EuroCAUCE - Fighting European Spam
E.Privacy Directive
 

Draft Communications Data Protection Directive COM(2000) 385

Article 13(1.)

The European Coalition Against Unsolicited Commercial Email wholeheartedly supports the extension of the 'prior permission' requirement for fax and automated calling systems to email. We have always been in favour of grouping like with like: systems where tireless automata with the capability of overwhelming the hapless recipient with a flood of messages require stronger regulation than those which are inherently limited by factors of cost and human endurance. We understand and are in accord with the Commission's endeavours to create a more harmonised environment throughout the EEA where already 5 EU Member States[1] and one EFTA Member State[2] have adopted measures effectively prohibiting unsolicited advertising email[3].

We concur with the Article 29 Working Party's observations concerning the data protection issues raised by unsolicited commercial communications[4]:

  1. that there should be transparency and honesty in requesting, obtaining, and ultimate use of email addresses supplied by users voluntarily, and
     
  2. that gathering addresses from public spaces would be contrary to the principles outlined in Schedules 1 and 2 of the Data Protection Act of 1998.

In compiling lists for sending unsolicited advertising email, the requirement that personal data be processed "fairly" would not appear to be fulfilled, nor the requirement that data provided for one purpose not be processed in a manner incompatible with that purpose. "Balance of interests"[5] would appear to be not in favour of processing given the cost imbalance and potential disruption to the recipient or data subject.[6]

The use of 'opt-out lists' would not appear to offer adequate protection to the data subject. For one thing, it is technically possible with a minimum of effort effectively to read out the contents of the database. The only scheme proposed in the UK (the (US)DMA's eMail Preference Scheme) has other problems in addition:

  1. There are no absolute requirements for would-be senders of Unsolicited Bulk Email to use it. Unlike other forms of direct advertising, the costs of entry are so low that senders of UBE are unlikely to join an association and abide by its rules,
     
  2. the particular implementation appears to be hedged about with unnecessary restrictions, and the data subject is required to renew the "subscription" periodically, and
     
  3. the database used is not located within the EEA and therefore not subject to European legislation concerning the protection of personal data.

One address-gathering practice not specifically mentioned in Article 29 Working Party documents is the automated querying of mail services using various combinations of common names, initials, and numbers. Sometimes known as 'dictionary attack' or 'dictionary spamming', this would also appear not to be in accordance with data protection principles: here data relating to persons is indirectly extracted by an effective misuse of the transfer protocols. This would certainly seem to be in violation of the Data Protection Principles as to gathering personal data without the data subjects' knowledge or consent. The practice itself is abusive. In extreme cases, it can cause overload of servers with resultant outages or deterioration of service. In addition to the direct costs of receiving those messages which actually get through, the subscribers of the affected Internet Service Provider ultimately end up bearing the costs as provider overheads are transposed into increased service charges.

The service providers are left in the uncomfortable position of effectively having to protect other Internet users from the consequences of their own customers' possible violation of the principles embodied in the Data Protection Act. A real source of friction arises between those customers who want to send Unsolicited Bulk Email and the providers whose Terms of Service/Acceptable Use Policies categorically ban the practice. The would-be senders of Unsolicited Bulk Email cannot understand why the provider explicitly prohibits an activity which otherwise appears to be 'legal'.

There exists a danger when protection from the consequences of the misuse of individuals' personal data has to be afforded by commercial or academic service providers rather than the properly constituted authorities: the service providers could be 'bribed' or bullied into acting contrary to their own policies. There have been allegations of such elsewhere in the world, and likewise there is anecdotal evidence of various attempts to stifle the compilation and publication of lists containing information concerning known sources or transit points of abusive traffic. Industry self-regulation can be a good thing, but it has its limits.

The concept of 'permission marketing' where advertisements are sent only to those who have specifically given their permission is increasingly put into practice.[7] The advantages of the 'opt-in' approach in establishing and maintaining relations are[8]:

  • The opt-in approach does not prohibit the sending of commercial e-mail to customers or website visitors
     
  • The opt-in approach does not prohibit disclosure to third parties of data supplied by Internet users
     
  • The opt-in approach does not prohibit the compilation of mailing lists
     
  • The opt-in approach prohibits unfair collection and use of data

We firmly believe that the 'opt-in' approach will go far in encouraging the implementation of ethical marketing practices which respect individuals' privacy on the one hand and ultimately promote the development of electronic commerce on the other.

"For countries which have announced their intention of having a high level of data protection, it is difficult to see the advantage in stopping at the minimum standard of the opt-out, unless it is to placate backward-looking industry interests and to shore up business practices which with the advent of consensual marketing now belong firmly in the past. To portray the opt-out approach as a compromise between privacy protection and free enterprise is a gross distortion. To use a somewhat fanciful analogy, the opt-out approach amounts to giving the e-mail user a sponge to mop up a flood of commercial messages which will never run dry [...] while the opt-in approach gives him [or her] access to the source and allows him [or her] to control the level of the flow. As for free enterprise, it is hard to imagine that any legislator would wish to sacrifice citizens' privacy in the name of free enterprise."[9]

We think that the Commission's Draft of the proposed directive offers the best way forward and urge the UK Government to support it.

Respectfully,

George W. Mills, Chair
European Coalition Against Unsolicited Commercial Email
 


[1] Austria, Denmark, Finland, Germany, and Italy

[2] Norway

[3] Commission Draft COM(2000) 385, EXPLANATORY MEMORANDUM 3. PROPOSED CHANGES Unsolicited communications - page 5

"Four Member States already have bans on unsolicited commercial e-mail and another is about to adopt one. In most of the other Member States opt-out systems exist. From an internal market perspective, this is not satisfactory. Direct marketers in opt-in countries may not target e-mail addresses within their own country but they can still continue to send unsolicited commercial e-mail to countries with an opt-out system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market is unworkable in practice. A harmonised opt-in approach solves this problem."

[4] Article 29 Data Protection Working Party, (WP28) Opinion 1/2000 on certain data protection aspects of electronic commerce, adopted 3 February 2000

[5] Data Protection Act 1998, Schedule 2, 6. - (1):

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

[6] Article 29 Working Party (WP36), Opinion 7/2000 On the European Commission Proposal for a Directive of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector of 12 July 2000 COM (2000) 385, Adopted 2 November 2000

(WP37) Working Document: Privacy on the Internet - An integrated EU Approach to On-line Data Protection, Adopted on 21 November 2000

"Five Member States (Germany, Austria, Italy, Finland and Denmark) have adopted measures aimed at banning unsolicited commercial communications. In the other Member States, either an opt-out system exists or the situation is not fully clear. Companies in opt-out countries may target e-mail addresses not only within their own country but as well to consumers in Member States with an opt-in system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market does not provide a common solution for the protection of consumers' privacy. Opt-in is thus a well-balanced and efficient solution in order to remove obstacles to the provision of commercial communications whilst protecting the fundamental right of privacy of consumers. The Working Party thus welcomes and supports the proposal to address unsolicited electronic mail in the same way as automatic calling machines and facsimile machines. In all these situations, the subscriber has no human interface and supports parts or the whole of the costs of the communication. The degree of invasion into privacy and the economic burden are comparable."

[7] Commission of the European Communities, Unsolicited Commercial Communications and Data Protection (p 104)

"<...> businesses prepared to eschew unpopular and counterproductive online marketing practices and adopt the ethos of the Internet community stand to win the confidence of web surfers. And while opt-out registers have no commercial value, consent-based lists represent a valuable commodity. The growing trend towards permission marketing was confirmed in Europe at an international conference held in Paris from 12 to 15 September 2000 (www.webcommerce-europe.com), in particular during a round table session devoted to e-mail marketing <...> Those present had the impression of an awkward disunity between the exponents of this new trend and the advocates of the opt-out approach, such as FEDMA and the American DMA."

[8] Ibid. (pp 111-112)

[9] Ibid. (p 65)


The European Coalition Against Unsolicited Commercial Email is an all-volunteer, ad-hoc grouping of Internet users and professionals dedicated to bringing about an end to an unethical practice by technical and legislative means. http://www.euro.cauce.org
