Spamming: How to Lawfully Email Advertising Messages - 29 maggio 2003 
Spamming: How to Lawfully Email Advertising Messages
GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary-General, having convened today,
HAVING REGARD to the complaints and reports lodged with this Authority concerning the improper use of electronic mail for advertising and promotional purposes,
HAVING REGARD to the decisions taken by the Garante in this sector and considering it necessary to issue a general provision concerning the application of the relevant regulations,
HAVING REGARD to Act no. 675 of 31 December 1996 [Data Protection Act], legislative decree no. 171 of 13 May 1998 [transposing EC Directive 97/66 into domestic law] and other applicable regulations,
HAVING REGARD to the records on file,
HAVING REGARD to the considerations made by the Secretary General pursuant to Section 15 of the Garante´s Regulations no. 1/2000,
ACTING on the report by Mr. Mauro Paissan,
1. The inconvenience suffered by many users
This Authority has been receiving several hundreds of complaints and reports lodged by users of electronic networks as well as by user and consumer protection associations, referring to the circumstance that e-mail messages have been received for promotional, advertising, commercial information and/or direct selling purposes without the recipients´ prior informed consent.
Many data subjects have also complained of the additional inconvenience resulting from the messages continuously dispatched by the same sender-data controller as well as from the fruitless attempt either to have their own e-mail addresses erased by the sender(s) or to prevent additional messages from being delivered. Yet other reports deal with the inconvenience deriving from the receipt of e-mails showing either no sender´s name or no address, or else containing untrue sender information.
In most cases, the data subjects have not been requested to provide their prior specific consent – as required by law – after being appropriately informed about the underlying arrangements and features of the e-mail messages.
In other cases, the messages appear to have been sent by companies to customers – again without any type of consent – in order to promote products and services that are similar to those they supply to such customers on the basis of a contractual relationship, or else to offer other products or services that are distributed also by third parties.
The Garante has provided assistance to many citizens, pointing out the relevant safeguards; it has also actively co-operated at community level to achieve the adoption of common decisions by the EU data protection authorities, which have been posted both on the EU Commission´s and on the Garante´s web site (www.garanteprivacy.it).
The Garante has also found that many complaints lodged under Section 29 of the Data Protection Act were grounded, and has subsequently issued specific prohibitions in respect of data processing operations. Proceedings have been also instituted to impose the relevant administrative sanctions and the case files have been transmitted to the competent judicial authorities whenever the commission of criminal offences has been detected.
In co-operation with police officers, who had been entrusted by this Authority with the performance of the necessary controls and the enforcement of specific provisions, several measures have been applied on the spot at the premises of service providers and/or other data controllers in order to temporarily suspend unlawful personal data processing operations performed by entities that had been found to carry out this type of activity on a systematic basis. Finally, audits have been carried out concerning other Internet access providers and additional entities to investigate compliance of processing operations with the legislation in force.
Based on these premises, the Garante considers it necessary to issue a general provision specifying what measures are to be adopted by this industry sector in order to abide by data protection legislation - with particular regard to the communications sector. Furthermore, the Garante considers it necessary to prohibit unlawful processing operations as referred to in other reports that are hereby dealt with by a single decision – in particular those concerning identifiable data controllers.
2. Lawfully sending e-mails for advertising purposes
E-mail addresses contain personal information that must be processed in compliance with the relevant regulations (Section 1(1), letter c) of the Data Protection Act).
Their use for promotional and/or advertising purposes is only allowed if the data subject has given his or her prior free, specific and informed consent thereto.
Consent is necessary regardless of the fact that the addresses are created and used automatically by software applications without any human intervention, or that no check is made as to their activation or the recipients´ identity, or that the addresses are not stored after sending the relevant messages.
These mechanisms are based on the choice made available to data subjects further to the so-called opt-in approach, and were re-affirmed in 1998 by legislative decree no. 171/1998 even before EC Directive 2002/58 provided for extending them to all EU countries.
This Authority has repeatedly addressed the issue at stake by stating that the availability of e-mail addresses on the Net does not imply that those addresses may be used freely to send advertising messages (see the Garante´s decision of 11 January 2001).
In particular, the data relating to individual users participating in discussion groups on the Internet are made known exclusively for taking part in a given discussion and may not be used for different purposes in the absence of their specific consent (see Section 9(1), letters a) and b) of the Data Protection Act).
A similar conclusion can be drawn as regards the e-mail addresses contained in an Internet provider´s subscriber list – again, if the free, specific consent of such subscribers is lacking – and/or the addresses that are published on web sites of public entities for institutional purposes.
The above considerations also apply to advertising messages sent to web site managers – including those of private entities – by using the addresses that either are published on the respective web sites or can be obtained by interrogating the lists of domain name registrants. Indeed, in the latter case the availability of the e-mail addresses on the Net is aimed at providing information on the person that is responsible for technical and/or administrative matters in connection either with a domain name or with other functions related to Internet-based services – e.g. for the protection of several rights under criminal and civil law, also pursuant to the Data Protection Act -, whereas it is not meant to signify the data subject´s agreement to receiving advertising messages.
In all the cases mentioned so far, the – often massive – e-mailing results into an unjustified breach of the recipients´ rights. Indeed, the recipients are obliged to keep up the Internet connection for a long time in order to receive the messages, browse them and select those they were awaiting or are willing to accept, and to incur the costs arising from the telephone connection – which are sometimes increased on account of the considerable size of the messages delivered, making all the above operations lengthier – or else to implement special "filters", check more carefully for the presence of viruses or quickly delete materials that are unsuitable for children – especially within a household.
This inconvenience also affects both SMEs and major companies receiving a considerable number of messages, since they are required to take measures internally and incur organisational and other costs to fight against it.
The circumstance that advertising costs are charged to users in a utterly unjustified manner also applies to the messages sent by natural persons who, in several cases addressed by this Authority, do not limit themselves to occasionally sending out communications, but rather undertake systematic communication activities for personal purposes or even disseminate data in a way entailing application of personal data protection legislation (see Section 3 of Act no. 675/1996).
3. The legal framework applying to information and consent
The contents of the information notice to be provided to data subjects as well as the cases in which the data subjects´ express consent is required or may be dispensed with are set out in the Data Protection Act (Sections 10, 11, 12 and 20 of Act no. 675/1996).
In this regard, it should be pointed out, again, that consent may not be considered unnecessary because the personal data concerning an individual´s e-mail address are allegedly "public" in that they are available to everyone.
The relevant legislation (see Section 12(1), letter c), and Section 20(1), letter b) of the Data Protection Act) only applies in connection with publicly available registers, lists, records or documents if there are provisions in force specifically requiring said registers etc. to be available on a general basis – whereas this is not the case if the personal data are publicly available merely on account of factual circumstances. Only think not only of the aforementioned collection of data via web sites and/or messages transmitted via newsgroups and/or mailing lists, but also of the e-mail addresses that are collected on the Net by means of ad-hoc software and standard search engines.
In our legal system, the consent requirement was therefore applicable to the sending of any e-mail message for direct marketing purposes long before this principle was laid down without exceptions at European level by Directive 2002/58/EC, which is currently being transposed (see, in particular, Article 13 and Recital no. 40 of the latter).
The above view is further supported by the legislation concerning consumer protection in distance selling; with regard to the underlying relationship in whose connection personal data are to be processed, suppliers are prohibited from using e-mail for specific purposes - including advertising activities - in the absence of a consumer´s prior consent (see Section 10(1) of legislative decree no. 185 of 22 May 1999).
Conversely, the provisions laid down in the recently enacted decree on e-commerce (legislative decree no. 70 of 9 April 2003) are not to be taken into account with regard to personal data protection, having been declared expressly to be inapplicable (see Section 1(2), letter b), of said decree).
The consent, which must be documented in writing, is to be given freely and explicitly, and by differentiating between the different purposes and services/products on offer – prior to sending out the relevant messages (Section 11 of the DPA).
The above requirements may not be evaded by sending an initial e-mail with advertising and/or promotional contents to request the recipient´s consent, or else by only granting a recipient the right to opt out of the list of addressees in order to stop receiving similar messages.
Conversely, the practice followed by some suppliers is appropriate and should be encouraged – such practice consisting in preliminarily obtaining the recipients´ valid consent and thereafter confirming receipt of said consent by sending a message only aimed at informing that advertising material will be subsequently transmitted. This practice – if implemented properly – also allows verifying the e-mail addresses corresponding to the entities that had given their consent as well as establishing whether the latter still applies.
Breach of the rights recognised to users under the law makes it unlawful to process the data, which
- is prohibited directly by the law without any specific prohibitive injunction being necessary as issued either by the Garante or by judicial authorities,
- may carry administrative sanctions consisting in payment of a fine, in particular if no information notice is provided and/or the notification of processing operations is not submitted (see Sections 10, 34 and 39 of the Data Protection Act, and Section 12 of legislative decree no. 185/1999),
- entails payment of expenses and duties related to the proceeding instituted either upon lodging of a grounded complaint with the Garante or upon an action brought before a civil court, as well as compensation for any damage, including pecuniary damage, that is suffered on account of the unlawful conduct and can be proven by the data subject in connection with the inconvenience described above,
- also carries criminal punishments if the data are unlawfully processed with a view to gain for oneself or another or else to harm another, which entails the additional punishment of having the relevant judgment published in the press (Sections 35 and 38 of the Data Protection Act).
4. Advertising messages sent to own customers
Further to transposition of Directive 2002/58/EC, it will actually be possible for certain companies to notify their customers of the existence of products and/or services that are similar to those that already form the subject of a contract for the sale of products and/or services to such customers.
In these cases, the data controller company – having informed customers appropriately in advance – will be allowed to send advertising messages, however it will have to inform customers clearly and specifically – both at the time of collecting the data and with each subsequent message – that they have the right to object, freely and in a simple manner, to the use of their data for that purpose either from the start or at a later stage (see Article 13(2) of Directive 2002/58/EC).
5. Messages sent on behalf of third parties and purchase of data banks
In some cases reported to the Garante, advertising messages had been sent on behalf of third parties by specialised companies using e-mail addresses contained in own data banks.
Those companies can be regarded as either data controllers or joint data controllers, depending on their relationships with the respective contractors as well as on the mechanisms regulating use of the data in concrete; they are required to abide by the provisions concerning information and consent, also with regard to the communication of personal data to their contractors and the relevant purposes.
Therefore, the resulting obligations and liability – including criminal liability – should be considered carefully by the individual operators also if the specialised company in charge of the mailing is established outside the European Union.
6. Data subjects´ rights
Regardless of the relationship between sender and recipient of a message, the entity holding the personal data must ensure that a data subject has the possibility at any time to exercise the rights recognised under the law – which is often done in order to know the source of the data, or else to terminate their use, free of charge, for commercial and advertising purposes, or to have unlawfully processed data erased (see Section 13(1), letter e), of the Data Protection Act).
A standard form to exercise the above rights in an easy manner, free of charge and without specific formalities, also verbally and by using e-mail, can be found on the Garante´s web site; proof of the applicant´s identity is required (under Section 17(1) of Presidential Decree no. 501 of 31 March 1998). This form should be used in preference to others that can be found on the Internet, which are not fully valid because they refer to items that are not mentioned in Section 13 of the DPA – e.g., they refer to certifications and/or authorisations that are not required under the law.
The rights should be exercised on the basis of said model, to be sent directly to the data controller´s/data processor´s known address, whilst a complaint should be lodged with either the Garante or judicial authorities only at a later stage – if necessary.
Also with a view to allowing the aforementioned rights to be exercised, sending anonymous advertising messages without any identifiable sender should be considered to give rise to an unlawful data processing operation irrespective of the provisions laid down in decree no. 70/2003 on e-commerce – which does not apply to personal data protection matters, as already pointed out – as well as of the regulations yet to be laid down with regard to personal data in transposing Directive 2002/58/EC – which does not allow sending advertising messages if the sender´s identity is camouflaged or actually hidden, or if no valid address is made available for the recipient to request termination of communications.
Therefore, the provisions in force already require that senders of any messages clearly specify where their messages originate as well as to whom and where the recipients can apply in order to exercise their rights (see Section 10(1), letter f), of Act no. 675/1996). To comply with the fairness requirement, the type of the message – i.e. commercial advertisement – should be also specified in the "subject" part of the e-mail (see Section 9(1), letter a) of Act no. 675/1996).
7. Lists of possible recipients
Where lists are drawn up by operators to collect the names of recipients that either have not given or have withdrawn their consent, they may not be used to make it mandatory for data subjects – even indirectly – to be included into said lists.
As mentioned above, consent is to be regarded as an "affirmative" authorisation, therefore failure by a data subject to respond to a request for consent entails denial of his/her consent and may not be equated to his/her tacit assent.
In fact, it appears that some operators are planning to follow a different practice, which consists in drawing up – also by means of web sites – ad-hoc lists of individuals who have given their consent, such lists being grouped in accordance with the different categories of advertising and commercial messaging the individuals have consented to receive. This practice may be useful in organisational terms to ensure stricter compliance with the requests made by data subjects. In this regard, a useful arrangement might also consist in allowing data subjects to directly enter/erase their names into/from the different lists – perhaps by means of an ad-hoc web page – subject to their identification.
8. E-mails from abroad
Some messages do not fall under the scope of application of the Italian data protection Act, since they originate from abroad.
However, this does not mean that no remedies or safeguards are available, since users may apply to the geographically competent national supervisory authorities – if any – to have an assessment carried out.
In other cases – e.g. with regard to the legal framework in force in federal States – e-mailing advertising messages may be unlawful under the legislation of certain States of the federation; therefore, users may request the competent public authorities of such States to consider whether the unlawful conduct at stake is to be prosecuted.
Finally, account should be taken of the fact that some unsolicited e-mail messages can be used for the commission of ordinary offences – e.g. cheating –, which must be considered to have been committed in the Italian territory if the underlying activity has taken place abroad, but the resulting offence has occurred in Italy.
This Authority hereby reserves the right to consider the status of the individual service providers whose processing operations have been the subject of specific reports, also in the light of such additional documents as may be received.
In this regard, not only will the relevant case files be transmitted - if necessary - to the judicial authorities that are competent over criminal matters, but the following steps will be also taken via individual decisions based on the assessment of the individual complaints and reports, namely
a) charges will be brought for breach of administrative requirements concerning the information notice as per Section 10 of the Data Protection Act, and
b) proceedings will be instituted to apply the additional administrative sanctions laid down in legislative decree no. 185/1999.
BASED ON THE ABOVE PREMISES, THE GARANTE
1. pursuant to Section 31(1), letter l), of Act no. 675/1996, hereby prohibits the entities referred to in the complaints and reports lodged with this Authority from unlawfully processing further any personal data in breach of the aforementioned provisions in order to send advertising materials and/or for direct selling purposes, or else to perform market surveys or interactive commercial communications,
2. pursuant to Section 31(1), letter c), of Act no. 675/1996, draws the attention of the data controllers referred to in the relevant case files to the need for bringing the processing of personal data into line with the principles mentioned in this decision.
Done in Rome, the 29th day of May 2003
THE SECRETARY GENERAL