Many people (including myself) have been watching how the UK’s December 2003 spam legislation has developed. Though there was little hope for it at the time, it seems the situation is now out of control, and no one believes the UK legislation (though based on the strong EC Directive) will do much at all.
The UK passed its Privacy and Electronic Communications (EC Directive) Regulations 2003 in September 2003. They went into effect in December 2003, only slightly after the deadline established by the Directive on Privacy and Electronic Communications, Council Directive 2002/58/EC, art. 13, 2002 O.J. (201) 37 (previously covered here).
This legislation, like the directive, covers many issues including faxes, security, itemized billing and more. The EC directive was strong, requiring an opt-out for existing relationships and opt-in for others. Section 22(2) codifies the opt-in requirement, and 22(3) codifies the opt-out for marketers who obtained the address through a sale and market "in respect of that person's similar products and services only." Section 23 forbids forged headers for messages sent under Section 22 and requires a valid opt-out address, though it is unclear if this address is physical.
There is no doubt that the UK requirements are strong on paper. They are, after all, based on the restrictive EC directive. The problems seem to stem from enforcement and interpretation.
Section 30(1) has a vague private right of action. "A person who suffers damage by reason of any contravention of any of the requirements of these Regulations by any other person shall be entitled to bring proceedings for compensation from that other person for that damage." Since a person must bring proceedings, an ISP cannot sue, but it is unclear whether an individual could. This debate is solved, however, by Section 30(2), which offers an affirmative defense of "such care as in all the circumstances was reasonably required to comply with the relevant requirement." In this case, care to keep to only business addresses, which aren’t received by "individuals" under the statute, could be enough to defend any claim. The statute only offers compensation for damages, which to any individual person will be low.
Section 32 offers the preferred method of enforcement. Persons or the Office of Communications can request that the Information Commissioner enforce the regulations.
A person’s Section 32 rights to request enforcement can be exercised using the Information Commissioner’s Office’s online form to report violations, but it must be completed on paper and mailed in, even requiring a stamp. This five-page beast of a form helpfully notes that "[i]n most instances we cannot pursue a complaint if we are unable to identify the sender." It then asks for the name, address, phone number, website, and e-mail address of the alleged offender. It does not, however, ask for the actual mail received, not to mention, say, the header or routing information. These complaints most likely accomplish nothing for the dedicated folks who fill them out or for the poor folks who have to process them. Compare this system to the sleek Australian complaint form, complete with stellar guide to what is legal. Even the vague FTC multi-purpose CAN-SPAM-and-all-other-complaint form is better; at least it is electronic.
In the UK, it looks like some dedicated bloke must transcribe an entire e-mail or set of e-mails and then wait for the Information Commissioner to get around to issuing a warning and then some sort of fine. We're all still waiting.
Even before the regulations, the Commissioner warned that it did not have enough funding to carry out responsibilities under the new laws. These predictions were correct. Though the law threatens fines for non-compliance, seven months later, none have been issued.
Now, spam operations are shifting to the UK, where spam policy is perceived as lax. At least one Italian spam operation has already made the switch after Italy made spam a criminal offense. After the UK’s regulations went into effect in December 2003, it edged out unregulated India for the #10 spot in global spam, where it still ranks. UK users are frustrated that their legal solution is doing nothing to stop even domestic or other European spam. Many are second-guessing the policies of delegating enforcement to a failing agency and allowing spam directed at business addresses, which are not statutorily individuals. Reform to UK spam policy is likely to start with these issues, especially if the Information Commissioner does not act soon.
For more countries, see the Spam Around the World index.