This paper considers whether the Directive on Privacy and Electronic communications (2002/58/EC) has led to a harmonised approach to e-mail marketing in seven EEA countries.
This is the third part of a three part paper. In Part I we looked at the UK and France, Part II looked at Belgium and Germany and here we look at Italy, The Netherlands and Sweden.
Italy (Debora Stella, email@example.com)
The Directive was implemented by the Personal Data Protection Code which came into force on 1 January 2004.However, the basic principles contained in the Directive have been in force in Italy since May 1998, under a legislative decree which governed marketing contacts in the telecommunications sector. Last year (29 May 2003) the Garante, Italy’s data protection authority, issued authoritative guidance on spamming, affirming a general “opt-in” principle.
Individual and corporate subscribers
According to the Code, any “unsolicited” marketing activity, such as direct marketing, sending advertising materials, carrying out market surveys or interactive business communication, addressed either to individuals or corporate entities is allowed only on an “opt-in” basis. This applies to “unsolicited” electronic communications by e-mail, fax or SMS.
This applies also to promotional and marketing e-mails sent:
to e-mail addresses created and used automatically by software without human intervention or any previous check of the activation of the e-mail address, or of the identity of the recipient, and even when such e-mail addresses prove not to exist
to e-mail addresses harvested from the Internet, e.g. newsgroup or chat room, and to e-mail addresses available to the public for purposes other than promotional purposes, e.g. e-mail addresses of university professors published only for institutional purposes
by individuals for personal purposes on a systematic basis, not only occasionally
The recipients, before giving their consent, must be duly informed of the purposes for which their data will be used: it is not allowed to ask for consent by e-mail if that e-mail itself contains promotional or advertising material/information or gives the recipients only an opt-out right. Consent must be free, specific and separate from other consents: it must also be express and proved in writing.
The Garante also recommends that the e-mails make clear that they are promotional.
A limited exception to the “opt-in” rule is granted to data controllers if all of the following conditions are met:
the data controller only markets its own products and services
e-mails are only sent to prospects with whom there has already been a sale or a negotiation for a sale
prospects must not have objected to such use either initially or in connection with subsequent communications
the marketing must be carried out by the same legal entity/individual that obtained the data subject’s details
to data subjects who were offered simple opt-out, free of charge, when their details were first obtained
This exception only applies to third parties carrying out marketing for clients if they are appointed as a data processor.It cannot be used in conjunction with bought-in lists. Here, the buyer must verify whether prospects have actually provided their consent to receive marketing materials.
E-mail opt –out registers
The Code does not establish a central register for registration of objections to direct marketing. However, such a register would serve little purpose under Italian law, as all e-mail marketing requires prior consent.
The Garante has welcomed an initiative by some operators to adopt an “opt-in” register, which allows subscribers to enter consent to receive different categories of commercial messages. Consent to receive commercial e-mails can also be withdrawn.
No concealed identities
Similar provisions apply to those described above under French law.
The rules apply equally to new data collected after 1 January 2004 and e-mail data collected before that date, i.e. to historic data. Data controllers may continue to use historic data for direct marketing by e-mail only if this already complies with the new rules, or falls within the opt-out exemption. In other cases they will need to re-approach contacts to obtain opt-in consent with the risk of getting very few positive returns.
The Code applies to data controllers established in Italy (including where data is physically held abroad), in a place under the Italian sovereignty or to data controllers established outside the European Union who use equipment in Italy (unless such equipment is used only for purposes of transit through the EU).
Data subjects (individuals or not) may seek compensation from the data controller marketer for breach of the Code if they have suffered “damage”. Since this entails proving physical or economic loss for unsolicited direct marketing, it is going to be of limited application.
The Garante may also require the data controller to block the processing, order the data controller to take such measures as are necessary or appropriate to comply, enforce lawful data processing on its own initiative or as a result of a complaint by a person affected. In case of persistent breach of the provisions concerning electronic communications, the Garante may also order the provider to implement filtering procedures or other measures for electronic mail used send the communications.
Breach of the Code may be punished by fine (in particular, up to €90,000 for providing no or inadequate information). Unlawful data processing may be punished by imprisonment.
On Wednesday 23 June 2004, there was the very first Court decision on spamming: for the first time a company has been condemned by a Court to pay damages (€1,000, plus €750 as reimbursement for legal expenses) for unsolicited commercial e-mails sent without the prior consent of the recipients.
Unfortunately the judgment is not yet available, but the principles stated (as reported by the newspapers) may be summarised as follows:such behaviour is a violation of the data protection legislation as it is improper and illicit processing as well as an illegitimate interference in the recipient’s privacy. Therefore, the company, whose employees carried out such unlawful processing, was condemned to pay both damages judgment in favour of the recipient who sued the company.
The Netherlands (Gerrit-Jan Zwenne, firstname.lastname@example.org)
The Dutch government did not succeed in implementing the Directive on time. On 28 October 2003 the Lower House of the Dutch parliament adopted a legislative proposal to amend the Dutch Telecommunications Act of 1998. This was adopted by Parliament on 22 April 2004 and entered into force on 19 May 2004. With this amendment the new EC Telecommunication Directives including the Directive have been implemented.
The amended Act introduces an opt-in regime for individual subscribers. Direct marketing material (which includes non-commercial and charitable advertising) may not be sent by Electronic-message, (e.g. e-mail), SMS, fax or automatic calling machines to individual subscribers unless recipients have previously notified their consent. The burden of proof of the subscriber’s consent is explicitly placed on the sender.
Answers to Parliamentary questions made clear that consent must be sought by the person wishing to carry out the marketing; it is not possible, or in line with the goal of the Directive, to ask for consent to forward the personal data to another sender.
As an exception to the opt-in rule, an opt-out regime can be used with respect to messages sent to individuals with whom the sender has had prior contact in the context of selling its goods or services, if:
the individual was offered an opt-out (free of charge) when his details were first obtained
the individual is offered the possibility to opt-out under the same conditions in each message sent to him
the marketing material is about the sender’s own and similar, products or services
In relation to the last point the minister stated that the interpretation of ‘similar products and services’ should be based on the objective expectations of the person buying the product or services. Given this it becomes useful to provide, at the time of selling, information to the buyer about those similar, or not so similar, products and services about which he might receive messages in the future. In other words: if you tell your wine-buying customer that you also offer packaged holiday trips to, e.g. Bordeaux, it is more likely that these will qualify as ‘similar’.
Both the opt-in rule and the opt-out rule are limited to natural persons. However, this does include natural persons within companies.
E-mail opt –out registers
In The Netherlands there are several industry-organised opt-out registers for most types of direct marketing material, including ordinary mail. Since these self-regulation initiatives seem to be working rather well, the government does not feel the need to organise such a register itself. The respective organisations are the ‘Stichting Zelfregulering DM’ () and the ‘Dutch Dialogue Marketing Association’ ().
In June 2004, a number of Dutch direct marketing organisations agreed upon a Code of Conduct regarding e-mail marketing. This code sets out specific rules regarding such e-mail messages (e.g. max size <50kb, unless the receiver has consented to larger messages). Further, the code enables receivers of the e-mail to submit complaints to an authority in charge of the dispute settlement regarding commercials and the like (“Reclame Code Commissie”).
No concealed identities
In all cases the messages must include information on the true identity of the entity sending marketing information, as well as a valid address to which a request not to receive future messages can be send.
Since no transitional provisions exist, the new rules will apply also to data collected under the old regime. It is not entirely clear how strictly this will be applied; this will probably depend on the circumstances. By way of example, an organisation may have collected customer data at the point of sale offering an opt-out opportunity at that time. If the individual has not objected to receiving e-mail marketing, one wouldreasonably argue that e-mail marketing should be allowed to continue on an opt-out basis, as long as future messages to these persons are limited to one’s own similar products and services and contain an unsubscribe option.
There are no specific rules on this. Based on the objective of the legislation we expect that the rules will at least apply to all messages sent to Dutch citizens and probably, as well, to all Dutch organisations sending such messages.
Sending messages without obeying these rules is not a criminal offence, with the exception of the rules which prohibit concealing one’s identity and require provision of a valid opt-out address (which are punishable by fines). The other rules are to be enforced by both the telecom-regulator OPTA and the Dutch Data Protection Authority. In addition, OPTA will establish a spam hotline.
In a recent case on 12 March 2004 the Dutch Supreme Court has supported Internet Service Provider XS4ALL, to rule that the property rights of the provider outweigh a direct marketing agency’s right of freedom of commercial expression, therefore permitting the provider to take measures to ban spam.
In response to concerns expressed by a number of members of parliament the Dutch Independent Post and Telecommunications Authority (“Onafhankelijke Post en Telecommunicatie Autoriteit” or “OPTA”) has been given tasks. Complaints regarding spam can be submitted through a special website ().
Sweden (Jim Runsten email@example.com)
The Directive was implemented and came into force on 1 April 2004 through a bill of changes to the Swedish Marketing Practices Act concerning unsolicited marketing via e-mail (the “New Regulations”).
The previous legal position
Until the Directive was implemented direct marketing activities were governed by the Swedish Personal Data Act, (as regards direct marketing directed at individuals), and the Swedish Marketing Practices Act(as regards all marketing performed in the course of trade).
According to the Swedish Personal Data Act, personal data may either be used with consent from the individual or, in some exceptional cases, without consent. Personal data may, however, never be used for direct marketing purposes if the individual has objected to this. The Marketing Practices Act has an opt-in rule for unsolicited direct marketing via fax or automatic calling systems and an opt-out rule for other methods of remote communication, e.g. telemarketing.
The New Regulations
The New Regulations introduce an opt-in regime for individual subscribers. Direct marketing material may not be sent by e-mail to individual subscribers unless recipients have previously notified their consent.
There is an exception to the opt-in regime, which allows the continued use of an opt-out (referred to as a “soft opt-in”) provided that the direct marketing is:
only applied to marketing contacts with whom there has already been a sale
carried out by the same legal entity that obtained the individual’s details
limited to similar products and services
to an individual who has not objected to the use of their e-mail address for direct marketing
who was offered an opt-out when their details were first obtained and then every time the details are used for direct marketing
(All these criteria must be met for the soft opt-in to be applicable). Registers and lists that have been purchased from third parties do not qualify for the soft opt-in exemption.
Direct marketers should note that the opt-in rule is not limited to “consumers”. It applies to all non-corporates, i.e. unregistered partnerships and sole traders have the same rights as private individuals. Accordingly, the New Regulations do to some extent apply to B2B marketing.
The opt-in rule applies to “unsolicited” direct marketing via systems without personal contact. The Swedish government has chosen to keep the opt-out rule for other methods of remote communication, e.g. telemarketing, in the New Regulations.
The opt-in rule does not apply to corporate subscribers. These include companies, registered partnerships and other entities that have separate legal identity.
The New Regulations prescribe that all direct marketing contains a valid address which the recipient, whether a natural or legal person, can use to request that the marketer cease sending marketing material. Where the sending of marketing material to an employee of a company includes the processing of personal data (as it would if the direct marketer knows the name of the person they are contacting, e.g. firstname.lastname@example.org, not email@example.com), then that individual also has a right under the Swedish Personal Data Act to request that the marketer cease sending him marketing material.
E-mail opt-out registers
Since all individuals have to opt-in according to the New Regulations, the New Regulations do not establish an opt-out register.
No concealed identities
Similar provisions apply to those under French law described above.
The new Regulations will apply equally to new data collected after 1 April 2004 and e-mail data collected before that date, i.e. to historic or “legacy” data. Such legacy data for direct marketing to individual subscribers may only continue to be used if it falls within the provisions of the soft-opt in exemption. If the soft opt-in exemption cannot be relied on then, strictly speaking, the marketer would need to re-approach the legacy contacts to obtain opt-in consent with the risk of getting very few positive returns.
The Swedish Consumer Agency is the supervisory authority for the Swedish Marketing Practices Act of which the New Regulations will form a part. The Consumer Agency and its Director General, the Consumer Ombudsman, will apply the New Regulations to all marketing activities directed to the Swedish market in accordance with a position statement regarding e-commerce and marketing on the Internet from October 2002.
This looks, in particular, at:
the language of the marketing
currencies and other national characteristics used
whether the goods/services are generally marketed in the territory
whether there are links to off-line marketing in the territory
whether the business will enter into contracts with consumers from the territory.
It should also be noted that data controllers’ compliance with the Swedish Personal Data Act is monitored by the Swedish Data Inspection Board. This has jurisdiction where data is processed in or transferred from Sweden.
Both individuals and legal entities, may seek remedy from the marketer for breach of the New Regulations. There are three types of remedies:
injunction against the continuance of the marketing activities under penalty of a conditional fine
compensation for damages,
a fine for disruptive marketing practices
The Consumer Ombudsman may take enforcement action on his own initiative or as a result of a complaint from a person affected by the marketing. The Consumer Ombudsman can demand an order for the marketer to provide information or an injunction against the continuance of the marketing activities under penalty of a conditional fine. The Consumer Ombudsman can also demand that the marketer pay a fine for disruptive marketing practices if the marketer or any person acting on its behalf intentionally or negligently breaches the New Regulations.
Orders and injunctions combined with a conditional fine may be issued by the Consumer Ombudsman himself in cases of minor importance. (What amounts to a case of minor importance is not defined in the Marketing Practices Act).
1 Legislative decree no. 196 dated June 30, 2003
2 No. 181
3 Available in Dutch at
7 The Position Statement on e-commerce and marketing on the Internet can be found on .