New anti-spam legislation has consequences for Australian business
The issue of spam is currently attracting considerable attention worldwide. On 2 February 2004, the OECD called for governments to work harder against spam by improving cross-border co-operation on network security and law enforcement The European Commission has also announced a series of law enforcement and awareness actions that are needed to make a "ban of spam" reality. Of course, Australia's Spam Act 2003 commences on 10 April 2004. Burt Hill and Kaman Tsoi provide us with an overview of the new legislation including its general restrictions, exceptions, defences and penalties. Their article also considers the implications of the legislation for employers. We wait with interest to see what impact the Australian legislation will have on the receipt of unsolicited emails and other electronic messages.
Burt and Kaman are solicitors in Freehills Melbourne's corporate group specialising in technology law and privacy.
Late last year the Federal Parliament passed the Spam Act 2003 (Act) in an attempt to tackle the proliferation of unsolicited emails and other messages such as SMS text, used by marketers. These communications not only clog-up recipients' inboxes and slow productivity, but often carry offensive and illegal content such as pornography and financial scams.
While the new Act is not restricted to spam sent from Australia, it is unlikely to have much of an impact on the bulk of spam, which originates overseas from sources difficult to trace. However, the Act will have consequences for organisations that send emails and other electronic messages for commercial purposes, and organisations should be aware of their obligations under the Act. Employers should also be aware of how the Act could apply to messages sent by their employees.
Rules when sending commercial electronic messages
New rules affecting commercial electronic messages with an Australian link are established in Part 2 of the Act. The key provisions are:
a restriction on sending unsolicited messages;
a requirement to include a functional unsubscribe facility; and
a requirement to include accurate sender information.
A "commercial electronic message" is a message where one of the purposes of the message is a commercial purpose. It need not be the primary or sole purpose of the message. Twelve types of commercial purposes are specified in the Act, with scope for the regulations to make exclusions or add other purposes. The commercial purposes set out in the Act extend to the promotion of suppliers of goods and services and of providers of business or investment opportunities. Websites linked to from the electronic message can be taken into account in determining whether the message has a commercial purpose. Notably, an electronic message does not need to be sent in bulk to fit the definition of a commercial electronic message.
The concept of "Australian link" is designed to restrict the rules about commercial electronic messages to messages sent from Australia or to Australia. This is determined taking into account factors such as physical presence, organisational presence and the location of the computer, server or device used to access the message.
A message will be considered "unsolicited" where the recipient has not consented to the sending of the message. The concept of 'consent' is addressed in detail in the Act and includes express consent as well as consent inferred from the conduct or relationships of the recipient (such as existing business relationships). Generally, mere publication of an electronic address will not amount to consent, except in some circumstances where a relevant message is sent to a person's conspicuously-published work-related electronic address.
Other provisions
Other provisions in Part 3 of the Act include prohibitions on the supply, acquisition and use of address-harvesting software and address lists produced with such software.
Exceptions for factual messages and for government, charities etc
Messages from government bodies, political parties, religious organisations, charities and some messages from educational institutions, which relate to goods or services provided by those organisations, are not subject to the unsolicited message prohibition or unsubscribe requirement. However the requirement to include accurate sender information still applies. The Labor Opposition ultimately backed down on their requested amendments to extend these exceptions to not-for-profit organisations and trade unions.
A similar exception is provided for messages that contain no more than factual information, identification of the source or sponsor of the information and an unsubscribe facility (which would be optional). The factual information by itself would need to be information without a commercial purpose. For example, many newsletter and update messages would be considered factual messages for the purpose of the exception.
Implications for employers
Importantly for organisations, if an individual authorises the sending of an electronic message and does so on behalf of an organisation, then the organisation rather than the individual is taken to have authorised the sending of the message. Whether an employee has sent a message on behalf of their organisation will depend on whether that employee has exceeded his or her authority. In other words, if the message was sent within the course of his or her employment then this message may be taken to have been authorised by the organisation.
Therefore, it is important that organisations take proactive measures such as restructuring their email policy and implementing training regimes to ensure that employees within an organisation are educated on the new legislative changes, and their responsibilities within the organisation concerning the sending of emails. These sorts of risk prevention strategies should be directed at establishing the scope of employees' authority to send electronic messages.
Defences and other provisions
Proving whether an individual has sent a commercial electronic message will depend on whether the person who caused the message to be sent had some knowledge of what they were doing. In other words, emails sent as a result of a virus that has hijacked a computer would not be in breach of the legislation.
The Act also provides a number of defences regarding the sending of messages by mistake or where the sender could not reasonably have found the Australian link. A person does not contravene the Act if the person (such as an internet service provider) merely supplies a carriage service that enables the electronic message to be sent.
Penalties
Compliance with the Act will be monitored and enforced by the Australian Communications Authority. Civil penalties under the Act will be assessed according to a sliding scale for repeat offenders. An individual could be liable for up to a total of $44,000 for contraventions on a single day, while an organisation could be fined up to $220,000 in a day. Offenders with a prior record will be penalised up to a maximum of $220,000 for each day of spamming by an individual, and $1.1 million per day for organisations.
Next steps
Organisations should conduct a review of the types of electronic messages they send in order to determine which messages can no longer be sent without consent, which require the inclusion of accurate sender information and which require the inclusion of a functional unsubscribe facility. Implementing appropriate solutions will involve both legal and technical input, and be supported by training and updated policies relating to electronic messages.
The operative provisions of the Act take effect 120 days after the Act receives Royal Assent (formal approval by the Governor-General), setting the expected date around April 2004. Two possible other sources of obligation yet to be drafted but foreshadowed by the new legislation are regulations to accompany the Act and e-marketing industry codes enforceable under the Telecommunications Act. The Act itself will be reviewed in two years.
March 2004 contents
|
