieve a high level of understanding about the new do’s and don’ts with regard to commercial e-mail, sustained action is needed in all Member States on both prevention and enforcement.
All parties are invited to play their role in awareness raising activities, from Member States and competent authorities, through businesses, to consumers/user associations.
In particular, practical information on prevention, acceptable marketing practices, and on technical and legal solutions available to users is encouraged.
Information to users on their rights and on complaints mechanisms is also important.
These actions should reach the following target groups:
a) companies involved in or making use of direct marketing,
b) consumers who subscribe to e-mail services, including SMS services and
c) providers of e-mail services, including providers of mobile services.
Awareness activities should be carried out through different channels (not only web-based), with a view to effectively reaching the various audiences targeted. In this regard, involvement of industry and consumer associations is important.
Actions listed below should also refer to effective industry codes of conduct, complaints mechanisms, trustmarks and/or certification schemes where available.
In addition, the Commission services will provide information on its EUROPA website including:
-                   the basics of opt-in;
-                   references via hyperlinks to national implementation aspects;
-                   basic figures and trends on spam in the EU where available.

2.       Effective application of the opt-
in regime
2.1.    Issue

Combating spam is a matter for all interested parties. Industry can play a specific role since it can turn the opt-in regime into day-to-day business practice. Day-to-day practice includes not only terms and conditions for end-users, but also relations with business partners.
In many cases, better coordination through industry associations, and involvement of sector-specific self-regulatory bodies and consumer/user associations is needed, including involvement of data protection authorities or other competent national authorities.
Service providers’ contractual practices towards subscribers
Contracts can help in the fight against UCC/spam, subject to safeguards with respect to individual rights. Many ISPs already include obligations in contracts with their customers prohibiting the use of the service for sending spam. Such ISPs already prohibit the sending of unsolicited e-mail, or bulk e-mail, from their e-mail accounts. Such clauses are sometimes based on the need for ISPs to take all measures to prevent inappropriate usage of their services. Other ISPs refer to existing codes of conduct as regard bulk e-mails or, indeed, to self-regulatory principles (e.g. ‘netiquette’).
The concepts as used in contracts between ISPs and their customers are likely to be different from those used in the new Directive and subsequent national transposition law.
In terms of customer service, there is also a need for a more pro-active filtering policy by providing information on anti-spam filters, and by providing filtering services or facilities to subscribers as an option.
Service Providers’ contractual practices towards business partners
The same is valid whenever ISPs or mobile operators enter into contracts with third parties and in particular with direct marketeers. This does not only concern for instance, direct relationship with companies offering mobile premium rate services. It also includes operators with whom a given service provider has interconnection agreements.
Direct marketeers’ own practices
Opt-in has implications on several marketing activities, such as:
- the methods for collecting e-mail addresses and other electronic contacts details to the new regime (Needless to say, harvesting of e-mail addresses will remain incompatible with Community law);
- the adaptation of existing lists to the new regime upon entry into force in Member States;
- the prohibition to use and sell non-compliant lists after the entry into force of the national provisions.
Best practice
As an illustration, the Dutch Ministry of Economic Affairs has provided in 2003 funding for a platform called ‘Basic Principles for Commercial e-Mail’ grouping different branches of the industry and competent authorities (Ministry, DPA, NRA, Advertising Committee). The intention is to develop practical implementation of the opt-in principle. This practical implementation will be tested with the data protection authority. Results will be widely advertised. (see http://www.ecp.nl/projecten.php#32 )

2.2.    Proposed actions

Industry involvement and self-regulation or, indeed, co-regulation, could be promoted in areas where legislation and enforcement by public authorities alone may not be sufficient. All interested parties should play their part in this area, including consumer associations and/or users’ associations.
Various initiatives have already been announced by industry associations such as the drafting of codes of conduct and the dissemination of good marketing practices. A Europe-wide online code of conduct for direct marketeers would be welcome, according to the European Federation of Direct Marketing (FEDMA).
In order to promote greater awareness among users, tools such as trustmarks/webseals could be used where appropriate. As often, effective application of self-regulatory solutions will depend on the structure put  in place to oversee respect for  them, including effective sanctions.
Generally speaking, codes of conduct and other self-regulatory initiatives, and contracts should conform the opt-in rules. Involvement of the competent regulatory authority could be helpful in this regard.
On the substance of such initiatives, adaptation of terms and conditions of subscriber contracts could be useful for all parties concerned. This is not only applicable to internet service providers but also to providers of SMS and MMS. As a complementary measure, provision of information on fiters and on filtering software or services could be provided as optional customer service (on filtering, see also section 7.1, below).
Clauses in contracts with business partners (e.g. interconnection, premium rate services) should aim at reflecting opt-in compliant marketing practices and provide for adequate penalties in case of breach.
Adaptation of direct marketeers’ practices would also be helpful. Marketing practices compliant with the opt-in regime should not only be promoted, but also, practices should be adapted in day-to-day practice. Direct marketeers could in particular agree on specific, opt-in compliant methods to collect personal data (e.g. double opt-in systems). Labelling of opt-in compliant users’ databases and e-mails, could be envisaged (e.g. ADV label).
It should be recalled in that context that the Article 29 Data Protection Working Party can approve EU-wide codes of conduct (see Article 30 of the General Data Protection Directive 95/46/EC) The Commission services have invited the Article 29 Data Protection Working Party to consider approving such EU-wide codes of conduct.

3.    Complaints mechanisms
3.1.  Issue

Enforcement of the new opt-in approach will be crucial to ensure its credibility. This includes adequate complaints mechanisms. Some Data Protection Authorities (DPAs) have set up mailboxes to which users can forward unsolicited commercial e-mail and have committed themselves to undertaking action in targeted cases.
France and Belgium have used such dedicated e-mailboxes and results are quite interesting. Reports on these initiatives are available to the public[5]. The Federal Trade Commission in the USA is operating a similar mailbox and uses the input for prosecution on the basis of the existing unfair and deceptive trade practices rules.
Among the advantages of e-mailboxes is the fact that e-mailboxes appear to encourage consumers to report infringements and hence make enforcement of adopted legislation more effective.
In addition, they can provide essential statistics about the size and the nature of the problems encountered in a given country or region. This, in turn, constitutes a valuable tool for setting enforcement priorities or, indeed, adapting them.
Moreover, prevention actions can be built on the basis of the knowledge acquired. As an illustration, the CNIL, i.e. the French DPA has used information gathered during the ‘boîte à spams’ operation to build preventive information packages targeted at users or at marketeers.
The usefulness of an e-mailbox to monitor and measure the scale and scope of spam understandably depends on the ability to investigate the complaints made in a useful and rapid manner.
While there is generally an interest in learning from other Member States’ experience with e-mailboxes, only some Member States appear to plan or consider the possibility to use a dedicated e-mailbox. The reasons indicated are generally:
- the existing possibility to complain by e-mail via e.g. the DPA’s website;
- the need for additional dedicated staff and equipment according to some respondents;
- or the need to change existing legal procedures.
Some Member States seem to prefer normal administrative procedures and/or contacts with ISPs, or Computer Emergency Response Teams (CERTs) in case of network disruption. Other Member States favour more traditional procedures (damage claims under civil law/administrative proceedings). Co-regulation or self-regulation are sometimes invoked as best alternatives.
 
3.2.    Proposed actions
 

Member States and competent authorities are invited to consider the use of dedicated e-mailboxes, supported by information campaigns. Information on e-mailbox experiences could be shared with Member States and competent authorities and with the Commission services.
These dedicated e-mailboxes would have to be designed in a way that enables easy search and analysis for reasons of better understanding of the problem and in order to allow priorities-setting in terms of enforcement.
The Commission will work with Member States on how coordination on complaints handling could be achieved throughout the EU.

4.     Effective enforcement
4.1.  Issue
Despite its deterrent effect, legislation may not be enough for the new rules to have a sufficient impact. Effective enforcement of the opt-in does still not appear as a priority in all Member States. This implies adequate enforcement mechanisms, including cross-border mechanisms. (Cooperation with third countries is analysed under Section 6, below.)
Enforcement mechanisms
The way procedures regarding unlawful unsolicited communications are organised and handled has been quite diverse until now[6]. The very instrument of an EU Directive implies that Member States keep some margin of manoeuvre in implementing its provisions. At the same time, effective enforcement is needed whatever method is  used.
Diversity in Member States
Except in a few Member States, complaints do not necessarily lead to investigation. Pre-infringement contacts have sometimes been used, including directions and guidelines to companies, reportedly with some success. Sometimes this pre-complaint phase is left to the consumer who should contact the company before filing a complaint. Self-regulation is in place in some countries (e.g. the UK) to organise this first phase of action. Industry respondents refer to existing, more or less self-regulatory complaints mechanisms already in place. Authorities often act also on their own initiative. Specific entrustment to an administrative authority such as the DPA would normally not preclude direct access to the judicial system.
Not all DPAs can act against legal persons. Not all DPAs have (yet) the possibility to impose sanctions. An alternative solution is for these authorities to lodge a complaint with judicial authorities.  In France, the ‘success’ of the e-mailbox has led the DPA to select a few specifically characterised cases and refer them to judicial authorities. In Belgium, a similar experience has led an exchange of views with the suspected senders and, in cross-border cases, to their referral to EU counterparts or to the US FTC.

A number of factors seem to influence the effectiveness of enforcement mechanisms:
–             the possibility to enforce legislation with effective fines or other penalties. Some regulatory authorities apparently still lack (effective) enforcement powers;
–             the nature of complaints mechanisms and remedies available to individuals and companies;
–             the need for clarity and coordination among national authorities in view of their sometimes overlapping duties (e.g. NRAs, DPAs) in this area;
–             the level of awareness among users about their rights - and the consequent lack of clarity of their complaint. This would include information on what will be investigated or not, what types of enforcement may be taken, and what information is needed in order to pursue an investigation;
–             coordination and cooperation among Member States and between Member States and third countries on the national law applicable to given cases;
–             the level or resources to track down ‘spammers’ operating off shore and hiding their identity including by using others’ identity, addresses or servers.

Cross border complaints and cooperation on enforcement  inside the EU

Dealing with cross-border complaints is an important requirement to successfully protect consumers in this area. It will be very important to ensure that the national complaints mechanisms, whatever their modalities, can be linked to ensure that complaints from users in one Member State regarding messages originating in another Member State will also be dealt with efficiently.
At present not all Member States have a formal procedure to deal with cross-border complaints. It is also not obvious to Member States what possible general, international cooperation instruments can be used to trigger EU-wide cooperation.
Current solutions include contacts with the relevant authority in another Member State and the possible transfer of the complaint to the relevant authority where the message(s) originate.
Work is being done by DPAs at the European level (including EEA and candidate countries) to exchange information on cross border complaints, by way of an informal group called ‘Complaints handling workshops’. The opportunity exists to use it for cross-border complaints related to UCC/spam including work on the determination of the law applicable to given cases.
 

4.2.     Proposed actions
Member States and competent authorities are invited to assess the effectiveness of their legal system to cope with user complaints and envisage adaptations if needed.
Coordination among competent national authorities is encouraged. This includes coordination and exchanges of information among DPAs, NRAs and other competent authorities in charge of certain forms of UCC/spam (e.g. fraudulent UCC/spam or ‘scams’, pornographic UCC/spam, messages on illegally distributed health-related products).
Member States and competent authorities are also invited to assess the effectiveness of their existing procedures for handling cross-border complaints (e.g. mutual assistance agreements).
In view of the cross-border nature of the subject matter, coordination of national initiatives is important. Complaints from users in one Member State regarding messages originating in another Member State should also be dealt with efficiently. Member States are invited to investigate ways of removing existing barriers to information exchange and cooperation and the possibility of seeking and obtaining action from their counterparts in other Member States. In practical terms it could be useful to have a liaison mechanism (see the DPAs’ initiative mentioned above) by which national regulators could cooperate in pursuing cross-border cases.

5.      Effective remedies and penalties
5.1.    Issue

Member States must ensure that penalties and remedies are in place for infringements of the provisions of the Directive on Privacy and Electronic Communications, and create possibilities for victims of illegal processing of personal data to claim damages, in accordance with the general data protection Directive 95/46/EC.
Article 15 of Directive 2002/58/EC refers to Chapter III of Directive 95/49/EC on Judicial remedies, liability and sanctions:

Article 22                                                                                     Remedies
Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.

Article 23                                                                                           Liability
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

Article 24                                                                                          Sanctions
The Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive

At present, remedies generally include fines or an ‘injunction’ to cease the unlawful data processing, and sometimes the ‘blocking’ of websites involved. In many Member States, ‘injunctions to cease’ the unlawful processing can be awarded, possibly prior or concomitantly to fines in case of non-compliance. However, not all authorities have jurisdiction over the complete set of infringements around UCC/spam, neither have they the same tools in their hands. Cases are also often referred to judicial authorities.
Not all Member States provide for remedies and penalties under administrative law, or under criminal law. Criminal sanctions vary, up to terms of imprisonment in certain Member States. In addition, there is generally the possibility to claim damages under civil law.
While there is often a distinction between ‘light’ and ‘serious’ offences (e.g. massive mailings, misleading or fraudulent advertising and trade practices), penalties themselves vary greatly among Member States.
In many cases, spam activities may also lead to remedies provided under general data protection legislation (e.g. breach of the obligation to notify, of the right of access, of the obligation to appoint a representative in an EU Member State etc.) or under specific legislation (e.g. misleading advertising, fraudulent marketing, etc.). Prior to the opt-in regime in particular, various legal grounds have been used to tackle certain forms of UCC/spam (e.g. bulk e-mails campaigns, purpose-limitation, network disruption, abuse of e-mail accounts, fraud, misinterpretation of contracts).
Generally speaking, judicial means are not considered as sufficient to ensure enforcement.  Not all Member States have judicial sanctions in place for infringements. In general, administrative fines can be imposed, by the DPA and/or the NRA. Amounts vary. Member States with no such possibility are generally considering their introduction. Compared to judicial sanctions, administrative sanctions are said to be particularly adequate for such a dynamic sector. DPAs and NRAs often offer complementary tools for enforcement. Administrative procedures may in particular be both affordable and speedy (e.g. reportedly within 50 days by the Italian DPA).
For privacy infringements like sending unsolicited e-mail, an out-of-court redress mechanism may be rather useful to achieve a higher level of compliance with the new rules. Various initiatives were launched at national and EU level for alternative dispute resolution (ADR) mechanisms to deal with disputes in relation with online transactions and communications. The Commission has adopted Recommendations on ADR in 1998 and 2001, thereby setting out principles to be applied to such systems. Several initiatives are underway regarding consumer protection-related ADR systems (e.g. EEJ-NET)[7].
Out-of court redress mechanisms exist in some countries, sometimes established by legislation, though they vary in many regards, such as origin (branch-specific e.g. direct marketing, e-mail marketing), ‘jurisdiction’, powers and sanctions (e.g. damage claims), involvement of specific authorities (e.g. DPAs, advertising standards bodies) etc.
For those mechanisms to be sufficiently efficient, certain conditions need to be met e.g. how they are organised and promoted, and how compliance with rulings is ensured. Setting them up would also require cooperation between authorities and industry.

5.2.     Proposed actions
A balanced approach including legislation, enforcement and self-regulation is often identified as the best approach to enforce the opt-in system.
Member States are invited to assess the effectiveness of their system of penalties and remedies for infringements and create adequate possibilities for victims to claim damages.
Member States and competent authorities with no administrative remedies are invited to consider adopting such remedies against UCC/spam, as a tool to ensure a fast, affordable and efficient procedure to enforce the opt-in regime.
The creation and use of effective self-regulatory complaints mechanisms and alternative dispute resolution mechanisms (ADR) is also encouraged , building on existing initiatives whenever possible. They could be particularly useful with respect to cases where international cooperation would be less effective.

6.       Cooperation with third countries
6.1.    Issue
The new rules apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. As a consequence, Article 13 of Directive 2002/58/EC establishing the opt-in rule is applicable to all unsolicited commercial communications received on and sent from networks in the Community. This implies that such messages originating in third countries must also comply with EC rules, as must messages originating in the Community and sent to addressees in third countries.
The actual enforcement of the rule with regard to messages originating in third countries will clearly be more complicated than for messages from inside the EU. Still it is important since much spam comes from outside the EU.
While a mix of various instruments will be needed, including prevention, filtering techniques, self-regulation, contracts, international cooperation, the present section covers in particular the latter issue.
The first objective of international cooperation is to promote the adoption of effective legislation in third countries. The second objective of international cooperation is to cooperate with third countries to ensure effective enforcement of legislation.
There is not much experience on enforcement of existing opt-in or opt-out rules for communications originating outside the EU. Besides the fact that UCC/spam is a relatively new phenomenon, difficulties often quoted include the difficulty to identify the senders of such UCC/spam or the amount of efforts required to do so; the lack of (appropriate) international cooperation mechanisms; the lack of jurisdiction of some authorities on international matters.

6.2.    Proposed actions
At the multilateral level, Some Member States already participate actively in forums such as the OECD, where work on spam has started. Active participation in this work is encouraged in particular as regards the identification of possible solutions at the international level.
The Commission will host an OECD workshop on spam in February 2004 which is intended to contribute to a better understanding of the problem created by spam and its possible solutions. Concrete follow-up actions at OECD level would depend on the results of the workshop.
At the UN level, the Commission has raised the issue of spam in the context of the forthcoming World Summit on the Information Society (Geneva, 10-12 December 2003) in order to promote awareness and international cooperation on this issue.
Member States and competent authorities are also invited to promote bilateral cooperation with third countries. This does not only include the promotion of effective legislation but also cooperation on enforcement, including police and judicial cooperation where appropriate.
The Commission services will continue to be active in international fora (e.g. OECD, WSIS) and through their bilateral meetings and discussions (e.g. the USA and Canada, Australia, Asian countries (e.g. ASEM)).

7.         technical issues
7.1.      Issue
As regards traditional e-mail, it is a common practice within the ISP community to block incoming mail from servers that are used for sending spam (black listing) until the source of the spam is identified and prevented from using the server. In addition, filtering software can be employed by individual users within their own terminal equipment or by electronic communications service providers within their servers. In short, there appears to be many solutions being developed to counter spam on the technical front.
However not all filtering practices and techniques offer the same level of user control. Nor do they offer the same guarantees for data protection and privacy, e.g. respect for the confidentiality of communications. They may also not yet be adapted to the new opt-in regime applicable in EU countries for marketing communications (prior consent-based, marketing related, bulk and non-bulk). Also, more differentiation between legitimate marketing (e.g. opt-in compliant) and unsolicited communications or spam may lead to filtering software becoming more efficient.
While the new legal provisions on unsolicited commercial e-mail provide additional safeguards for the user and greater security for service providers to undertake action on request against ‘spammers’, filtering may occasionally block legitimate e-mail (‘false positive’) or allow spam to get through (‘false negatives’). In some cases, this can create a risk that either a sender or an intended addressee undertakes legal action against an ISP.  Some ISPs therefore offer filtering as a optional service to their users and require permission for activating it. Other issues have been raised, such as: filtering vs. freedom of expression; filtering vs. the contractual obligation to transmit e-mails addressed to customers.
As regards filtering in mobile services, the different business model environment for mobile services compared to fixed internet services may justify different solutions. In particular, the former model would normally include per-message delivery charges which make UCC/spam more costly. However, some new services entail charging based on retrieval. Filters and viewing facilities could then be provided to subscribers.
Finally, attention is needed on open relays. Open relays are SMTP servers that can be used for relaying messages that sent by users other than users local to the said server. In the past, most relays were open. When open however, relays can be (ab)used by spammers to send unsolicited communications quite easily. Simple preventive measures would reduce the possibilities for abuse. The same is true for open proxies.

7.2.     Proposed actions
Member States and competent authorities are invited to clarify the legal conditions in their country under which different types of filtering software can operate, including privacy requirements.
Filtering software providers may need to adapt their filtering systems in order to ensure the compatibility with the opt-in regime and other requirements under Community law, including requirements linked to the confidentiality of communications.
Users should be given the opportunity to manage the way in which incoming UCC/spam is handled, according to individual needs.  Filtering software providers need to take into account the consequences for users of ‘false positives’, ‘false negatives, and of certain forms of content-based filtering.
Filtering companies are also encouraged to cooperate with interested parties to develop techniques recognising marketing e-mails corresponding to accepted marketing practices under Community law, including webseals, labels, etc.
Providers of e-mail services (and of mobile services where appropriate) are encouraged to offer filtering facilities or services to their customers as an option available on request, as well as information on third party filtering services and products available to end-users.
Owners of mail servers are invited to make sure that their servers are properly secured so that those servers are not in ‘open relay’ mode (if this is not justified). The same could apply to open proxies.

8.       Monitoring
In order to evaluate how the opt-in system works in practice and to address specific problems with suitable measures, Member States will need objective and up to date information on trends in UCC/spam, user complaints and difficulties encountered by service providers. Sources and type of information would include: trends in nature, origin and volume of unsolicited commercial e-mail as detected by filtering software providers, service providers and national (regulatory) initiatives; statistics about the use of a complaints mailbox where applicable.
Article 18 of the Directive on Privacy and Electronic Communications provides for a report in 2006 on the application of the Directive and its impact on economic operators and consumers, with specific emphasis on unsolicited communications. Monitoring would be very helpful in that context.
With the support of Member States and data protection authorities, the Commission services have created an informal online group to facilitate and coordinate exchanges of information and best practices on trends, statistics and particular problems and solutions regarding unsolicited commercial e-mail such as: awareness, enforcement (complaints, remedies, penalties), interpretation, filtering, international cooperation. It may also determine benchmarking criteria for the various measures to be proposed.
The online group includes competent national administrations and data protection authorities, and the Commission. The online group will determine how to ensure the participation of interested parties e.g. service providers or their associations.
Documents drafted following group discussions would generally be submitted to the Communications Committee (COCOM) created under the regulatory framework for electronic communications networks and services and/or to the Article 29 Data Protection Working Party for appropriate action.

 
[1]       See corresponding press release at the following URL address:  http://europa.eu.int/information_society/topics/ecomm/highlights/current_spotlights/spam/index_en.htm.
[2]       See COCOM documents No 03-06 and 03-33, available at the following address: http://forum.europa.eu.int/Public/irc/infso/cocom1/library. More information on the COCOM is available at the following URL address: http://europa.eu.int/
[3]       More information on the Article 29 Data Protection Working Party is available at the following URL address: http://europa.eu.int/comm/internal_market/privacy/workingroup_en.htm.
[4]       Background information on the rules applicable to unsolicited communications under Directive 2002/58/EC is available at the following URL address:                http://europa.eu.int/information_society/
[5] -    The report of 24 October 2002 adopted by the ‘Commission National Informatique et Libertés’ (CNIL), the French DPA is available at the following URL address: http://www.cnil.fr/frame.htm?http://www.cnil.fr/thematic/internet/spam/spam_sommaire.htm
 -      The July 2003 report by the ‘Commission de Protection de la Vie Privée’, the Belgian DPA, can be accessed at the following URL address:  http://www.privacy.fgov.be/publications/spam_4-7-03_fr.pdf
 [6]       Note that complaints often also concern related issues e.g. the right of access to personal data and the right to object to data processing.
[7]       More information is available at: http://europa.eu.int/comm/consumers/redress/out_of_court/index_en.htm

 

 RITORNA ALLA SEZIONE DIFESA DELLA PRIVACY PERSONALE