Annexes to COM(2004)28 - Unsolicited commercial communications or 'spam'

dossier COM(2004)28 - Unsolicited commercial communications or 'spam'.
document COM(2004)28 EN
date January 22, 2004
Annex). In the (limited) cases where natural persons would not be protected by Directive 2002/58/EC (e.g. natural persons who are not subscribers) against unsolicited commercial communications, Member States must also ensure under the Directive on Electronic Commerce that service providers undertaking unsolicited commercial communications by electronic mail consult regularly and respect the opt-out registers in which natural persons not wishing to receive such commercial communications can register themselves (see Article 7 of the Directive on electronic commerce).

Also, activities such as hacking or identity theft are often perpetrated in support of spam activities, in order to send spam or to gain access to databases of addresses or to computers. Many such activities will be covered by the Framework Decision on attacks against information systems, which provides for criminal penalties. This Framework Decision, based on a Proposal of the Commission, was agreed politically in February 2003 and should soon be officially adopted [23]. Many Member States can already prosecute illegal access to servers or personal computers, or their abuse, as a criminal offence.

[23] Proposal for a Council Framework Decision on attacks against information systems, COM(2002) 173 final, 19.4.2002.

3. EFFECTIVE IMPLEMENTATION AND ENFORCEMENT BY MEMBER STATES AND PUBLIC AUTHORITIES

This section on effective implementation and enforcement covers proposed actions targeted at governments and public authorities in particular, in areas like remedies and penalties, complaints mechanisms, cross border complaints, co-operation with third countries and monitoring.

Before turning to the discussion on enforcement, however, the Commission notes that a number of Member States have not yet transposed the Directive on Privacy and Electronic Communications, including its provisions on unsolicited commercial e-mails; the Directive is part of a new, broader regulatory framework for electronic communications [24]. The European Parliament has recently expressed its concern about this delay [25]. Following the expiry on 31 October 2003 of the deadline to transpose the Directive on Privacy and Electronic Communications, the Commission opened infringement proceedings in November 2003 against a number of Member States for failure to notify transposition measures [26].

[24] See also the 9th Report on the Implementation of the Telecommunications Regulatory Package, available at the following URL address: http://europa.eu.int/information_society/topics/ecomm/all_about/implementation_enforcement/annualreports/9threport/index_en.htm

[25] The importance of full, effective and timely implementation of the new regulatory framework for electronic communications, including this Directive, has been stressed by the Commission in its Communication "Electronic Communications: the Road to the Knowledge Economy" (COM(2003) 65 of 11 February 2003).

[26] The letters of formal notice were sent on 25 November 2003 (see IP/03/1663).

3.1. Introduction

Although legislation will deter some spam, legislation alone will not be sufficient. Effective enforcement of the opt-in must be a priority in all Member States. Next to sufficient staff and resources, this implies adequate enforcement mechanisms, including cross-border mechanisms. Co-operation with non-EU countries is also crucial. Monitoring is also important if only to determine enforcement priorities.

A number of factors seem to influence the effectiveness of enforcement mechanisms:

- the possibility to enforce legislation with effective fines or other penalties. Some regulatory authorities apparently still lack (effective) enforcement powers;

- the nature of complaints mechanisms and remedies available to individuals and companies;

- the need for clarity and co-ordination among national authorities in view of their sometimes overlapping duties in this area;

- the level of awareness among users about their rights and how to enforce them. Users need to be given information on where to complain, what will be investigated or not, what types of enforcement action may be taken, and what information they need to provide for the authorities to launch an investigation;

- co-ordination and co-operation among Member States and between Member States and third countries on the national law applicable to given cases;

- the resources available to track down 'spammers' operating within the EU or offshore and hiding their identity, including by using others' identities, addresses or servers.

A description of the enforcement provisions applicable to provisions on unsolicited communications has been provided in Section 2.2, above. The way procedures regarding unsolicited commercial e-mails are organised and handled has been quite diverse until now [27]. While the very instrument of an EU Directive implies that Member States keep some margin of manoeuvre in implementing its provisions, effective enforcement is needed whatever method is used.

[27] Note that complaints often also concern related issues e.g. the right of access to personal data and the right to object to data processing.


A balanced approach including legislation, enforcement and self-regulation is often identified as the most effective way of enforcing the opt-in system. Member States are invited to assess the effectiveness of their enforcement mechanisms, in particular in the light of the various actions proposed below (see Sections 3.2 to 3.6).

Member States are also invited to develop national strategies to ensure co-operation between data protection authorities (DPAs), consumer protection authorities (CPAs) and national regulatory authorities for eCommunications (NRAs), and to avoid overlap and duplication between the authorities.

To facilitate and co-ordinate exchanges of information and best practices on effective enforcement (e.g. complaints, remedies, penalties, international co-operation), the Commission services have created an informal online group on unsolicited commercial communications, with the support of Member States and data protection authorities. The group will also facilitate and co-ordinate work on the other actions identified in this Communication, such as awareness-raising and technical solutions.

Documents drafted following group discussions would generally be submitted to the Communications Committee (COCOM) created under the regulatory framework for electronic communications networks and services and/or to the Article 29 Data Protection Working Party for appropriate action. In particular, the group may draw up benchmarking criteria for the various measures to be proposed.

This online group includes competent national administrations and data protection authorities, and the Commission services. The online group will determine how to ensure the participation of other interested parties.

3.2. Effective remedies and penalties

3.2.1. Discussion

At present, remedies generally include fines or an injunction to cease the unlawful data processing, occasionally including the 'blocking' of the websites involved. In some Member States, 'injunctions to cease' are awarded prior to or concomitantly with fines in case of non-compliance. However, not all authorities have jurisdiction over the complete set of infringements related to spam, nor do they all have the same tools at their disposal. Cases are also often referred to judicial authorities. Not all Member States have judicial sanctions in place for infringements.

Not all Member States provide for remedies and fines/penalties under administrative law, or under criminal law. Criminal sanctions vary, including terms of imprisonment in certain Member States. In addition, there is generally the possibility to claim damages under civil law.

While there is often a distinction between 'light' and 'serious' offences (e.g. massive mailings, misleading or fraudulent advertising and trade practices), penalties themselves vary greatly among Member States.

In many cases, spam activities may also lead to remedies provided under general data protection legislation (e.g., breach of the obligation to notify, of the right of access, of the obligation to appoint a representative in an EU Member State, etc.) or under specific legislation (e.g., misleading advertising, fraudulent marketing, etc.). Prior to the opt-in regime in particular, various legal grounds have been used to tackle certain forms of spam (e.g., bulk e-mail campaigns, illegitimate use of personal data, network disruption, abuse of e-mail accounts, fraud and misinterpretation of contracts).

Generally speaking, judicial redress on its own is not considered sufficient enforcement. In general, administrative fines can be imposed by the DPA, CPA and/or the NRA, but amounts vary. Member States with no such possibility are generally considering its introduction. Compared to judicial remedies, administrative sanctions seem to be particularly adequate for such a dynamic sector. DPAs, CPAs and NRAs often avail themselves of complementary tools for enforcement. Administrative procedures can be both affordable and speedy (e.g. reportedly within fifty days at the Italian DPA).

3.2.2. Proposed actions

As a prerequisite, the Commission urges those Member States that have not yet transposed the Directive and in particular the provisions on unsolicited communications, to complete this task without further delay. The Commission services are willing to assist Member States if needed.

Member States are invited to assess the effectiveness of their system of remedies and penalties for infringements and create adequate possibilities for victims to claim damages.

Member States and competent authorities with no administrative remedies should consider adopting such remedies against spam, as a tool to ensure a fast, affordable and effective procedure to enforce the opt-in regime.

The Commission will look to confirm that national transposition measures provide for real sanctions in the event of breach of the relevant requirements by market players, including where appropriate financial and criminal penalties.

In this context, the Commission will also investigate how far competent authorities have the required investigation and enforcement powers.

3.3. Complaints mechanisms

3.3.1. Discussion

Effective enforcement implies adequate complaint mechanisms. Some DPAs have set up e-mailboxes to which users can forward unsolicited commercial e-mail and have committed themselves to undertaking action in targeted cases.

Some Member States seem to prefer normal administrative procedures and/or contacts with ISPs, or with Computer Emergency Response Teams (CERTs) in case of network disruption. Other Member States favour more traditional procedures (damage claims under civil law/administrative proceedings). Co-regulation or self-regulation are sometimes invoked as better alternatives to direct enforcement measures.

Best Practices

France and Belgium used dedicated e-mailboxes in late 2002 to receive specific complaints about spam, and the results are quite interesting. Reports on these initiatives are available to the public [28]. It is expected that France will run an e-mailbox on a permanent basis under the new rules transposing the Directive on Privacy and Electronic Communications. The Federal Trade Commission (FTC) in the USA operates a similar mailbox and uses the input for prosecution on the basis of existing laws on unfair and deceptive trade practices [29].

[28] The report of 24 October 2002 adopted by the 'Commission Nationale de l'Informatique et des Libertés' (CNIL), the French DPA, is available at the following URL address: http://www.cnil.fr/frame.htm?http://www.cnil.fr/thematic/internet/spam/spam_sommaire.htm

[29] See e.g. http://www.ftc.gov/bcp/conline/pubs/online/inbox.pdf. Unwanted or deceptive messages can be forwarded to the following e-mail address: uce@ftc.gov

Among the advantages of e-mailboxes is the fact that they appear to encourage consumers to report infringements and hence make enforcement of adopted legislation more effective. In addition, they can provide essential statistics about the size and the nature of the problems encountered in a given country or region giving a clear overview which, in turn, gives authorities a valuable tool for setting enforcement priorities or, indeed, adapting them. Moreover, preventive actions can be built on the basis of the knowledge acquired. As an illustration, the CNIL, i.e., the French DPA, has used information gathered during their 'boîte à spams' operation to build preventive information packages targeted at users and at marketeers.

The usefulness of an e-mailbox to monitor and measure the scale and scope of spam understandably depends on the ability to investigate the complaints made in a useful and rapid manner.

While there is generally an interest in learning from other Member States' experience with e-mailboxes, only some Member States appear to plan or consider the possibility to use a dedicated e-mailbox. The reasons indicated are generally: the existing possibility to complain by e-mail via, typically, the authority's website; the need for additional dedicated staff and equipment; or the need to change existing legal procedures.

3.3.2. Proposed actions

Member States and competent authorities should assess the effectiveness of their legal system to cope with user complaints and envisage adaptations if needed.

Member States and competent authorities are invited to set up dedicated e-mailboxes, supported by information campaigns.

These dedicated e-mailboxes would have to be designed in a way that enables simple search and analysis of the complaints received, both to understand the problem better and to set enforcement priorities.

The Commission services will facilitate the sharing of information on e-mailbox experiences.

3.4. Cross-border complaints and co-operation on enforcement inside the EU

3.4.1. Discussion

Dealing with cross-border complaints effectively is part of protecting consumers successfully in this area. It will be very important to ensure that the national complaints mechanisms, whatever their modalities, can be linked to ensure that complaints from users in one Member State regarding messages originating in another Member State will also be dealt with effectively (see 3.5, below for co-operation with third countries).

At present not all Member States have a formal procedure to deal with cross-border complaints. Current solutions include contacts with the relevant authority in another Member State and the possible transfer of the complaint to the relevant authority where the message(s) originate.

Work is being done by DPAs at the European level (including EEA and candidate countries) to exchange information on cross-border complaints, through the 'Complaints handling workshop', a group created within the framework of the European Conference of Data Protection Commissioners. The opportunity exists to use it for cross-border complaints related to spam, including work on the determination of the law applicable to given cases. At the same time, not all DPAs enforce the provisions on unsolicited communications.

In the area of consumer protection, the Commission has recently proposed a Regulation on consumer protection co-operation establishing a network of consumer protection public authorities to deal with cross-border problems [30]. It puts in place mutual assistance procedures and provides for in-depth operational co-operation between national authorities. Spam that is misleading or deceptive or breaches other consumer protection rules would be covered by the regime proposed, but not all spam banned by the Directive on Privacy and Electronic Communications. The Regulation is currently under discussion in Council and Parliament.

[30] COM(2003) 443 final.

3.4.2. Proposed actions

Member States and competent authorities are invited to assess the effectiveness of their existing procedures for handling cross-border complaints (e.g. mutual assistance agreements).

Co-ordination among competent national authorities is encouraged. This includes co-ordination and exchanges of information among authorities enforcing the new provisions, and among those and other authorities in charge of specific forms of spam (e.g., fraudulent spam or 'scams', pornographic spam, messages on illegally distributed health-related products).

As regards fraudulent and deceptive spam, the Council and the Parliament are urged to agree on the proposed Regulation on consumer protection co-operation as quickly as possible to ensure that EU consumer protection authorities are fully equipped to deal with misleading and deceptive spam. They are also invited to consider the possible extension of the scope of this Regulation to the Directive on Privacy and Electronic Communications.

Member States are invited to investigate ways of removing existing barriers to information exchange and co-operation and the possibility of requesting action from their counterparts in other Member States. In practical terms it could be useful to have a liaison mechanism (see the DPAs' initiative mentioned above) by which national regulators could cooperate in pursuit of cross-border enforcement. The establishment of a network to support the co-operation could take advantage of existing Commission programmes such as IDA [31].

[31] Information about the IDA programme is available via the following URL address: http://europa.eu.int/comm/enterprise/ida/index.htm

The Commission intends to facilitate and promote such co-ordination efforts among competent national authorities, in particular through the newly created informal online group on unsolicited commercial communications. The Commission services have started to investigate, together with Member States and national authorities involved with enforcement, what concrete action is needed to improve the handling of cross-border complaints. Discussions with national authorities will continue throughout 2004.

3.5. Co-operation with third countries

3.5.1. Discussion

The new rules apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Union (and the EEA). As a consequence, Article 13 of Directive 2002/58/EC establishing the opt-in rule is applicable to all unsolicited commercial communications received on and sent from networks in the EU (and EEA). This implies that such messages originating in third countries must also comply with EU rules, as must messages originating in the EU and sent to addressees in third countries.

The actual enforcement of the rule with regard to messages originating in third countries will clearly be more complicated than for messages from inside the EU. Still it is important since much spam comes from outside the EU.

While a mix of various instruments will be needed, including prevention, filtering techniques, self-regulation, contracts, international co-operation, the present section focuses particularly on international co-operation. The first objective of international co-operation is to promote the adoption of effective legislation in third countries. The second objective is to cooperate with third countries to ensure effective enforcement of the applicable rules.

There is not much experience on enforcement of existing opt-in or opt-out rules for communications originating outside the EU. Besides the fact that spam is a relatively new phenomenon, obstacles often singled out include the difficulty of identifying the senders of such spam or the amount of effort required to do so; the lack of (appropriate) international co-operation mechanisms; and the lack of jurisdiction of some authorities on international matters.

As regards fraudulent and deceptive spam, the Commission's proposal for a Regulation on consumer protection co-operation also provides for co-operation with third countries on enforcement. The Organisation for Economic Co-operation and Development (OECD) adopted in 2003 a Recommendation designed to protect consumers from fraudulent and deceptive commercial practices across borders [32].

[32] OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders, OECD, 2003.

3.5.2. Proposed actions

At the multilateral level, some Member States already participate actively in forums such as the OECD, where work on spam has started. Active participation in this work is encouraged in particular as regards the elaboration of solutions at the international level.

The Commission will host an OECD workshop on spam in February 2004 which is intended to produce a better understanding of the problem created by spam and contribute to solutions at the international level. Concrete follow-up actions at OECD level will build on the results of the workshop. The Commission services are discussing these follow-up actions with Member States, including OECD work to promote effective legislation internationally, awareness, technical solutions, self-regulation, and international co-operation on enforcement.

At the UN level, the Declaration of the World Summit on the Information Society (Geneva, 10-12 December 2003) and the associated Action Plan stress that spam should be dealt with at the appropriate national and international levels. The Commission will investigate how best to follow up the results of the 2003 World Summit in the EU, taking account of the Tunis Summit to be held in 2005.

Member States and competent authorities are also invited to reinforce, or engage in bilateral co-operation with third countries. This includes not only the promotion of effective legislation but also co-operation on enforcement, including police and judicial co-operation where appropriate.

Co-operation is also encouraged between authorities and the private sector, in particular ISPs and ESPs in order to trace back spammers, subject to appropriate legal safeguards.

The Commission services will continue to be active in international fora, including the OECD and the workshop that the Commission will host in Brussels in February 2004. They will also continue to hold bilateral meetings and discussions with third countries, inter alia to encourage third countries to take effective action against spam, and in particular against the most offensive forms of spam, and to promote co-operation on enforcement.

The Commission services have started to investigate, together with Member States and national authorities involved with enforcement, how best to ensure international co-operation, in particular to ensure the handling of complaints concerning spam originating in third countries. This work with national authorities will continue throughout 2004.

3.6. Monitoring

3.6.1. Discussion

In order to evaluate how the opt-in system works in practice and to address specific problems with suitable measures, Member States will need objective and up to date information on trends in spam, user complaints and difficulties encountered by service providers. Sources and type of information would include: trends in the nature of spam, origin and volume of unsolicited commercial e-mail as detected by filtering software providers, service providers and national (regulatory) initiatives; and statistics resulting from the use of a complaints e-mailbox where applicable.

The OECD started work in 2003 on the measurement of unsolicited electronic messages at the international level and will pursue this work in 2004.

Article 18 of the Directive on Privacy and Electronic Communications provides for a report in 2006 on the application of the Directive and its impact on economic operators and consumers, with specific emphasis on unsolicited communications. In drawing up this report, the Commission will need to seek information from Member States, including relevant statistics.

3.6.2. Proposed actions

Member States should ensure that they have the information and statistics needed to target their enforcement efforts, in co-operation with industry where appropriate and taking into account the ongoing OECD work on the measurement of unsolicited electronic messages.

The Commission will use the newly created informal online group on unsolicited commercial communications to facilitate and co-ordinate exchanges of information and best practices on trends and statistics on spam.

4. TECHNICAL AND SELF-REGULATORY ACTIONS FOR INDUSTRY

This section on self-regulatory and technical issues covers proposed actions for market players in particular, in areas like: contractual arrangements, codes of conduct, acceptable marketing practices, labels, alternative dispute resolutions mechanisms. It also covers some technical solutions, e.g., filtering, security of servers.

4.1. Effective application of the opt-in regime

4.1.1. Discussion

Combating spam is a matter for all interested parties. Industry can play a specific role, since it can turn the opt-in regime into day-to-day business practice. Day-to-day practice includes not only terms and conditions for end-users, but also dealings with business partners.

In many cases, better co-ordination through industry associations, and involvement of sector-specific self-regulatory bodies and consumer/user associations, is needed, including the involvement of data protection authorities or other competent national authorities.

Best practice

As an illustration, in the Netherlands, starting in 2002, the Electronic Commerce Platform has hosted a platform called 'Basic Principles for Commercial e-Mail' that groups different branches of the industry (Direct Marketing and ISPs) as well as the Dutch Consumers' Association. The intention is to develop practical implementation of the opt-in principle. This practical implementation will be tested with the data protection authority [33].

[33] See http://www.ecp.nl/projecten.php

Contracts can help in the fight against spam, subject to safeguards with respect to individual rights. Many internet service providers (ISPs) and e-mail service providers (ESPs) already include obligations in contracts with their customers prohibiting the use of their services for sending spam. Such ISPs and ESPs already prohibit the sending of unsolicited e-mail, or bulk e-mail, from their e-mail accounts [34].

[34] Such clauses are sometimes based on the need to take all measures to prevent inappropriate usage of the provider's services. Others refer to existing codes of conduct regarding bulk e-mails or, indeed, to self-regulatory principles (e.g. 'netiquette').

The concepts as used in previous contracts between ISPs and their customers are likely to be different from those used in the new Directive and subsequent national transposition law.

In terms of customer service, there is also a need for a more pro-active filtering policy by providing information on anti-spam filters, and by providing filtering services or facilities to subscribers as an option.

The same applies whenever ISPs or mobile operators enter into contracts with third parties, and in particular with direct marketeers. This concerns not just direct relationships with companies offering 'value added' services. It also includes operators with whom a given service provider has interconnection agreements, as is the case in mobile services.

The new opt-in regime also has implications for several direct marketing activities, such as:

- adapting the methods for collecting e-mail addresses and other electronic contact details to the new regime (as noted above, the harvesting of e-mail addresses is incompatible with Community law);

- the adaptation of existing lists;

- the prohibitions on using data without consent and on selling non-compliant lists.

4.1.2. Proposed actions

Industry involvement and self-regulation or, indeed, co-regulation, should be promoted, in particular in areas where legislation and enforcement by public authorities alone may not be sufficient. All interested parties should play their part in this area, including consumer associations and/or users' associations.

Service providers' contractual practices towards subscribers and business partners

Firstly, industry will have in particular to assess the extent to which their existing contracts are compatible with the new rules and, if not, adapt them accordingly.

This concerns adaptation of the terms and conditions of subscriber contracts. It applies not only to ISPs and ESPs but also to providers of mobile services. As a complementary measure, information on filters and on filtering software or services could be provided as an optional customer service (on filtering, see also section 4.3, below). Clauses in contracts with business partners (e.g., mobile interconnection, value-added services) should also reflect opt-in compliant marketing practices and provide for adequate penalties in case of breach.

Direct marketeers' own practices

Secondly, adaptation of direct marketeers' practices to the opt-in regime may be necessary. Direct marketeers could in particular agree on specific, legally compliant methods to collect personal data (e.g., 'double' or 'confirmed' opt-in systems).
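The 'confirmed' opt-in mentioned above can be illustrated in code. What follows is an added example, not code from the Communication or from any national scheme or industry code: a subscription request is recorded only as pending, a token bound to the address by an HMAC is mailed to that address, and the address is added to the list only when the token comes back. The secret key, the 48-hour token lifetime and the MailingList class are assumptions made for this example.

```python
"""Confirmed ('double') opt-in for a marketing list.

Added illustration; the key, token lifetime and class layout are assumptions.
Nobody can subscribe an address they do not control, because the token
needed to confirm is only ever sent to the address itself.
"""
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # assumed: per-deployment secret, kept server-side
TOKEN_TTL = 48 * 3600                 # assumed: confirmation links expire after 48 hours


def _mac(address: str, issued_at: int, key: bytes) -> str:
    # Bind the token to the normalised address and its issue time.
    msg = f"{address.lower()}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(address: str, issued_at: int, key: bytes = SECRET_KEY) -> str:
    """Token '<issued_at>.<hmac-sha256>' to embed in the confirmation link."""
    return f"{issued_at}.{_mac(address, issued_at, key)}"


def verify_token(address: str, token: str, now: int,
                 key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL) -> bool:
    """True only if the token was issued by us, for this address, and has not expired."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > ttl:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(address, issued_at, key), mac)


class MailingList:
    """Pending requests are not consent; only confirmed addresses may be mailed."""

    def __init__(self, key: bytes = SECRET_KEY, ttl: int = TOKEN_TTL):
        self.key = key
        self.ttl = ttl
        self.pending = {}    # address -> (requested_at, source of the request)
        self.confirmed = {}  # address -> consent record (what a regulator would ask to see)
        self.outbox = []     # constructed stand-in for the confirmation mails actually sent

    def request_subscription(self, address: str, source: str, now: int):
        addr = address.lower()
        if addr in self.confirmed:
            return None                      # already consented; send nothing
        token = make_token(addr, now, self.key)
        self.pending[addr] = (now, source)   # a repeat request just issues a fresh token
        self.outbox.append((addr, token))    # in reality: e-mail a link carrying the token
        return token

    def confirm(self, address: str, token: str, now: int) -> bool:
        addr = address.lower()
        if addr not in self.pending:
            return False
        if not verify_token(addr, token, now, self.key, self.ttl):
            return False
        requested_at, source = self.pending.pop(addr)
        self.confirmed[addr] = {"requested_at": requested_at,
                                "confirmed_at": now, "source": source}
        return True

    def may_send_to(self, address: str) -> bool:
        return address.lower() in self.confirmed
```

The consent record keeps the time and source of the request as well as the time of confirmation; that is the evidence a marketer needs when a DPA asks on what basis a given address was mailed.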

Codes of conduct

Thirdly, various initiatives have already been announced by industry associations such as the adaptation or adoption of codes of conduct and the dissemination of good marketing practices [35]. Europe-wide online codes of conduct for direct marketing will be supported by the Commission. Codes of conduct and other self-regulatory initiatives, and contracts must conform to the opt-in rules. Involvement of the competent regulatory authority could be helpful in this regard. It should be recalled in that context that the Article 29 Data Protection Working Party can approve EU-wide codes of conduct (see Article 30 of the 'general' Data Protection Directive 95/46/EC).

[35] The European Federation of Direct Marketing (FEDMA) has announced a specific online code of conduct for direct marketeers.

As is often the case, effective application of self-regulatory solutions will depend on the structure put in place to oversee respect for the agreed rules, including effective sanctions.

Labels

Fourthly, in order to promote greater awareness among users, tools such as labels (also known as 'trustmarks' or 'webseals') could be used, in particular where trusted third parties supervise and certify the compliance of market players with codes of conduct.

Visible labels can assist users in identifying ISPs, ESPs and other industry players that adhere to EU rules and/or recognised codes of conduct implementing EU rules. They could also help in making filtering systems more efficient.

Labelling of opt-in compliant users' databases could also be envisaged, as well as labelling of opt-in compliant e-mails (e.g. use of the label 'ADV' in the subject line of an email to indicate that it contains advertising).

Labels could also enable recipients to clearly identify such commercial communications in accordance with the Directive on electronic commerce (see Article 6 (a) of Directive 2000/31/EC; see also section 2, above).

4.2. Alternative dispute resolution (ADR) mechanisms

4.2.1. Discussion

For privacy infringements like sending unsolicited e-mail, an out-of-court redress mechanism may be useful in achieving a higher level of compliance with the new rules. Various initiatives have been launched at national and EU level for alternative dispute resolution (ADR) mechanisms to deal with disputes in relation to online transactions and communications. The Commission has adopted Recommendations on ADR in 1998 and 2001, thereby setting out principles to be applied to such systems. Several initiatives are underway regarding consumer protection-related ADR systems (e.g. EEJ-NET) [36]. Article 17 of the Directive on electronic commerce also encourages the development of such mechanisms.

[36] More information is available at: http://europa.eu.int/comm/consumers/redress/out_of_court/index_en.htm

Out-of-court redress mechanisms exist in some countries, sometimes established by legislation, though they vary in many respects, such as origin (branch-specific, e.g. direct marketing, e-mail marketing), 'jurisdiction', powers and sanctions (e.g. damage claims), involvement of specific authorities (e.g. DPAs, advertising standards bodies), etc.

For those mechanisms to be sufficiently effective, certain conditions need to be met, such as how they are organised and promoted, and how compliance with rulings is ensured. Setting them up would also require co-operation between authorities and industry.

4.2.2. Proposed actions

The creation and use of effective self-regulatory complaints mechanisms and alternative dispute resolution mechanisms (ADR) is encouraged, building on existing initiatives whenever possible (e.g. EEJ-NET). They could be particularly useful with respect to cases where international co-operation would be more difficult to achieve.

4.3. Technical issues

4.3.1. Discussion

Different solutions are used to counter spam on the technical front. The Internet community (e.g., RIPE, IETF) has also been taking the problem of spam seriously [37]. Longer-term initiatives, such as new technical standards for e-mail, are not covered in the present document. ISPs and ESPs often block incoming mail from servers that are used for sending spam (black listing) until the source of the spam is identified and prevented from using the server. In addition, filtering software can be employed by individual users within their own terminal equipment or by electronic communications service providers within their servers.

[37] For instance, the RIPE (Réseaux IP Européens) Anti-spam Working Group has been active since 1998. The document "Good Practice for combating Unsolicited Bulk Email" can be found on the RIPE website (see: http://www.ripe.net). More recently, the IRTF (Internet Research Task Force) has set up an Anti-Spam Research Group (see: http://www.irtf.org/charters/asrg.html). This group may develop certain technologies that could serve as a starting point for standardisation efforts within the IETF (Internet Engineering Task Force).

However, not all filtering practices and techniques offer the same level of user control. Nor do they offer the same guarantees for data protection and privacy, such as respect for the confidentiality of communications. They may also not yet be adapted to the new opt-in regime applicable in EU countries for marketing communications (prior consent-based, marketing related, bulk and non-bulk). Also, more differentiation between legitimate marketing (e.g. opt-in compliant) and unsolicited commercial communications may allow the development of more effective filtering software.

While the new legal provisions on unsolicited commercial e-mail provide additional safeguards for the user and greater security for service providers to undertake action on request against 'spammers', filtering may occasionally block legitimate e-mail ('false positives') or allow spam to get through ('false negatives'). In some cases, this can create a risk that either a sender or an intended addressee undertakes legal action against an ISP/ESP. Some ISPs/ESPs therefore offer filtering as an optional service to their users and require permission for activating it.
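The three points made above (labels such as 'ADV' in the subject line, compatibility of filters with the opt-in regime, and the cost of false positives and false negatives) can be shown together on a toy filter. The following is an added example, not code from the Communication or from any filtering product; the keyword rules, addresses, opt-in register and messages are all constructed for illustration.

```python
"""Toy content filter evaluated for 'false positives' (legitimate mail
blocked) and 'false negatives' (spam delivered), with an opt-in register
so that labelled advertising from a sender the user consented to is not
blocked by keyword matching. Everything here is constructed sample data."""
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    is_spam: bool  # ground truth, set by hand for the evaluation


# Constructed opt-in register: the recipient consented to mail from these senders.
OPT_IN_SENDERS = {"news@example-shop.test"}

# Crude keyword list standing in for whatever a real content filter scores on.
SPAM_TERMS = ("free money", "click here", "act now")


def classify(msg, opt_in):
    """Return 'deliver' or 'block'.

    Advertising that carries the 'ADV:' label and comes from a sender on the
    user's opt-in register is delivered regardless of content; this is what
    makes the filter compatible with an opt-in regime. Everything else is
    judged on keyword hits alone."""
    if msg.subject.startswith("ADV:") and msg.sender in opt_in:
        return "deliver"
    text = (msg.subject + " " + msg.body).lower()
    hits = sum(term in text for term in SPAM_TERMS)
    return "block" if hits >= 1 else "deliver"


def evaluate(messages, opt_in):
    """Count false positives and false negatives of classify() over a sample."""
    fp = fn = 0
    for m in messages:
        verdict = classify(m, opt_in)
        if verdict == "block" and not m.is_spam:
            fp += 1
        elif verdict == "deliver" and m.is_spam:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn, "total": len(messages)}


# Constructed sample: one consented advert, one personal mail that trips a
# keyword, one unlabelled-sender advert, one spam with no keyword hits.
SAMPLE = [
    Message("news@example-shop.test", "ADV: Winter sale, act now", "Prices cut.", False),
    Message("friend@example.test", "Lunch?", "Free money? No, but free lunch on me.", False),
    Message("random@mailer.test", "ADV: Free money", "click here", True),
    Message("other@mailer.test", "Hello", "Greetings, please reply", True),
]

if __name__ == "__main__":
    # Without the opt-in register the consented advert is a false positive too.
    print("no opt-in register:", evaluate(SAMPLE, set()))
    print("with opt-in register:", evaluate(SAMPLE, OPT_IN_SENDERS))
```

Running the block shows that the opt-in register removes one false positive (the consented, labelled advert) while the keyword-only false positive and the false negative remain, which is the trade-off the text describes.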

Although it is beyond the scope of this Communication to address them, other issues, such as filtering versus freedom of expression and filtering versus the contractual obligation of ISPs/ESPs to transmit email messages to their clients' customers, are also presented by the use of filtering techniques to combat spam.

As regards filtering in mobile services, the different business model environment for mobile services compared to fixed internet services may justify different solutions. In particular, the former model would normally include per-message delivery charges, which make spam more costly. However, some new services entail charging based on retrieval, and this means that spam increases the costs for the recipient. In addition, e-mail can now be delivered to mobile terminals. Filters and viewing facilities could then be provided to subscribers to manage mobile spam.

Attention is also needed on open relays. In short, open relays are SMTP servers that can be used for relaying messages that are sent by users other than local users of the server. In the past, most relays were open. However, when relays are open, they can be used by spammers to send unsolicited communications quite easily. Simple preventive measures would reduce the possibilities for such abuse. The same is true for open proxies, which are servers that run software allowing direct interaction with the Internet.
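The relay decision that distinguishes an open relay from a properly secured server can be modelled in a few lines. This is an added example, not code from the Communication or from any mail server; the network ranges, domains and session values are constructed, and the comments name the Postfix restrictions each step corresponds to only as a point of reference.

```python
"""Model of the per-recipient relay decision an SMTP server makes, contrasting
an 'open relay' policy with a closed one. The closed policy follows the usual
order: permit clients on the server's own networks, permit authenticated
users, accept mail addressed to the server's own domains, and refuse to relay
anything else. All networks, domains and sessions below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    client_ip: str
    authenticated: bool  # client completed SMTP AUTH
    sender: str
    recipient: str


LOCAL_DOMAINS = {"example.test", "mail.example.test"}  # constructed
MY_NETWORKS = [  # constructed local ranges
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def open_relay_policy(s):
    """Historic behaviour: relay for any client to any destination."""
    return "accept"


def closed_relay_policy(s):
    """Relay only for local networks or authenticated users; otherwise only
    accept mail destined for our own domains."""
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return "accept"  # cf. Postfix permit_mynetworks
    if s.authenticated:
        return "accept"  # cf. Postfix permit_sasl_authenticated
    if domain_of(s.recipient) in LOCAL_DOMAINS:
        return "accept"  # inbound mail for our own users
    return "reject: relay access denied"  # cf. Postfix reject_unauth_destination


def is_open_relay(policy):
    """Self-check for an operator's own policy: would an unknown,
    unauthenticated client get mail relayed to a foreign domain?"""
    outsider = Session("203.0.113.7", False, "someone@elsewhere.test", "user@other.test")
    return policy(outsider) == "accept"


if __name__ == "__main__":
    print("open policy is an open relay:", is_open_relay(open_relay_policy))
    print("closed policy is an open relay:", is_open_relay(closed_relay_policy))
```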

4.3.2. Proposed actions

Member States and competent authorities are invited to clarify the legal conditions in their country under which different types of filtering software can operate, including privacy requirements.

Filtering software providers must ensure that their filtering systems are compatible with the opt-in regime and other requirements of EU law, including requirements linked to the confidentiality of communications.

Users should be given the opportunity to manage the way in which incoming spam is handled, according to individual needs. Filtering software providers need to take into account the consequences for users of 'false positives', 'false negatives', certain forms of content-based filtering, and the possible associated liability issues.

Filtering companies should cooperate with interested parties to develop techniques recognising marketing e-mails corresponding to accepted marketing practices under Community law, including webseals, labels, etc.

Providers of e-mail services (and of mobile services where appropriate) should offer filtering facilities or services to their customers as an option available on request, as well as information on third party filtering services and products available to end-users.

Owners of mail servers should make sure that their servers are properly secured so that those servers are not in 'open relay' mode (if this is not justified). The same applies to open proxies.

5. AWARENESS ACTIONS

This section on awareness issues covers proposed actions in areas like prevention, consumer awareness and reporting.

5.1. Discussion

EU Member States should have transposed the new opt-in regime for unsolicited e-mail into national law by 31 October 2003 at the latest. While this new approach has had a fair amount of publicity in the press, some uncertainty may remain among market players and citizens about what the 'opt-in' actually means in practice [38].

[38] Background information on the rules applicable to unsolicited communications under Directive 2002/58/EC is available at the following URL address: http://europa.eu.int/information_society/topics/ecomm/all_about/todays_framework/privacy_protection/index_en.htm


This new approach is based on user empowerment to consent or not to receiving commercial communications. To enable this, however, users must be aware of the basic rules applicable to unsolicited communications and where to report problems.


Best practice

The UK Information Commissioner (the UK data protection authority) has published, a few weeks before the entry into force of the new regulations implementing the Directive, a guidance document explaining the new UK rules, with a specific part on marketing by electronic means. The Information Commissioner has also announced that complaints forms would be available online and from their offices when the rules come into force, setting out the information likely to be needed [39].

[39] See: http://www.dti.gov.uk/industries/ecommunications/directive_on_privacy_electronic_communications_200258ec.html


Users must also understand the risks of sharing their personal data over the Internet (e.g. leaving them when visiting websites or Usenet) and should adapt their behaviour accordingly.

Finally, they need to know what filtering software is on the market and what service and software providers (e.g. ISPs, ESPs) can do for them.

Best practice

The 'Commission Nationale de l'Informatique et des Libertés' ('CNIL'), i.e. the French Data Protection Authority, has posted a substantial information package on its website relating to various aspects of spam: the results of its e-mailbox experience and the cases referred to judicial authorities (see below), basic guidance on how to prevent spam, information on how to report spam, references of users' associations active in this area, etc.

While awareness-raising activities concerning the new opt-in regime have been undertaken, or are envisaged, in most Member States, they differ widely in terms of timing, the nature of information provided, the target audience and the parties involved. Some Member States however wait until their laws are in place. Public consultation on the implementation of Directive 2002/58/EC has contributed to a certain degree of awareness whenever it has been organised.

Various authorities can be responsible for these activities depending on their respective powers in a given Member State (e.g. DPAs, NRAs, CPAs, ombudsmen). Co-ordination among the various competent authorities does not (yet) exist in all Member States. Ministries appear to be involved in some Member States. Industry associations are often involved. Sometimes consumer or user associations are also taking part in these activities.

Some parts of industry have also undertaken awareness raising activities at national, EU or global level, although here again these activities can differ widely. These include:

- practical guides to direct marketeers, or campaigns directed at the communications sector in particular;

- general guidance to customers on codes of conduct, complaint mechanisms and filtering;

- platform/working groups to develop best practices for commercial communications.


5.2. Proposed actions

In order to achieve a high level of understanding about the new do's and don'ts with regard to commercial e-mail, broad and sustained action is needed in the short term in all Member States on both prevention and enforcement. Practical information on prevention, acceptable marketing practices, and on technical and legal solutions available to users should be provided.

All parties are invited to play their role in awareness raising activities, from Member States and competent authorities, through businesses, to consumers/user associations. Member States and competent authorities not yet doing so are invited to launch or support campaigns in early 2004.

In particular as regards the nature of information provided, activities targeted at businesses and/or consumers should include:

- ensuring a basic but widespread understanding of the new rules and of their rights under these rules;

- practical information on acceptable marketing practices under the opt-in regime including clarification of legitimate collection of personal data;

- practical information for consumers to know how to avoid spam (e.g. use of personal data, etc.);

- practical information for consumers on products and services available to avoid spam (e.g. filtering, security);

- information on practical steps when confronted with spam, including on complaints mechanisms and ADR systems where available.

These actions should reach the following target groups:

a) companies involved in or making use of direct marketing,

b) consumers who subscribe to e-mail services, including SMS services and

c) providers of e-mail services, including providers of mobile services.

Awareness activities should be carried out through different channels (not only web-based), with a view to effectively reaching the various audiences targeted. In this regard, involvement of industry and consumer associations is important. Co-ordination between the possible various initiatives should be ensured.

Actions listed above should also refer to effective industry codes of conduct, complaints mechanisms, labels (e.g. 'trustmarks') and certification schemes where available.

The Commission services already provide information on the basics of opt-in on the EUROPA website [40]. They will also provide references via hyperlinks to national implementation aspects, as well as on basic figures and trends on spam where available. The Commission services will also use the Euro Info Centres to disseminate information on the new rules.

[40] http://europa.eu.int/information_society/topics/ecomm/highlights/current_spotlights/spam/index_en.htm

Conclusion

Spam is one of the most significant challenges facing the Internet today. Addressing spam however requires action on various fronts, involving not only effective enforcement and international co-operation, but also self-regulatory and technical solutions by industry, and consumer awareness. The series of actions identified in the present Communication has been summarised in the table below.

While the Commission will support these efforts as much as possible, it will primarily be for EU Member States and competent authorities, industry, and consumers and users of the Internet and electronic communications services to play their role, both at the national and international level.

Integrated and parallel implementation of the series of actions identified in this Communication, which have the broad support of interested parties, can contribute to greatly reducing the amount of spam that is currently compromising the benefits of e-mail and other electronic communications for our societies and our economies.

The Commission will monitor the implementation of these actions during 2004, including via the informal group on unsolicited communications. It will assess by the end of 2004 at the latest whether additional or corrective action is needed.

Table of actions identified in the Communication

The table below summarises the actions identified in the Communication. For the purpose of this table, Commission/Commission services actions have been listed separately. As indicated above, actions are related to each other in several ways and should be implemented as much as possible in parallel and in an integrated fashion.


I - Effective implementation and enforcement by Member States and competent authorities

As a prerequisite, Member States should transpose the Directive on Privacy and Electronic Communications, in particular the provisions on unsolicited communications, without any further delay.

Member States and competent authorities should assess the effectiveness of their enforcement mechanisms in terms of remedies and penalties, complaint mechanisms, intra-EU co-operation and co-operation with third countries and monitoring. Member States should also develop national strategies to ensure co-operation between DPAs, CPAs and NRAs, and to avoid overlap and duplication between the authorities.

Member States and competent authorities should in particular:

(a) Effective remedies and penalties

- create adequate possibilities for victims to claim damages and provide for real sanctions, including financial and criminal penalties where appropriate;

- in Member States with no administrative remedies, consider the creation of such administrative remedies to enforce the new rules;

- equip competent authorities with the required investigation and enforcement powers;

(b) Complaints mechanisms

- establish adequate complaint mechanisms, including dedicated e-mailboxes for users to complain;

- co-ordinate the action of the various competent national authorities involved;

(c) Cross-border complaints and co-operation on enforcement inside the EU

- use existing, or if needed create, a liaison mechanism by which national authorities can cooperate in pursuit of cross-border enforcement (information exchange, mutual assistance) inside the EU. In this context, regarding fraudulent and deceptive spam in particular, the Council and the Parliament are urged to agree as quickly as possible on the proposed Regulation on consumer protection co-operation and investigate how far the Directive on Privacy and Electronic Communications should be added to the scope of the Regulation;

(d) Co-operation with third countries

- actively participate in multilateral forums (e.g. OECD) to elaborate solutions at the international level;

- reinforce, or engage in, bilateral co-operation with third countries;

- investigate with the Commission what specific initiative it could take to facilitate international co-operation;

- cooperate with the private sector to trace back spammers subject to the appropriate legal safeguards.

(e) Monitoring

- ensure that they have the information and statistics needed to target their enforcement efforts, in co-operation with industry where appropriate and taking into account the ongoing OECD work on measurement.


II - Self-regulatory and technical actions by industry

Market players (e.g. ISPs, ESPs, mobile operators, software companies, direct marketeers) should seek to turn the opt-in regime into a day-to-day practice, in co-operation with consumer/user associations and competent authorities whenever appropriate, and in particular:

(a) Self-regulatory actions

- assess, and if needed adapt, service providers' (ISPs, ESPs, mobile operators) contractual practices towards subscribers and towards business partners; provide information on filtering and possibly provide filtering software or services as optional customer service;

- adapt direct marketing practices to the opt-in regime, and possibly agree specific, legally compliant methods to collect personal data (e.g. 'double' or 'confirmed' opt-in systems);

- develop and disseminate effective codes of practice (e.g. the FEDMA initiative) which are opt-in compliant, in co-operation with the Article 29 Data Protection Working Party or competent national authorities where appropriate;

- consider the use of labels for opt-in compliant e-mails and databases to help users (and filters) recognise them, in line with the Directive on Electronic Commerce;

- use, or create if needed, effective self-regulatory complaints mechanisms and alternative dispute resolution mechanisms (ADR) building on existing initiatives whenever possible (e.g. EEJ-NET).

(b) Technical actions

- (Filtering software providers) must ensure that their filtering systems are compatible with the opt-in regime and other requirements of EU law, including requirements linked to the confidentiality of communications; Member States and competent authorities are invited to clarify the legal conditions in their country under which different types of filtering software can operate, including privacy requirements

- (Filtering software providers) need to take into account the consequences for users of 'false positives', 'false negatives', certain forms of content-based filtering, and the possible associated liability issues. Users should be given the opportunity to manage the way in which incoming spam is handled, according to individual needs

- (Filtering software providers) should cooperate with interested parties to develop techniques recognising legitimate marketing e-mails (i.e. those corresponding to accepted marketing practices under Community law), e.g. through labels;

- (Providers of e-mail services, and of mobile services where appropriate) should offer filtering facilities or services to their customers as an option available on request, as well as information on third party filtering services and products available to end-users

- (Owners of mail servers) should make sure that their servers are properly secured so that those servers are not in 'open relay' mode (if this is not justified). The same applies to open proxies.


III - Awareness actions by Member States, industry and consumer/user associations

Member States and competent authorities not yet doing so are invited to launch or support campaigns in early 2004.

All parties, from Member States and competent authorities, through businesses and industry, to consumer and/or user associations, should be active in practical information campaigns on prevention, acceptable marketing practices, and on technical and legal solutions available to users, and in particular:

- target actions at a) companies involved in or making use of direct marketing, b) consumers who subscribe to e-mail services, including SMS services and c) providers of e-mail services, including providers of mobile services.

- provide businesses and/or consumers with:

- a basic but widespread understanding of the new rules and on their rights under these rules;

- practical information on acceptable marketing practices under the opt-in regime including clarification of legitimate collection of personal data;

- practical information for consumers to know how to avoid spam (e.g. use of personal data, etc.);

- practical information for consumers on products and services available to avoid spam (e.g. filtering, security);

- information on practical steps when confronted with spam, including on complaints mechanisms and ADR systems where available.

- refer to effective industry codes of conduct, complaints mechanisms, labels (e.g. 'trustmarks') and certification schemes where available.

- carry out these awareness activities through different, online and offline, channels, with a view to effectively reaching the various audiences targeted.

In this regard, involvement of industry and consumer associations is important. Co-ordination between the possible various initiatives should be ensured.


IV - Actions by the Commission/Commission services

The Commission will monitor the implementation of the actions summarised above during 2004, including via the informal group on unsolicited communications, and will assess by the end of 2004 at the latest whether additional or corrective action is needed.

As a general rule, the Commission will continue to closely monitor the implementation of the Directive. It will in particular look to confirm that national transposition measures provide for real sanctions in the event of a breach of the relevant requirements, including where appropriate financial or criminal sanctions. (The Commission has launched infringement proceedings in November 2003 against a number of Member States, which have failed to notify their national transposition measures.) The Commission services are willing to assist Member States if needed;

The Commission services have created an informal online group on unsolicited commercial communications, with the support of Member States and data protection authorities. The group will facilitate work on effective enforcement (e.g. complaints, remedies, penalties, international co-operation) and on the other actions identified in this Communication;

The Commission services will ask the Article 29 Data Protection Working Party to adopt an opinion on some concepts used in the Directive on Privacy and Electronic Communications as quickly as possible, in order to contribute to a uniform application of national measures taken under the Directive;

The Commission services have started to investigate, together with Member States and national authorities involved with enforcement, how best to ensure cross-border enforcement inside the EU and with third countries. This work with national authorities will continue throughout 2004;

The Commission will support Europe-wide online codes of conduct for direct marketing, and if appropriate their approval by the Article 29 Data Protection Working Party;

The Commission will host an OECD workshop on spam in February 2004 and will discuss follow-up actions with Member States, including OECD work to promote effective legislation internationally, awareness, technical solutions, self-regulation, and international co-operation on enforcement;

The Commission will also investigate how best to follow up the results of the 2003 World Summit on the Information Society in the EU, taking account of the Tunis Summit to be held in 2005;

The Commission has published a call for proposals under the Safer Internet programme where projects could be proposed to deal with spam under various actions; the Commission is currently preparing a proposal for a follow-up programme, Safer Internet plus, which will propose funding of further measures to deal inter alia with spam;

The Commission services will continue to provide information on the basics of opt-in on the EUROPA website. It will also provide references via hyperlinks to national implementation aspects, as well as on basic figures and trends on spam where available. The Commission services will also use the Euro Info Centres to disseminate information on the new rules.