Proposed Amendments to "E.Privacy" Directive

These are outlined in the Report from the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, (A5-0270/2001) which according to procedure includes the Opinions of the Committee on Legal Affairs and the Internal Market, the Committee on Industry, External Trade, Research and Energy, and the Committee on the Environment, Public Health and Consumer Policy.

(Amendment 1) The report starts out promising enough, proposing an additional Citation:

having regard to Articles 7 and 8 of the European Union Charter of fundamental rights, proclaimed in Nice on 7 December 2000, which seek to guarantee respect for private life and communications, including personal data,

(Amendment 18) and then goes on to propose additional text (in bold italics) to Recital 21:

Safeguards should be provided for subscribers against intrusion of their privacy by means of unsolicited calls, telefaxes, electronic mails and other forms of communications for direct marketing purposes. Member States may limit such safeguards to subscribers who are natural persons. The proposal to include unsolicited commercial electronic communications in the scope of article 13.1 is essential in order to deal with the specificities of electronic messaging. The costs and "nuisance factor" involved in unsolicited commercial electronic messages, particularly on mobile devices, is substantially greater than offline postal mail. The proposal of a ban on unsolicited commercial electronic communications should not, therefore, infer any alteration to provisions of Community law relating to offline commercial communications.

Justification

La nature spécifique du courrier électronique et des nuisances qui peuvent découler du traitement du courrier non sollicité, justifie pour ce type de communication une tutelle accrue de protection de la vie privée.

[The specific nature of email and the nuisances which can result from the handling of unsolicited email justify additional measures to protect privacy for this type of communication.]

(Amendment 19) So far, so good, but the rot starts here, with a proposed additional Recital (21a):

Member States' possibilities for taking legal action on their own in respect of unsolicited electronic communications are limited and imply international cooperation. It also makes a big difference whether the sender has used a static or a dynamic address. A system which prohibits the sending of messages without the recipients' consent (opt-in) is not effective on its own. The sector concerned should be encouraged to draw up common rules, if necessary having the same status as that provided for in Article 27 of Directive 95/46.

Justification

The main aim of the fight against unsolicited communications is that service providers should develop filter programs. Unfortunately, there are many examples showing that recipients in countries with opt-in systems receive large quantities of spam in spite of the rules. It is therefore more important, with regard to individual members of the public and consumers, that service providers have a strong interest in improving their service. If need be, models and good practice guidelines could be drawn up within the remit of the Article 29 Working Party.

Ah, so "filters" are to be the answer. So senders of UCE are not to be inhibited legally from pounding servers with their spew which in any case never reaches the intended recipients, assuming the filters are effective.

(Amendment 20) But supposedly there is no need for any further legislation, according to this additional proposed Recital (21.b):

Spamming – the bulk sending of untargeted unsolicited emails – is already covered by special protection measures, in particular by Article 7(1) of Directive 2000/31/EC, by Articles 6 and 7 of the general data protection Directive 95/46/EC, by Directive 84/450/EEC on misleading advertising and by Directive 93/13/EC on unfair terms in consumer contracts.

Justification

Existing, current legislation can be used to combat spam and, therefore, there exists no need for a new, rigid and cost-increasing legislation that most likely will not have an effect on spam.

"Cost-increasing" to whom, pray? A ban on Unsolicited Commercial Email would not affect those who already practice "permission-based" marketing in the slightest, whilst giving the aggrieved recipients and their providers the legal means to stop those who have no respect for privacy or others' property. "Existing, current" legislation either does not apply to spam or spamming practices, or is difficult and expensive to enforce. Part of the difficulty (not to mention expense) arises from the fact that little or no specific legislation is in place.

(Amendment 41) An additional "preamble" is to be added to Article 13:

- 1. Personal data treatment for unsolicited communications is regulated by the General Data Protection Directive 95/46/EC)

Justification

General directive 46/95/EC already enables it to be established when the processing of personal data for unsolicited communication is lawful, according to "principles relating to data quality". The general directive also establishes a series of criteria for "making data processing legitimate" (e.g. when "unambiguous consent" of the data subject is expressed, but also when public data, freedom of expression or vital interests of the data subject are involved), that it would be wrong (and technologically "non-neutral") to eliminate on technological grounds. Opt-in and opt-out systems are both used in the Member States, and the subsidiarity principle would tend to argue against the imposition of a common practice, which would in any case co-exist with hundreds of national legislations around the world. Opt-out systems are already specified by the e-commerce Directive (2000/31) and the Distance-selling Directive (97/7).

But does the sending of UCE to addresses gathered without the data subject's knowledge or consent constitute a "legitimate" processing of personal data? The European Commission, the Article 29 Working Party, and the French National Commission for Data Processing and Liberty don't think so, nor do we.

(Amendment 42) But now we get to the heart of the matter. Article 13 is now to read:

1. The use of automated calling systems without human intervention (automatic calling machines) or facsimile machines (fax) for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

Justification

An opt-in solution for e-mail marketing will penalise responsible marketers, but not stop illegitimate ones from continuing to send unsolicited emails. Spamming is already covered by special protection measures including Article 7 (1) of Directive 200/31/EC and Articles 6 and 7 of the general data protection Directive 95/46/EC. Stricter legal requirements will only have the effect of reducing the impetus for business to develop effective software solutions within the EU.

"Responsible" marketers have already embraced the "permission-based" model, those who haven't are by definition irresponsible. This goes particularly for the on-line vendors who won't take "no" for an answer, neither in the initial contact, nor in honouring subsequent "remove" requests.

Apart from that, if the "software solutions" really are "effective", then the punters will never see the spew in the first place. But who is supposed to pay for the development of these software solutions? That's right, the subscribers of Internet Service Providers.

(Amendment 43) It gets even better, with a warmed-over bit from the E.Commerce Directive followed by a piece of purported reasoning breathtaking in its cluelessness:

1a. In addition, Member States shall take appropriate measures to ensure that other commercial communications by a service provider established in their territory shall be identifiable clearly and unambiguously as such, as soon as it is received by the subscriber.

Justification

The Distance Selling Directive in Article 10 establishes the opt-in system (consumer’s prior consent) for faxes or automatic call systems. However, it specifies the opt-out system for other electronic communications (which includes e-mail messages). The Proposed Directive defends the opt-in system for the sake of supposed increased harmonisation among all European countries. However, it will only harm e-commerce in Europe vis-à-vis other parts of the world. Moreover, Article 7.2 of the E-commerce Directive also establishes that the opt-out system shall apply. This will lead to great uncertainty for ISPs and a serious lack of consistency among different EU pieces of legislation.

It is understood that the objective of the European Commission is to combat so-called spamming. However, sending direct marketing via e-mail should be considered as a legitimate business activity since it involves something that is completely different from spamming. The spamming should not be considered as a direct marketing activity, since, in the majority of cases, the spammed consumer cannot identify the origin of his data.

The opt-out system will promote e-commerce in Europe, one of the major objectives of the eEurope initiative. The opt-in system will be a barrier to the same and will help encourage direct marketing companies to set up their business outside the European Union, where the legislative framework allows the opt-out for direct marketing purposes.

The failure to include like with like was, is, and remains a mistake explainable (if not necessarily justifiable) by the fact that the deliberations took place four or five years ago, when there were far fewer Internet subscribers than now. Email should have been included together with those media (fax and automatic calling systems) where tireless automata pound on human beings whose endurance is limited. The present mess represented by the E.Commerce Directive is one of the areas of legal uncertainty which the Commission tries to address. The lack of consistency will in no way be ameliorated by these amendments. As the Commission put it:

Four Member States already have bans on unsolicited commercial e-mail and another is about to adopt one. In most of the other Member States opt-out systems exist. From an internal market perspective, this is not satisfactory. Direct marketers in opt-in countries may not target e-mail addresses within their own country but they can still continue to send unsolicited commercial e-mail to countries with an opt-out system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market is unworkable in practice. A harmonised optin approach solves this problem.
[See overview of legal situation as of May 2002]

Concerning spamming, the Committee's attempt to muddy the waters is disingenuous at best, mendacious at worst. Sending direct marketing material via email may indeed be considered a "legitimate business activity" involving something completely different from spamming if and only if the recipient had given permission. Otherwise there is no difference. Permission is what distinguishes the welcome guest from the unlawful intruder. Guests don't force their way into people's homes, legitimate marketers don't force their messages on to people who haven't asked (but are nevertheless required to pay) for them.

We are expected to believe that "the opt-out system will promote e-commerce in Europe" although it is not easy to see how, when many are afraid that their personal data will be misused to an even greater extent than they are now. "Permission-based" marketing on the other hand, is about establishing and maintaining trust: something that spamming (that's right, spamming) destroys. Who wants to do business with someone whose initial approach is based on trespass or theft by conversion? In this context, it is useful to recall:

(Amendment 44) But the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs chooses to serve up another warmed-over bit from the E.Commerce Directive, with the same 'justification':

3. Member States shall ensure that service providers undertaking unsolicited commercial communications by means others than those in paragraph 1 regularly consult and respect the opt-out registers in which natural persons not wishing to receive such commercial communica [sic]

The bit "can register themselves" seems to have been left out of the English-language versions of the working drafts, and this omission has been carried over to the published final report. In any case, it was never clear just how many of these "opt-out registers" were to be set up. There appears to be nothing to stop the proliferation of hundreds or thousands of these. This ambiguity was forcefully illustrated in early drafts of legislation to implement the E.Commerce Directive in Spain: senders of UCE were to consult at least once a month either an external 'opt-out' list or one they maintain themselves.

(Amendment 45) A few words added to the original Commission draft (shown in bold italics):

2. Member States shall take appropriate measures to ensure that, free of charge and in an easy and clear manner, unsolicited communications for purposes of direct marketing, by means other than those referred to in previous paragraphs , are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

(Amendment 46) An interesting bit which is similar to provisions in actual state and proposed Federal legislation in the United States:

2a. The practice of sending electronic messages for the purpose of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made shall be prohibited.

Justification

The explicit reference to the fraudulent practice of disguising the identity of the sender could strengthen anti-spam efforts, also if not only the general directive, but also other directives already protect the consumer (84/450 on misleading advertising, 93/13 on unfair terms in consumer contracts and 98/6 on the indication of prices).

This, while welcome, does not completely address the problem of "mainsleaze": where senders still flood servers and mailboxes with unsolicited advertisements which the recipients end up paying for.

(Amendment 47) Last, but not least:

2 b Senders of unsolicited electronic mail shall supply with their messages an address to which the recipient may send a request that such communications cease.

No justification is offered. That "single-case opt-out" just doesn't scale has apparently not occured to certain members of the Committee. As the authors of the study prepared for the European Commission put it:

By allowing the recipient to register his objection only after the event i.e. after the initial prejudice has been suffered, the opt-out approach deprives Internet users of their rights over their own mailboxes.

Amendments Tabled Before Plenary Session

Additional amendments can be tabled by MEPs who are not members of the Committee issuing the report.

(Amendment 53) The famous "opt-in" amendment: unnecessary overkill on the one hand, nil protection on the other. The only use it had was to stop the Parliamentary juggernaut and force a re-think.

1b. Member States shall ensure that service providers undertaking unsolicited commercial communications by means other than those in paragraph 1 only use the opt-in registers in which natural persons wishing to receive such commercial communications are listed. Undertakings will be obliged to include in every electronic commercial communication how and where the receiver can unsubscribe from such lists or withdraw his given consent, free of charge. Such undertakings will be allowed to send, a maximum of two times a year, unsolicited electronic communications asking natural persons for consent to send further commercial communications via email.

Justification

The EU’s hard-fought, leading role in the world mobile telecommunications market is under considerable threat. Burdening the industry with the consequences of spam will force the EU’s industry to concede this advantage. For example, research undertaken by Ovum has concluded that the spam, "...could kill the wireless market."

Every piece of reputable research undertaken on the issue has clearly found that (i) consumers view unsolicited commercial e-mail as a serious breach of their privacy and a nuisance and (ii) that industry is increasingly turning to permission-based marketing as their most effective tool. Anti-spam legislation will help EU industry adapt more quickly to this reality.

While Directive 95/46/EC theoretically covers trafficking of e-mail addresses, it has been proved completely impossible to implement this Directive under an opt-out regime. Recital 30 of Directive 2000/31/EC (the 'E-Commerce Directive') also states: "Unsolicited commercial communications by electronic mail should not result in additional communication costs for the recipient." A European Commission study has found that these communications are costing EU citizens € 10 billion [EUR 1E10] per year.

To take the last assertion first, the figure of EUR 10,000 Million from the European Commission study "Unsolicited Commercial Communications and Data Protection" (Page 67) was given as a global cost, not one confined to net.users in the EU alone.

The requirement that "only opt-in registers..." be used is completely unnecessary. As long as the recipient has knowingly given consent (and this can be demonstrated) an additional requirement that the same recipient should "register" in some external "opt-in list" is absolutely redundant.

The provision that enterprises be allowed to send unsolicited messages no less than twice a year goes entirely against the sense and purpose of a supposedly "opt-in amendment". Not only is there, apparently, a total absence of even the half-hearted "protection" offered by "opt-out", the hapless user could very soon become overwhelmed by continued solicitations to allow commercial email. Look at the numbers again: a full-time occupation consisting of nothing put pressing the "delete" key can be guaranteed by only half the Small-to-Medium-scale Enterprises ("SMEs") taking advantage of this offer. This calculation leaves out the 9 million sole traders and 8 million "very small" enterprises who could understandably be very tempted to make use of Parliament's largesse at the expense of ordinary consumers holding email accounts.

(Amendment 60) Labeling and "single-case opt-out" rinsed and repeated.

1a. In addition, Member States shall take appropriate measures to ensure that other commercial communications by a service provider established in their territory are identifiable clearly and unambiguously as such, as soon as they are received by the subscriber. Undertakings will be obliged to include in every electronic commercial communication how and where the receiver can unsubscribe from such lists or withdraw his given consent, free of charge.

Justification

[same as for Amendment 53]

The reader might well be forgiven for having expected better than the lame offering above, given the rhetorical flourishes in the Justification, yet this, too, passed the roll call vote. Privacy will never be protected so long as email addresses, regardless of provenance, regardless of whether they were obtained "fairly and lawfully" or not, can be used in such a way as to force costs and overheads onto the data subject. Given sufficient volume, the data subject's mailbox would easily become effectively useless, something which could never be interpreted as being in that person's interests.

Second Time Around: Proposed Amendments

Parliament referred the report back to the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs. A draft Second Report appeared on 11 October and was put to the vote on 22 October. Of interest to us are the proposed Amendments to Article 13:-

1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax), electronic mail or SMS (short messages service available on mobile phones) for the purpose of direct marketing may be only allowed in respect of subscribers who have given their prior consent.

Once again email is to be "opt out", yet a similar misuse of personal data via mobile phone is to be prohibited. This latter provision is badly-written and too specific: the current system for short text messages is mentioned, but the next-generation EMS (extended messaging service) is apparently not covered.

2. Member States shall take appropriate measures to ensure that, free of charge, and in a easy and clear manner, unsolicited communications for purposes of direct marketing, by means other than those referred to in paragraph 1, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

Nowhere does the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs address the European Commission's concerns about the unsuitability of the 'national choice' approach to the requirement for recipients' prior consent to advertising by email:-

"From an internal market perspective, this is not satisfactory. Direct marketers in opt-in countries may not target e-mail addresses within their own country but they can still continue to send unsolicited commercial e-mail to countries with an opt-out system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market is unworkable in practice."
[See overview of legal situation as of May 2002]

At least the nonsensical labeling requirement has not been carried over from the E.Commerce Directive. But there's more:-

The practice of sending electronic messages for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

The original intention is to facilitate 'single-case opt-out', which in any case does not scale. (Are you really up to issuing 1, 9, or 18 million 'opt-out' "requests"?) Nevertheless, as a means whereby an innocent third party whose address is forged into the From: line of UBE can take legal action, this provision could be welcomed.

As from 30 months after the entry into force of this Directive, subscribers have the right to ask from providers of electronic communications services to use technical solutions which allow them to view the sender and subject line of electronic mails, and also to delete them, without having to download the rest of the electronic mail's content or any attachments.

This appears to be based on AOL's mail handling system, which the rest of the industry regards as being somewhat obsolescent. Subject lines are often deliberately made to be misleading, so it is quite probable that the recipient will end up having to download anyway. The presence of large attachments would not necessarily be indicated. Since these can take a long time to download and can contain malicious code, this provision actually offers inadequate protection.

Owners/operators of Windows boxen don't have to wait at all for such a "technical solution": a freeware application called POP3 Scan Mailbox offers this kind of function with the additional possibility of examining all or part of a suspect message. Similar functionality has long since been available for other operating systems. It should be noted that online mailbox administration can be very costly in connect time, however. More connect time can be spent deciding and marking for deleteion than the messages would have taken to be downloaded.

In any case, the automatic 'reply' feature would not be available for messages which are deleted. In other words, a message would have to be downloaded before the 'reply to remove' facility provided for in the previous paragraph could be utilised.

A further source of inspiration for the Committee's proposed amendment comes from some Web-based mail systems offering "anti-spam" filtering capability. Here again, it must be mentioned that perusing one's email online through a web browser can become a very expensive pastime on a metered connection.

It should be noted that such utilities or systems by themselves cannot and do not deal with the problem of chronic mailbox overload, something the offerings from the Committee on Citizens' Freedoms and Rights, Justice and Home Affairs do little to prevent.

An amendment tabled prior to the plenary session was accepted and included:-

1a. Notwithstanding paragraph 1, if companies obtain communication details for electronic mail directly from their customers, in the context of the purchase of a product or a service, in accordance with Directive 95/46/EC, they may use those communication details for direct marketing of their own products or services, provided customers have the right to stop, free of charge, in an easy manner and at any time, such use of communication details.

And this is supposed to inspire consumer confidence in electronic commerce? "Buy online!! And get spammed until you beg them to stop!!"

At least the remedy to this is relatively simple: there are services reachable via the links to "Special Email Services" which allow the user to generate any number of 'disposable' addresses - very useful for dealing with online vendors who don't want to respect the Purpose Principle of the Data Protection Directive.

The entire pig's breakfast was accepted by Parliament for First Reading and forwarded to the Council.

Common Sense: The Council's View

Article 13 - Unsolicited communications

1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

SMS and other messaging systems based on mobile telephony are covered, according to the definition of "electronic mail" in Article 2(h):

"electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.

2. Irrespective of paragraph 1, where a natural or legal person obtains communication details for electronic mail directly from its customers, in the context of the purchase of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these communication details for direct marketing of its own similar products or services, provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, such use of communication details when they are collected and at the occasion of each message in case the customer has not initially refused such use.

Two things stand out here:

1. "their own similar products or services" means that the spectre of being flooded with promotion material from any and all divisions of a major conglomerate when making online purchases recedes, and
    
2. the rights of the online purchaser to opt-out of receiving promotional material at the time of purchase are clearly defined.

3. Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, by means other than those referred to in paragraph 1, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.

"National Choice" for snail mail and telemarketing. Sicut erat in principio...

4. In any case, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

One would hope that this issue would never arise, but those seeking to get around the law by means of header forgery, "cloaking" or other deception are put on notice that such activity in and of itself is not to be allowed.

5. Paragraphs 1 and 3 shall apply to subscribers who are natural persons. Member States shall also ensure, in the framework of Community law and applicable national legislation, that the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.

6. The European Commission shall submit to the European Parliament and the Council, not later than three years after the date of implementation of this Directive by Member States, a report on the effects on consumers and economic operators of this Article, taking into account the international environment. Where appropriate, the Commission shall submit proposals for the modification of this provision to take account of the results of the abovementioned report and any changes in the sector and any other proposal it may deem necessary.

All emininently reasonable, and Something We Can Live With. It only remains to persuade Parliament to leave well enough alone.

Usual Nonsense: The Committee's View Again

So as not to be accused of inconsistency, our favourite Committee on Citizens' Freedoms and Rights, Justice and Home Affairs in its latest report proposes to serve up the same unworkable mess it proposed for First Reading, albeit by a smaller margin this time.

The directive proposal moves on to the Plenary session scheduled between 13 and 16 May. An absolute majority (314) would be required in order to overturn the Council's Common Position and initiate the Conciliation Procedure.

Disharmony of varying national régimes is guaranteed by the amendments proposed in the Committee's report. See overview of legal situation as of May 2002.