This article has been produced in three parts. Part I looks at anti-spam legislation in the UK, France and Sweden. This article, Part II, looks at The Netherlands and Italy, and Part III looks at Germany and Belgium.
Perhaps unsurprisingly, the Dutch government did not succeed in implementing the Directive on Privacy & Electronic Communications on time. On 28 October 2003 the Lower House of the Dutch parliament adopted a legislative proposal to amend the Dutch Telecommunications Act of 1998 (the “Proposal”). With this amendment the new EC Telecommunication Directives, including the Directive on Privacy and Electronic Communications (the “Directive”), will be implemented. Before the new law can enter into force the Proposal will have to be adopted by the Upper House as well. This is expected to happen early in Q2 of 2004. The issue of spam was discussed extensively during the public hearing of the Proposal prior to its adoption by the Lower House. Article 13 of the Directive, about spam, will be implemented in article 11.7 of the new Telecommunications Act.
The Proposal introduces an opt-in regime for individual subscribers. Direct marketing material (which includes non-commercial and charitable advertising) may not be sent by electronic message, e.g. e-mail, SMS, fax or automatic calling systems, to individual subscribers unless recipients have previously notified their consent. The sender has the burden of proving the subscriber’s consent.
Answers to Parliamentary questions made clear that consent must be sought by the person wishing to carry out the marketing; it is not possible, or in line with the goal of the Directive, to ask for consent to forward the personal data to another sender.
As an exception to the opt-in rule, an opt-out regime can be used with respect to messages sent to individuals with whom the sender has had prior contact in the context of selling its goods or services, if:
- the individual was offered an opt-out (free of charge) when his details were first obtained
- the individual is offered the possibility to opt out under the same conditions in each message sent to him
- the marketing material is about the sender’s own similar products or services.
In relation to the last point the minister stated that the interpretation of ‘similar products and services’ should be based on the objective expectations of the person buying the product or services. Given this it is useful to provide, at the time of selling, information to the buyer about similar, or not so similar products and services about which he might receive messages in the future. For example, if you tell your wine-buying customer that you also offer packaged holiday trips to Bordeaux, it is more likely that these will qualify as ‘similar’.
Both the opt-in rule and the opt-out rule are limited to natural persons. However, this does include natural persons within companies.
E-mail opt-out registers
In The Netherlands there are several industry-organised opt-out registers for most types of direct marketing material, including traditional post. Since these self-regulating initiatives seem to be working rather well, the government does not feel the need to organise such a register itself. The respective organisations are the ‘Stichting Zelfregulering DM’ and the so-called ‘Dutch Dialogue Marketing Association’.
No concealed identities
In all cases the messages must include information on the true identity of the entity sending marketing information, as well as a valid address to which a request not to receive future messages can be sent.
Since no transition period exists, the new rules will also apply to data collected under the old regime. It is not entirely clear how strictly this will be applied; it will probably depend on circumstances. By way of example, an organisation may have collected customer data at the point of sale without offering an opt-out opportunity at that time. If the individual hasn’t objected to receiving e-mail marketing, one would reasonably argue that e-mail marketing should be allowed to continue on an opt-out basis, as long as future messages to these persons are limited to one’s own similar products and services and contain an unsubscribe option. If however, the legacy data was collected under different circumstances, the direct marketer might be required to approach these legacy contacts to obtain opt-in consent.
There are no specific rules relating to this. Based on the objective of the legislation we expect that the rules will at least apply to all messages sent to Dutch citizens and probably also to all Dutch organisations sending such messages.
Sending messages without obeying these rules is not a criminal offence, with the exception of the rules which prohibit concealing one’s identity and require provision of a valid opt-out address (which are punishable by fine). The other rules are to be enforced by both the telecom-regulator OPTA and the Dutch Data Protection Authority, using means of administrative coercion. In addition OPTA will establish a spam hotline. Of course, the Dutch Civil Code also provides for remedies.
The Dutch section of this article was written by Gerrit-Jan Zwenne and Louwrens Phoelich, Bird & Bird, The Hague.
The Directive on Privacy & Electronic Communications was implemented by the Personal Data Protection Code (legislative decree no. 196 dated 30 June 2003) which came into force on 1 January 2004. However, the basic principles contained in the Directive have been in force in Italy since May 1998, under a legislative decree (no. 181) which governed marketing contacts in the telecommunications sector. Last year (29 May 2003) the Garante, Italy’s data protection authority, issued authoritative guidance on spamming, affirming a general “opt-in” principle.
Individual and corporate subscribers
According to Art. 130 of the Code, any “unsolicited” marketing activity, such as direct marketing, carrying out market surveys or interactive business communication, addressed either to individuals or corporate entities, is allowed only on an “opt-in” basis. This applies to “unsolicited” electronic communications by e-mail, fax, SMS or MMS.
This also applies to promotional and marketing e-mails sent:
- to e-mail addresses created and used automatically by software without human intervention or any previous check of the activation of the e-mail address, or of the identity of the recipient even when such e-mail addresses prove not to exist
- to e-mail addresses harvested from the Internet (e.g. newsgroup or chat room) and to e-mail addresses available to the public for purposes other than promotional, e.g. e-mail addresses of university professors published only for institutional purposes
- by individuals for personal purposes on both a systematic and occasional basis.
The recipients, before giving their consent, must be duly informed of the purposes for which their data will be used: it is not permitted to ask for consent by e-mail if that e-mail itself contains promotional or advertising material/information or only gives the recipients an opt-out right. Consent must be free, specific and separate from other consents: it must also be express and evidenced in writing.
The Garante also recommends that the e-mails make clear that they are promotional.
A limited exception to the “opt-in” rule is granted to data controllers if all of the following conditions are met:
- the data controller only markets its own products and services
- e-mails are only sent to prospects with whom there has already been a sale or a negotiation for a sale
- prospects must not have objected to such use either initially or in connection with subsequent communications
- the marketing must be carried out by the same legal entity/individual that obtained the data subject’s details
- e-mails are only sent to data subjects who were offered an opt-out option, free of charge, when their details were first obtained.
This exception only applies to third parties carrying out marketing for clients if they are appointed as a data processor. It cannot be used in conjunction with bought-in lists. Here, the buyer must verify whether prospects have actually provided their consent to receive marketing materials.
E-mail opt-out registers
The Code does not establish a central register for registration of objections to direct marketing. However, such a register would serve little purpose under Italian law, as all e-mail marketing requires prior consent.
The Garante has welcomed an initiative by some operators to adopt an “opt-in” register, which allows subscribers to enter consent to receive different categories of commercial messages. Consent to receive commercial e-mails can be withdrawn.
No concealed identities
Marketers must not disguise or conceal their identity when they send promotional e-mails and must always provide a valid address to which the recipients can send an opt-out message and a request to exercise their rights.
Data subjects’ rights
In addition to these rights that apply specifically to e-mails, any data controller must respect general data protection rights. In particular the subjects’ right to:
- object to the processing of personal data for sending advertising materials or direct selling or for market/commercial communication surveys
- obtain confirmation as to whether or not personal data exists and to obtain a copy of such data in intelligible form
- be informed about the source/purposes/methods/logic of the processing and about the recipients of such data
- require updating, rectification or integration of the data
- require erasure, anonymisation or blocking of data that has been processed unlawfully.
The rules apply equally to new data collected after 1 January 2004 and e-mail data collected before that date, i.e. to historic data. Data controllers may continue to use historic data for direct marketing by e-mail only if this already complies with the new Rules, or falls within the opt-out exemption. In other cases they will need to re-approach contacts to obtain opt-in consent with the risk of getting very few positive returns.
The Code applies to data controllers established in Italy (including where data is physically held abroad) or in a place governed by Italian sovereignty, and to data controllers established outside the European Union that use equipment in Italy (unless such equipment is used only for purposes of transit through the European Union).
Data subjects (individuals or others) may seek compensation from the data controller marketer for breach of the Code if they have suffered “damage”. Since this entails proving physical or economic loss for unsolicited direct marketing, it is going to be of limited application.
The Garante may also require the data controller to block processing, or order the data controller to take such measures as are necessary or appropriate to comply or enforce lawful data processing, on its own initiative or as a result of a complaint by an affected person. In case of persistent breach of the provisions concerning electronic communications, the Garante may also order the provider to implement filtering procedures or other measures for electronic mail used to send the communications.
Breach of the Code may be punished by fine (in particular, up to EUR 90,000 for providing no or inadequate information). Unlawful data processing may be punished by imprisonment.
The Italian section of this article was written by Debra Stella, Bird & Bird Milan.
Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.