Client Alert

EU Red Tape Goes Electronic

Implementation of recent EU legislation on privacy and electronic communications, which is currently taking place across Europe, is proving a distinctly painful experience for businesses who use e-mail, the internet and electronic messaging services to communicate with their customers. This is because the European Union's Directive 2002/58 on privacy and electronic communications (which was implemented in the UK on 11 December last year) fundamentally changes the laws relating to the use of electronic communications for direct marketing purposes and other customer relationship management (CRM) techniques.

There are a number of reasons why implementation of the new laws is proving traumatic for European business. To begin with, it doesn't help that the legislation is being rolled out by the EU Member States in what can - at best - be called a piecemeal fashion. Although all EU countries were supposed to implement the Directive into their national laws by October 31 of last year, only a handful of countries have done so, spurring the Commission to start proceedings against the remaining nine members in December 2003. Once the Directive becomes law in the remaining Member States, however, the Commission hopes that there will be a sharp drop in spam, freeing up inboxes from junk mail, which, according to some estimates, currently accounts for approximately 30% of all incoming e-mail.

The Directive's main thrust lies in the provision that expressly prohibits the sending of unsolicited electronic mail (comprising e-mail, SMS and MMS) to individuals unless the individual has given express prior consent (referred to as "opt-in" consent). By way of exception, however, electronic marketing communications may be sent to an individual unless and until he or she objects (referred to as "opt-out" consent) if: the sender originally obtained the individual's contact details "in the context of the sale of a product or a service;" the "same natural or legal person" issued the communication; and the marketing is for the "sender's own similar products or services." Failure to comply may result in hefty penalties, and, somewhat startlingly, there is the possibility of imprisonment under the new Italian law.

There has been serious criticism: first, the Directive has been faulted for restricting not only "true spam", i.e., e-mails that are randomly sent out in bulk, but also arguably legitimate electronic mail targeted at a more select audience, such as electronic newsletters which provide value to recipients. Another major criticism of the Directive is the room for manoeuvre given to Member States in implementing and interpreting the Directive. As a result, companies using e-mail, messaging or the internet to communicate with their customers are confronted with a matrix of widely differing legal standards within the EU. Vivid examples of this dilemma can be found in numerous aspects of the legislation. One example is the provisions granting the exception to the strict opt-in requirement - how exactly should a company wishing to send unsolicited commercial communications determine whether its relationship with a recipient arose "in the context of the sale of a product or service"? For obvious reasons, this issue is of significant importance and interest to most companies. The draft German statute requires, without further specification, that the relationship be "an on-going commercial relationship," the UK law requires negotiations at least to have occurred, if not a sale, while the Swedish legislators initially suggested that companies would only be able to send unsolicited electronic communications within one year after the conclusion of the sales contract. Other examples of discrepancies in Member State approaches abound, even in the same context of the rules relating to the specific opt-in exception. For instance, how similar must a product or service touted in a marketing communication be to the product or service that formed the basis of the original relationship between the sender and the recipient? The UK considers products or services "similar" if they are products or services that the customer "would reasonably expect to receive" from the sender. Other countries have implemented this provision more narrowly. And who qualifies as "the sender" - the company or its marketing agency? Or both? Questions such as these must be clarified before businesses, particularly large multinational corporations with complex corporate structures and multiple product ranges, can feel reasonably safe in conducting electronic marketing activities.

Businesses using electronic communications are also faced with varying degrees of protection afforded to corporate entities because the Directive delegates responsibility to Member States for determining how to adequately protect legal persons in their national legislation. In some Member States, only individuals (i.e., living persons) are protected. In others, companies, partnerships and other "legal persons" are provided with rights as well. This flexibility has led to widely varied protection of legal persons depending on where they are located. The spectrum of protection ranges from the French approach, at one end, where legal entities may receive the same protection as individuals, to the Swedish approach, at the other, where protection for legal entities is virtually nonexistent. The remaining Member States have adopted similar or middle-of-the-road approaches, giving European businesses a mixed bag of rights. As with many other aspects of e-commerce and internet law, companies therefore face the often difficult choice to either comply with the most restrictive legal regime, or to familiarize themselves and comply with the legislation in each and every country where a potential recipient is located.

The Directive is certain to give rise to particular concern for those companies that have made significant investments in compiling customer databases in compliance with previous laws. Some Member States, such as France, are considering transitional legislation allowing companies to only use their customer databases "one last time" to obtain consent for future marketing. In the UK, recently published guidance to the law allows for the ongoing use of customer registers compiled under previous legislation where these have "been used recently."

The Directive also seeks to regulate and restrict a less obvious intrusion into the domain of the computer user - the use of information obtained through cookies placed on a website visitor's hard drive or other data collected from users of communication services. Cookies are small text files deposited in a user's computer when he or she visits a website, and allow websites to recognize a visitor and track that visitor's actions over time. Website operators use this data to assess the effectiveness of the content and design of the site, and can also eliminate the need for a visitor to re-enter personal details every time he or she visits that site. While the Directive expressly recognizes the usefulness of cookies, it nevertheless severely restricts their use, at the same time imposing deeply unclear - and far from practical - obligations on website operators. In short, the Directive requires that if cookies are being used, then a user must be provided with "clear and comprehensive information" about the information being collected. In addition, the user must also be given "the opportunity to refuse" cookies, although access to the website can be made conditional on their acceptance. Technically, it would seem that this is supposed to happen before any cookies are delivered to the user's PC, which runs counter to current market practice. It remains to be seen whether it suffices to notify the user of their ability to change their browser settings to reject cookies for the operator to meet the requirement to allow "the opportunity to refuse." Again, the standards set forth in the Directive are subject to some customization by the Member States.

In conclusion, while the Directive represents a major step and initiative in combating arguably invasive commercial practices, more work needs to be done to establish clear standards and guidelines so that legitimate commercial activities can be conducted with some degree of certainty. Perhaps most importantly, however, the Directive does not attempt to resolve the jurisdictional issues entailed in enforcing the new regime. As most spam originates from outside the EU, it is not at all clear whether the new restrictions will in fact result in a significant reduction in commercial spam. Until the dust settles, computer users may have to continue to rely on the other remedies currently available to ward off spam - spam filters and the humble "delete" key.


This article first appeared online on, February 3, 2004 and is reprinted with permission.



