ARCHIVED—Part I: Overview of Questionnaires on Cross-Border Enforcement of Anti-Spam Laws

International Spam Measures Compared
Task Force on Spam
May 2005

---

In April 2004 Australia enacted spam legislation to be enforced via the Australian Communications Authority (ACA). The Spam Act 2003 provides civil and administrative powers to address the prohibition against sending unsolicited commercial email. The Act uses an opt-in system and requires that commercial electronic messages include accurate sender identification and a functional unsubscribe system. It also prohibits the use of address-harvesting software and harvested-address lists for spamming purposes. The Act applies to electronic messages of various kinds that have an "Australian link," and applies to even a single violating electronic message. The ACA has investigatory powers and has the power to seek and levy fines and penalties. Spammers in Australia are subject to penalties of up to A$1.1 million per day for repeat corporate offenders. The Act provides that compensation can be paid to a victim or to the Commonwealth. Fines of up to A$220 000 are available for individuals.

The Act includes an exemption for Internet service providers (ISPs) for their role in the delivery of spam. There is also an exemption for purely factual information, allowing vendors to send unsolicited newsletters that do not solicit the recipients' business. In the case of factual information, the legislation enforces an opt-out regime.

The Telecommunications Act 1997 also contains useful provisions regarding industry codes and standards. Australia has also developed an interesting co-regulatory regime with industry.

The Australian Competition and Consumer Commission and the Australian Federal Police have criminal powers that can be used to address certain classes of unsolicited email.

The Spam Act 2003 makes express provision for making and giving effect to international conventions. Australia has so far entered into international agreements with the U.K., the U.S., Korea and Thailand.

Canada has not enacted any spam-specific legislation, but is currently examining the need for it, based on the effectiveness of existing measures available in various statutes, including the Competition Act, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Criminal Code of Canada. Those statutes include some, although not all, of the measures that are generally available in spam-specific legislation. It remains to be seen whether they can be used as effective tools against spammers.

The Competition Bureau can take action on spam that includes information that is false or misleading in a material respect, and both civil and criminal processes are available under the Competition Act. In order to successfully prosecute a criminal case, the requisite intent must be proven. On the civil side, administrative fines of C$50 000 for an individual and C$100 000 for a corporation are available for first offences. These amounts double for subsequent offences. Amendments to the Competition Act to significantly increase those penalties are currently being considered by Parliament.

The Office of the Privacy Commissioner of Canada can address the use or collection of personal information without consent, as well as failure to respect opt-out requests. An application can also be made to the Federal Court of Canada, either by the Office of the Privacy Commissioner of Canada or by complainants, for damages arising from a breach of PIPEDA.

The Criminal Code of Canada can address spam involving fraud or other illegal activities, and also includes provisions prohibiting the unauthorized use or abuse of computers.

Canada, arguably, has an opt-in regime, pursuant to the requirements of PIPEDA, which requires commercial bulk emailers who establish or acquire lists of email addresses to ensure that their recipients have given some form of consent to receive commercial solicitation. Email addresses can only be used for the purpose for which they are collected, and can only be put to secondary uses if the owners of these email addresses consent. While PIPEDA was not designed to address spam, it has, this way, effectively established an opt-in regime in Canada. Furthermore, PIPEDA requires that unsubscribe functions be operative and respected in such emails.

In fall 2004 the Czech Republic enacted spam-specific legislation in the form of the Certain Information Society Services Act. The Act provides for fines where the Act has not been followed, and designates the Office for Personal Data Protection as the authority having responsibility for the Act. The Act uses an opt-in regime and requires sender identification and an effective unsubscribe function. The Act also requires that commercial messages be identified as such, and that the identity of the senders not be concealed. Fines of up to CZK10 million or CZK1 million are available for various contraventions of the Act.

Denmark has passed the Marketing Practises Act (MPA), which established an opt-in scheme according to European Commission Directive 2002/58/EC (Directive on privacy and electronic communications). Under the MPA, the Danish Consumer Ombudsman is responsible for the enforcement of Danish anti-spam rules, although the police are responsible for the prosecution of spammers. The MPA provides civil, criminal and administrative powers. The Ombudsman can take legal action if marketing activities do not meet the opt-in requirements, and if they are directed at Danish consumers or email users. Denmark has also cooperated with the U.S. Federal Trade Commission (FTC) on open proxies, which are proxy servers left open in a way that anyone can find them and use them to shroud their identity or the source of spam.

Effective September 2004, Finland passed the Act on Data Protection in Electronic Communications. The Act implements European Commission Directive 2002/58/EC, regarding spam, and also gives ISPs the right, in certain circumstances, to block spam without the recipient's consent. Directive 2002/58/EC provides an opt-in regime for personal data processing involved in electronic communication in direct marketing (Chapter 7). Where there is a pre-existing commercial relationship it requires an unsubscribe mechanism. The legislation is enforced by the Data Protection Ombudsman and the Finnish Communications Regulatory Authority. Penalties for failing to comply include orders to rectify the error or omission, fines, and termination of the offending business. When fraudulent and deceptive marketing is directed toward Finnish consumers from spammers outside the country, the Consumer Ombudsman can take action against the foreign spammers.

France has several legislative provisions that can be used in the fight against spam. In June 2004 it passed the Loi pour la confiance en l'économique numérique, which contained spam-specific provisions, including an opt-in regime for natural persons, and was intended to implement Directive 2002/58/EC. France's National Data Processing and Liberties Commission is responsible for enforcing the country's spam laws. It began collecting evidence of spam through a "spam box" in July 2002, and has since taken legal action against spammers.

Japan has passed the Law on Regulation of Transmission of Specified Electronic Mail. The Law establishes an opt-out regime, but requires sender identification and that unsubscribe instructions be followed. Various Japanese enforcement agencies have administrative powers that can be used if the Act is not followed. Failure to abide by administrative orders can result in criminal sanctions for spammers.

The Netherlands implemented European Commission Directive 2002/58/EC with its Telecommunications Act, which established an opt-in regime. The Act requires sender identification and valid unsubscribe functions. The Dutch Personal Data Protection Act also provides some protection against spam. While criminal prosecution powers are available, the Netherlands primarily uses administrative powers to enforce anti-spam legislation, with various administrative agencies being responsible for the enforcement of anti-spam laws. Violators of the Telecommunications Act can face administrative penalties of up to €450 000.

In March 2001 Norway passed amendments to the Marketing Control Act, which established an opt-in regime in that country. Norway mostly uses administrative powers in dealing with spammers. Prohibitions, fines and imprisonment are all available penalties, although penal cases are rarely investigated. Norway has entered into an agreement with the Nordic Consumer Ombudsmen.

South Korea has not enacted spam-specific legislation, but does have several pieces of legislation that include anti-spam measures and have resulted in an opt-out regime. Korean laws require that commercial messages be identified as such, that their sender's identity be evident and that they include a functional unsubscribe option. The Korea Fair Trade Commission (KFTC) operates a system through which consumers can register their refusals to receive any advertising emails or phone calls. Administrative orders and fines are available penalties, and cases can also be transferred to the Public Prosecutor's Office to be pursued criminally. Legislation also prohibits using address-generating software, as well as sharing, selling, exchanging or providing harvested-email address lists. ISPs have expressly been given the power to deny service if there is reasonable suspicion of spam. The Korea Information Security Agency (KISA) has also entered into memorandums of understanding (MOUs) with Australia.

The U.K. enacted The Privacy and Electronic Communications (EC Directive) Regulations 2003 in order to address spam. The Regulations provide an opt-in regime for individuals, but implied consent is sufficient to stay within the law. A valid email address must be provided to which recipients can send requests to opt out. The Regulations also prohibit the transmission of marketing email that conceals the identity of the sender. The Information Commissioner's Office is responsible for the enforcement of the law. Failure to comply with an enforcement notice issued by the Office can attract a potentially unlimited fine in Crown Court. Individuals have a private right of action under the Regulations, and can recover quantifiable damages.

The U.S. passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) in January 2004, providing an opt-out regime. While many U.S. states have also passed laws addressing spam, they are pre-empted by CAN-SPAM except to the extent to which they address falsity or deception in commercial email messages. CAN-SPAM applies to commercial electronic messages, but not to messages relating to transactions and existing business relationships. It requires all commercial electronic messages to include an indication that the message is a solicitation, opt-out instructions and the physical address of the sender. False or misleading information in commercial email is forbidden, including in headers, subject lines and the message text.

ISPs are exempt from liability under the CAN-SPAM Act. Further, the Act provides a private right of action for ISPs. Violators of the Act can be fined up to US$250 per violation, to a cap of US$2 million, for non-wilful noncompliance; and up to US$6 million for intentional violations, plus unlimited punitive damages for fraud and abuse. In the most severe cases, prison sentences of up to five years are available as penalties.