The fight on spam: is data protection up to the task?

Jeremy Phillips

A press release from the European Commission today, entitled “More action needed to fight spammers and protect online privacy, says Commission report”, reiterates the Commission’s view that EU Member States can do more to tackle online privacy threats to the public. According to the release,

“A Commission-funded study published today found that although in recent years several EU countries have taken some measures to enforce Europe’s ban on spam, including fines for spammers, the number of prosecuted cases and sanctions imposed on lawbreakers vary considerably [This is not surprising. First you have to catch your spammer …]. The study confirms the need for the legislative improvements proposed under the reform of the EU’s Telecoms rules (MEMO/09/219): clearer and more consistent enforcement rules and dissuasive sanctions, better cross-border cooperation, and adequate resources for national authorities in charge of protecting citizens’ online privacy.

“Today’s figures show that several EU countries are doing more to enforce online privacy rules. However, spam is an area where we can and must improve for the benefit of internet users in the EU,” said Viviane Reding, EU Commissioner for Information Society and Media. “Although since 2002, European law has prohibited spam and spyware, on average 65% of EU citizens are still affected by spam on a regular basis [Presumably this figure is only so low because it takes into account people who are not users of the internet]. We need to step up our fight against spammers and make sure that the EU adopts legislation that provides for strong civil and criminal sanctions against spammers. I call on EU countries to reinforce their national efforts to fight on-line privacy threats such as spam, spyware and malicious software. If we can end the spam plague within Europe [a noble target, but not an easy one for as long as Europe retains online connections to the rest of the world] we will set the example for our neighbouring countries and other parts of the world which are as responsible for spam we receive in Europe.”

The main findings of the study published today by the European Commission indicate that:

Almost all EU countries now have one or more websites where citizens can find information or make a complaint if they become a victim of spam, spyware or malware;

An analysis of more than 140 enforcement cases from 22 Member States shows considerable differences between the number of cases per country and the fines imposed. The highest numbers of cases were reported in Spain (39), Slovakia (39) and Romania (20) [Does this reflect the cogency of the enforcement or the lack of sophistication of the spammers?]. The highest fines were imposed in the Netherlands (€1 000 000), Italy (€570 000) and Spain (€30 000). However, spammers in countries such as Romania, Ireland, and Latvia received modest fines ranging from hundreds to several thousand Euros [It’s good to achieve consistency, but if there’s a punitive element involved it may well vary in light of local conditions, currency etc].

A successful approach to fighting online threats requires a combination of prevention, enforcement and raising public awareness [the last of these is particularly important because it’s lack of public awareness that makes spamming such a viable proposition for its proponents]. Public authorities (such as telecoms regulators, data protection and consumer agencies and law enforcement bodies) must have clear responsibilities and cooperation procedures between themselves [this should be the case for all problem areas and not just canning spam]; while public and private sector must also work together. The level of cooperation differs strongly between EU countries. Cooperation agreements exist in Belgium, Cyprus, Estonia, France, Germany, Italy, Latvia, Lithuania, the Netherlands, Romania and the UK, while Luxembourg and Malta, for example, rely on informal cooperation.

Spam is a global problem. More international cooperation, both within the EU and worldwide, is necessary to tackle spam.

EU countries should allocate sufficient resources to national authorities in order to gather evidence, pursue investigations and mount prosecution in this field [This in turn requires educating national authorities as to the vast cost to them of spamming, not just through consumers being entrapped by it but through the cost of filtering and deleting real spam and the effort incurred in assessing the veracity or otherwise of putative spam and the loss through wrongful deletion or filtering of non-spam communications].

The reform of the EU’s telecoms rules proposed by the Commission (and currently being finalised by the European Parliament and the Council) would provide conditions for a better enforcement of privacy rules. A new provision in the EU telecoms rules requires that penalties for breaking national laws on online privacy should be effective, proportionate and dissuasive. It further obliges EU countries to allocate the necessary resources to national enforcement authorities.

The new rules will also enable national spam fighters to join the European network of authorities that enforce consumer protection laws, and private organisations such as internet service providers will be entitled to take legal action against spammers that abuse their networks. At the same time, the European Commission is negotiating an agreement with the US on cross border cooperation in the enforcement of consumer protection laws. Industry figures show that 1 in 6 spam e-mails are sent from the US. Under the reformed telecoms rules, cooperation on spam will be included in the scope of the EU-US agreement.

Today’s study, including assessments of progress in each EU country, links to national data protection authorities’ websites in Member States where you can complain about spam, spyware and malware here

Flash Eurobarometer Confidence in the Information Society here.”

Datonomy feels that, while the involvement of the data protection authorities has been correctly invoked here, both data protection and consumer protection measures are going to be of little practical use until we can grapple with the problems of detecting, identifying and bringing to justice those who are responsible.
