Internet Newsletter for Lawyers |
|---|
Legal harmonisation within the European Union is a wonderful idea. Imagine being able to run a pan-European business operation without having to dissect the regulatory nuances of every single Member State. Imagine being able to deal with just one set of regulatory authorities. One might even be able to achieve full legal compliance and get on with running the business.
An area where this appears to be a hopeless ambition is e-mail marketing. When the European Commission published its original proposal for a new data protection directive for the electronic communications sector in July 2000, harmonisation was a key driver. The desirable prospect of a common EU e-privacy regime seemed achievable. Four years later, the differences are still there. The directive concerning the processing of personal data and the protection of privacy in the electronic communications sector (2002/58/EC) was fiercely negotiated by all camps and as a result, there is quite a bit of room for national divergences in its interpretation.
This article looks at the different ways in which some EU Members States have interpreted the rules established by the directive in the area of e-mail marketing. Unfortunately, a one-size-fits-all approach is unlikely to work.
(a) the e-mails relate to similar products or services to those for which the recipient is regarded as a customer;
(b) there is always an opportunity to opt out of further unsolicited e-mails; and
(c) certain transparency conditions are met – the identity of the sender must not be disguised or concealed, and a valid address that the recipient may use to opt-out must be provided.
However, relying on this exception on a pan-European level can be problematic because of the different approaches to the concept of "customers".
In the UK, the so-called opt-out exception is set out in Regulation 22(3) of the Privacy and Electronic Communications Regulations. According to Regulation 22(3)(a), the contact details of the recipient of the e-mail must have been obtained directly from that individual in the course of a sale or negotiations for the sale of a product or service. Here, the interpretation of what constitutes "negotiations for the sale" is linked to the concept of inducement. For example, where a competition is part of the inducement to raise interest in a product or service, this will be regarded as part of the negotiations for a sale.
Similarly, in the Netherlands, Article 11.7 of the new Telecommunications Act allows the sending of marketing e-mails on an opt-out basis to individuals with whom the sender has had prior contact in the context of selling its good or services. This suggests that the Dutch Authority's interpretation is likely to follow the approach of the UK's Information Commissioner. The position in Austria is even more relaxed, according to its data protection authority, as the practice of sending marketing e-mails without consent is generally allowed as long as the e-mail provides the recipient with the opportunity to object to any further messages.
However, in most EU countries, the interpretation of customers appears to be much stricter. In Sweden, it is now prohibited to send advertising by e-mail to people who have not agreed to receive the advertising beforehand. This prohibition does not apply where there is an established customer relationship, which the Swedish Consumer Agency interprets as existing where a person has already purchased goods or services from the advertiser. A similar approach has been taken in places like Belgium, Denmark, France and Spain. In Denmark, for example, the Consumer Ombudsman (who sits within the Danish Consumer Agency) has already indicated that for an individual to qualify as a customer, there must be an actual purchase.
The harshest stance from an e-mail marketer's point of view is likely to be the one adopted in Germany. Given Germany's traditionally protectionist approach to consumer privacy, the courts are likely to adopt a strict interpretation of the new Unfair Competition Act. Recent cases have indicated that a one-off transaction is insufficient to make the purchaser qualify as a customer.
As for other EU jurisdictions, they either have failed to implement the directive or have incorporated pretty much the wording of the directive, so it is too early to say how the words "in the context of the sale" are likely to be interpreted. This is the case, for example, in Ireland where the Data Protection Commissioner has yet to publish an official interpretation of the black letter of the law.
In Belgium, the consent requirement does not apply to corporate subscribers if the e-mail address does not contain personally identifiable information. However, any corporate e-mail address that includes a person's name will be subject to the general consent requirement. Similarly, in the Netherlands the opt-in regime only applies to natural persons, but this includes individuals using corporate e-mail addresses.
In Ireland, sending marketing e-mails to business recipients will only be unlawful if the recipient has notified the sender that they do not consent to the receipt of such communications to that address. This is a fairly straightforward way of solving the uncertainty created by the Directive, as it does away with some of the technicalities in the distinction between natural and legal persons.
However, in countries like Germany, Italy and Spain, the opt-in regime applies to both natural and legal persons, although the German courts have allowed a lower threshold for the opt-out exception in relation to business-to-business marketing.
This contrasts with the position adopted in the UK, where the Information Commissioner has publicly stated that it is prepared to take a pragmatic view on pre-existing lists for the time being, provided that the direct marketers ensure that any opt-out requests received either before or after the coming into force of the privacy and electronic communications regulations are acted upon promptly.
In a similar fashion, although Belgian law does not provide for a transitional period to comply with the new regime, in November 2003 the Commercial Court of Nivelles held that it was lawful to send marketing e-mails to addresses which had been collected on an opt-out basis before the new opt-in regime had come into force, but that companies should cease to send marketing e-mails as soon as the right to opt-out was exercised. This approach has been upheld by the Belgian data protection authority.
All in all, the laws dealing with direct marketing by e-mail in the European Union are a regulatory labyrinth and for many international organisations it is almost impossible to explore every single turn. One can only hope that the EU data protection authorities will choose to go after the real spammers, rather than to penalise those companies that try to respect individuals' wishes but fail to get to grips with the technicalities of the law.
Eduardo Ustaran is an e-commerce and data protection lawyer at Field Fisher
Waterhouse, www.ffw.com.
He is the editor of Data Protection Law & Policy and
co-author of E-Privacy and Online Data Protection (Butterworths, September
2002) and of the Law Society's Data Protection Handbook (July 2004).
E-mail eduardo.ustaran@ffw.com.
Back to Contents.