This article has been produced in three parts. Part I, below, looks looks at anti-spam legislation in the UK, France and Sweden. Part II looks at The Netherlands and Italy and Part III looks at Germany and Belgium.

Introduction

By 31 October 2003, all EU Member States, together with Norway, Iceland and Liechtensteinshould have implemented new, anti-spam legislation, to comply with the European Directive on Privacy and Electronic Communications.

The Directive introduces a mandatory prior consent, i.e. opt-in, rule for marketing and promotional e-mails sent to individuals. E-mails can still be sent on an opt-out basis by an organisation to its own customers in some limited circumstances. Member States may also choose to extend the opt-in procedure to e-mails sent to corporates.

Organisations that send marketing or promotional e-mails across the EEA will need to look at the rules in each country in which they are established and to which they send promotional e-mails. This may mean that organisations need to have different approaches to e-mail marketing for different countries; this may cause practical difficulties for anyone who has a central marketing database.

The new legislation will require most EU businesses to redesign their e-mail marketing campaigns. However, despite imposing a compliance burden on EU businesses it seems unlikely that it will have much practical impact on spam. Most spam originates in the US or in South East Asia; outside the jurisdiction and practical reach of EU data protection authorities.

United Kingdom

Implementation

The Directive on Privacy & Electronic Communications was implemented by The Privacy and Electronic Communications (EC Directive) Regulations 2003 S.I. 2003/2426 which came into force on 11 December 2003. The Information Commissioner, the UK’s data protection authority, issued authoritative guidance on the new Regulations on 13 November 2003 which is available at http://www.informationcommissioner.gov.uk/eventual.aspx?id=96.

Individual subscribers

The Regulations have introduced an opt-in regime for individual subscribers. Direct marketing material may not be sent by e-mail to individual subscribers unless recipients have previously notified their consent.

There is a limited exception to this (referred to as a “soft opt-in”), which allows the continued use of an opt-out provided that the direct marketing is:

  • only applied to marketing contacts with whom there has already been a sale or a negotiation for a sale (as opposed to pure contacts)
  • carried out by the same legal entity that obtained the individual’s details
  • limited to similar products and services
  • to an individual who was offered an opt-out when their details were first obtained.

Third party, bought-in lists cannot be used on the basis of the soft opt-in.

Direct marketers should note that the opt-in rule is not limited to “consumers”. It applies to all non-corporates, i.e. partnerships and sole traders have the same rights as private individuals. Accordingly, the Regulations do apply to B2B marketing.

The opt-in rule applies to “unsolicited” communications and calls. There is, therefore, scope to side-step the Regulations if marketing material can be classified as “solicited”, i.e. if the individual has actively invited the contact. Direct marketing statements can sometimes be worded so as to fall into this category and hence, to fall outside the opt-in rule.

Corporate subscribers

The opt-in rule does not apply to corporate subscribers. These include companies, corporations and Scottish partnerships (not English partnerships) or other entities that have no separate legal existence to their members.

However, where the sending of marketing material to the employee of a company includes the processing of personal data (as it would where the direct marketer knows the name of the person they are contacting, i.e. fred@acorporate.com, not dataprotection@acorporate.com), then that individual has a right under general data protection legislation to request that the marketer cease sending him marketing material.

E-mail opt–out registers

Article 7 of the Electronic Commerce Directive (2000/31/EC) allowed for a possible “opt-out” register for unsolicited commercial e-mails. The UK Government considers that industry opt-out schemes are sufficient and so did not include the “opt-out” register in the Regulations transposing the E-Commerce Directive, the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/213) or in these new Regulations. In any event, most spam originates outside the EEA and EEA e-mail registers are peripheral to that traffic (and possibly even counter-productive since unscrupulous spammers may harvest the registers for active e-mail addresses).

The Direct Marketing Association provides a link on its web site to the E-mail Preference Service operated by the American DMA which allows individuals to register their e-mail address so as not to receive unsolicited sales and marketing email messages (http://www.dma.org.uk/Shared/Consumer.asp).

No concealed identities

Marketers must not conceal their identity when they send or instigate the sending of marketing e-mails, whether to corporates or individuals. Marketers must also always provide a valid address to which the recipient can send an opt-out message.

Historic data

The Regulations apply equally to new data collected after 11 December 2003 and e-mail data collected before that date, i.e. to historic or “legacy” data. Organisations may only continue to use such legacy data for direct marketing to individual subscribers if they fall within the provisions of the soft opt-in exemption. If they cannot rely on the soft opt-in then, strictly speaking, such organisations would need to re-approach these legacy contacts to obtain opt-in consent with the risk of getting very few positive returns. However, the Commissioner has taken a relaxed approach to this in his guidance. His view is that provided such legacy data was obtained in accordance with privacy legislation in force prior to 11 December 2003 and has been used recently, organisations may continue to use it on an opt-out basis.

Territorial application

The Commissioner applies the Regulations to data controllers either established in the UK or to data controllers from outside the EEA who use equipment in the UK. This is not stated in the Regulations but is the position, under general data protection legislation, which the Commissioner applies to the Regulations.

Enforcement

Individuals may seek compensation from the marketer for breach of the Regulations if they have suffered “damage”. Since this entails proving physical or economic loss for unsolicited direct marketing, it is going to be of limited application. A competitor that has complied with the Regulations may also bring a claim if it can show that it has lost sales to an organisation that has not complied.

The Commissioner may take enforcement action on his own initiative or as a result of a complaint by a person affected or by OFCOM. The Commissioner is seeking stronger enforcement powers, such as “stop-now” orders or powers to levy direct fines. Although such provisions were not incorporated into the Regulations, the UK Government is committed to holding further discussions on the issue of enforcement.

Breach of the Regulations may also mean that an organisation breaches the Advertising Standard Authority’s CAP Code; this could lead to adverse publicity, loss of advertising space and discounts.

The UK section of this article was written by Ruth Boardman, Bird & Bird London.

France

Implementation

The Privacy and Electronic Communications Directive 2002/58/EC has not yet been implemented under French law, but the process is currently underway. The provisions concerning spam are the subject of article 12 of the draft law relating to “confidence in the digital economy” (“Loi sur la confiance en l’économie numérique”, hereafter the “Draft Law”). The first reading of the Draft Law was adopted by the Legislative Council (Assemblée Nationale) on January 2004.

The Draft Law, as amended by the Assemblée Nationale, must be submitted for a second reading to the Senate in April 2004. At that stage of the legislative process, the Senate shall accept, reject or amend the provisions adopted by the Assemblée Nationale.

The provisions described below are, therefore, still subject to completion of the legislative process.

Individual subscribers

The current French rule regarding the use of e-mail addresses for direct marketing to individual subscribers is an opt-out system. An opt-in system is only required for direct marketing by fax or automated calling systems.

However, article 12 of the Draft Law, which amended the French consumer code and the French telecom code, introduces an opt-in regime for direct marketing by e-mail to individual subscribers. Direct marketing material may not be sent via e-mail to individual subscribers unless recipients have previously expressed their consent.

There is limited exception to this rule, which allows the continued use of an opt-out regime provided that the following conditions are satisfied:

  • the personal data relating to the concerned individual has been collected directly from him/her in the context of a sale or a service
  • direct marketing is limited to similar products and services provided by the same individual or legal entity that obtained the individual’s details
  • the individual concerned was offered an opt-out when his/her details were first obtained and each time a marketing e-mail is sent.

It must be noted that the recorder of the Economic Affairs Commission (“Commission des affaires économiques”) specified in his report relating to the Draft Law that the choice of opt-in/opt-out depends on the nature of the recipient of the commercial e-mail:

(i) if the recipient is an individual, then an opt-in regime is required

(ii) if the recipient is a professional, then an opt-out regime is required

Corporate subscribers

The opt-in rule does not apply to corporate subscribers.

No concealed identities

Marketers must not conceal their identity when they send or instigate the sending of marketing e-mails, whether to corporations or to individuals. Marketers must also always provide a valid address to which the recipient can send an opt-out message.

Historic data

Data obtained in accordance with the French data protection regulation in force prior to the publication of the Draft Law (historic data) may continue to be used on an opt-out basis for marketing purposes during the six months following the publication of the Draft Law.

At the end of these six months, the data may only continue to be used if the individuals concerned have given their express consent to such use.

Territorial application

The provisions relating to spam should be applied to data controllers established in France, or to data controllers from outside the EEA who use equipment in France. This is not stated in the Draft Law, but this is the rule adopted under the general data protection regulation and the position applied by French Data Protection Authority.

Enforcement

The French Data Protection Authority will ensure that the provisions relating to spam are respected. In this regard, the Authority may investigate any complaint relating to the infringement of these provisions and then communicate such complaints to the Director of Public Prosecutions, if required.

Furthermore, any electronic communications service operator whose equipment has been used in an infringement of the provisions relating to spam can apply to join proceedings brought by the Director of Public Prosecutions or the injured party and can sue for civil injury.

The French section of this article was written by Nathalie Lambert, Bird & Bird Paris.

Sweden

Implementation

Article 13 of the EU Directive on Privacy & Electronic Communications (2002/58/EC) regarding integrity and electronic communication, was implemented in Sweden on 3 March 2004 when the Parliament passed a bill on amendments to the Swedish Marketing Practices Act (1995:450) concerning unsolicited marketing via e-mail. The amendments will enter into force on 1 April 2004.

Individual subscribers

The new regulations introduce an opt-in regime for individual subscribers. Direct marketing material may not be sent by e-mail to individual subscribers unless recipients have previously notified their consent.

There is an exception to the opt-in regime, which allows the continued use of an opt-out (can be referred to as a “soft opt-in”) provided that the direct marketing is:

  • only applied to marketing contacts with whom there has already been a sale
  • carried out by the same legal entity that obtained the individual’s details
  • limited to similar products and services
  • to an individual who has not opposed the use of the e-mail address for direct marketing via e-mail and who was offered an opt-out when their details were first obtained and for each occasion the details are used for direct marketing.

(Consequently all above mentioned criteria must be met for the soft opt-in alternative to be applicable.)

Registers and lists that have been purchased from third parties do not qualify to fall under the soft opt-in exemption.

Direct marketers should note that the opt-in rule is not limited to “consumers”. It applies to all non-corporates, i.e. partnerships and sole traders have the same rights as private individuals. Accordingly, the new regulations do to some extent apply to B2B marketing.

The opt-in rule applies to “unsolicited” direct marketing via systems without personal contact. The Swedish Legislator has chosen to keep the opt-out rule for other methods of remote communication, e.g. telemarketing, in the new regulations.

Corporate subscribers

The opt-in rule does not apply to corporate subscribers. These include companies and other entities that are legal entities.

However, the new regulations prescribe that all direct marketing must contain a valid address to which the receiver, whether a physical or legal entities, can send a request that the marketer cease sending him/it marketing material. Where the sending of marketing material to an employee of a company includes the processing of personal data (as it would where the direct marketer knows the name of the person they are contacting e.g. fred@acorporate.com, not dataprotection@acorporate.com), then that individual also has a right under the Swedish Personal Data Act to request that the marketer cease sending him marketing material.

E-mail opt–out registers

Article 7 of the Electronic Commerce Directive (2000/31/EC) allowed for a possible “opt-out” register for unsolicited commercial e-mails. Although the Swedish Legislator included a rule stating that marketers must check e-mail addresses against existing “opt-out” registers in the regulations transposing the Electronic Commerce Directive, no such opt-out register was ever created. Since all individuals have to opt-in according to the new regulations and it is considered that industry opt-out schemes are sufficient, the new regulations do not prescribe an opt-out register. In any event, most spam originates outside the European Economic Area (EEA) and EEA e-mail registers are peripheral to that traffic (and possibly even counter-productive since unscrupulous spammers may harvest the registers for active e-mail addresses).

No concealed identities

According to the new regulations marketers must not conceal their identity when they send or instigate the sending of marketing e-mails – whether to corporates or individuals. Marketers must also always provide a valid address to which the recipient can send an opt-out message.

Historic data

The new regulations will apply equally to new data collected after 1 April 2004 and e-mail data collected before that date i.e. to historic or “legacy” data. Such legacy data for direct marketing to individual subscribers may only continue to be used if it falls within the provisions of the soft-opt in exemption. If the soft opt-in exemption cannot be relied on then, strictly speaking, the marketer would need to re-approach the legacy contacts to obtain opt-in consent with the risk of getting very few positive returns.

Territorial application

The Swedish Consumer Agency is the supervisory authority for the Swedish Marketing Practices Act of which the Proposed Regulations will form a part. The Consumer Agency and its Director General, the Consumer Ombudsman, will apply the Proposed Regulations on all marketing activities directed to the Swedish market in accordance with a position statement regarding e-commerce and marketing on the Internet made in October 2002. The Position Statement on E-commerce and Marketing on the Internet can be found by clicking here.

It should also be noted that all data controllers compliance with the Swedish Personal Data Act regarding data processed in Sweden or transferred from Sweden is monitored by the Swedish Data Inspection Board.

Enforcement

Both individuals and legal entities, may seek remedy from the marketer for breach of the Proposed Regulations. There are three types of remedies:

  • injunction against the continuance of the marketing activities under penalty of a conditional fine
  • compensation for damages
  • a fine for disruptive marketing practices.

The Consumer Ombudsman may take enforcement action on his own initiative or as a result of a complaint by an affected person. The Consumer Ombudsman can demand an order for the marketer to provide information or an injunction against the continuance of the marketing activities under penalty of a conditional fine in the Swedish Market Court. The Consumer Ombudsman can also demand, in the District Court of Stockholm, that the marketer is ordered to pay a fine for disruptive marketing practices if the marketer or any person acting on behalf of it intentionally or negligently breaks e.g. the proposed rule on a valid address in all marketing e-mails.

Orders and injunctions combined with a conditional fine may be issued by the Consumer Ombudsman himself in cases of minor importance. What constitutes cases of minor importance is not defined in the Marketing Practices Act. All orders and injunctions issued by the Consumer Ombudsman can be appealed to the District Court of Stockholm, except orders to submit information.

The Swedish section of this article was written by Jim Runsten and Ida Smed Sorensen, Bird & Bird Stockholm.


Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.

Authors