Australia

This page discusses regulation of spam in Australia under the federal Spam Act 2003 and other legislation.

It covers -

Later pages of the profile consider the regulation of spam in New Zealand, along with litigation and industry responses to the 2003 Act (including an examination of industry codes). There is a broader discussion about spam - its definition, impact, statistics and regulatory principles - in our Security & InfoCrime guide.

the legislation

The 2003 Spam Act (PDF) and associated Spam (Consequential Amendments) Act 2003 (here) were passed by Parliament in December 2003. The two Acts will come into effect upon proclamation and are thus likely to be in place from early 2004. They are to be reviewed within two years.

The legislation reflects the national government's telecommunication powers under the 1901 federal Constitution, discussed here.

The Spam Act 2003 - formally described here - prohibits the sending of unsolicited commercial messaging within Australia or on behalf of Australian entities. Prohibition reflects the Government's statement that spam

is typically anonymous, indiscriminate and global. With these characteristics spam has become a popular vehicle for promotions that can be illegal, unscrupulous or use tactics that would not be commercially or legally viable outside the virtual environment. Some of the key issues raised by spam include privacy, illegal/offensive content, misleading and deceptive trade practices and burdensome financial and resource costs.

There are significant privacy issues surrounding the manner in which e-mail addresses and personal information are collected and handled. It is not uncommon for address collectors to covertly harvest e-mail addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner. A report to the US Federal Trade Commission (FTC) estimates that roughly half of all unsolicited commercial e-mail contains fraudulent or deceptive content.

There are obvious community and regulatory agency concerns with the illicit content of a considerable amount of spam - including those that promote pornography, illegal online gambling services, pyramid selling, get rich quick schemes or misleading and deceptive business practices. The indiscriminate method of distribution is of particular concern as it is common for minors to receive spam that is pornographic, illegal or offensive.

The associated Spam (Consequential Amendments) Act 2003 - formally described here - makes various amendments to the Telecommunications Act and the ACA Act to enable effective investigation and enforcement of breaches of the Spam Act.

Its main provisions are discussed below. In essence, they involve a framework to enable development of industry codes, an investigatory role for the ACA regarding complaints and authorisation of warrants to monitor compliance with the Act and regulations.

The legislation is weaker than the EU 1997 Distance Selling Directive (which builds on the 1995 Data Protection Directive discussed in our Privacy guide), the 2000 Electronic Commerce Directive and 2002 Directive on Privacy & Electronic Communications. The importance of global regulation in dealing with spam means that Australia will come under pressure to harmonise its legislation with that in the EU. The 2003 enactments should be seen as a major step on a long road, rather than arrival at a final destination.

background

Development and passage of the legislation reflected sustained lobbying by the Internet Industry Association (IIA), consumer groups such as Coalition Against Unsolicited Bulk Email Australia (CAUBE.AU) and other entities that sought effective regulation of junk messaging.

It also reflected community consultation by the National Office for the Information Economy (NOIE), centred on the 2002 interim and 2003 final versions of the NOIE Spam Report, and discussions in regional/global telecommunications regulation fora. The consultation encompassed public submissions by bodies such as the federal Privacy Commissioner and Australian Information Industry Association. It was followed by a Senate Committee report on the draft legislation.

That legislation received, at best, lukewarm support from direct marketers, from a number of charitable, religious and education bodies and from libertarians opposed to a restriction on free speech. That was accommodated through a range of exclusions, most of which will ideally be tightened in future through amendment of the Act or through the articulation of effective regulations under the Act and industry codes of practice.

Most provisions of the Act will commence 120 days after the legislation receives Royal Assent. The expectation is that this will ensure that persons or enterprises that currently unknowingly send spam will be able to correct their behaviour without penalty during the 'sunrise' implementation period.

definition

The Act defines spam as "unsolicited commercial electronic messaging", embracing email and mobile text messaging (SMS); some other electronic messaging is also covered. The definition excludes voice to voice telemarketing.

The legislation is concerned with commercial messaging, ie messages that offer a commercial transaction or point the recipient to a location where a commercial transaction takes place. To be considered spam, the message must have been sent without the recipient's consent.

Such consent may be expressly given or may be inferred from the behaviour or business or other relationships of the recipient. In some circumstances - one of the most criticised aspects of the legislation - consent may also be inferred by "conspicuous publication" of an electronic address.

In the Second Reading Speech the Minister for Communications, Information Technology & the Arts commented

The Spam Bill 2003 has as its cornerstone the principle of consent. Has the recipient asked for this communication—which constitutes explicit consent—or is there implicit consent? Implicit consent would exist where there is an existing business or other relationship. Drafting the bill has been a delicate balancing act. We must balance the legitimate needs of business and the concerns of the community. ...

The bill hits the right targets. We are hitting those who send spam and the techniques they use, while avoiding a restriction on the right to free speech—be it political, religious or general free speech. The bill also avoids any undue burden on industry or significant restriction on generally accepted business practices. It provides a springboard to develop and use the international arrangements that will be essential to deal with spam effectively because of its global nature.

The Act does not refer to bulk messaging. In principle a single unsolicited commercial electronic message could thus be spam, although enforcement by government is unlikely.

coverage

The Act prohibits sending - or causing to be sent - unsolicited commercial electronic messages that have an Australian link. It prohibits sending commercial electronic messages to a non-existent address that would have an Australian link if the address existed. The Act prohibits action to aid, abet or otherwise be party to a contravention of the legislation.

The legislation is intended to prohibit -

  • spam that originates in Australia, irrespective of whether it is sent to an Australian address or overseas
  • spam that originates overseas and is sent to an address accessed in Australia

It assumes that Australia will conclude multilateral arrangements with other nations to restrict spam that originates overseas, with regulations under the Act giving effect to those agreements once in place. A particular emphasis is likely to concern agreements with South Korea, China, Romania and other eastern European states, and the US (ie regimes where regulation and business practice and where technological weaknesses such as inattention to open relays are common).

As we have discussed in the Governance guide on this site, Australian law does not extend beyond the nation's borders and extraterritorial enforcement of the Act is problematical. The legislation does, however, send a signal to Australians and the international community.

the sender

A major concern in dealing with spam is that it is attributed to addresses that do not exist or are false. That is a particular issue where recipients are invited to 'unsubscribe' from junk messages, with the address for unsubscription either being inactive or simply sending a signal to the spammer (and associates) that the recipient's address is live and can therefore be deluged with more spam.

The Act accordingly requires that all commercial electronic messaging contain accurate information about the message's originator.

That originator is the entity (an individual or organisation) that authorised the sending of the message, irrespective of whether the entity actually sent the message or arranged for its despatch on behalf of that entity.

The information must be reasonably likely to remain correct for up to 30 days after despatch of the message.

There is no requirement that the message be identified with an 'ADV' or other flag in the title (eg facilitating filtering by recipients and ISPs), construed as a requirement of the 2000 EU Electronic Commerce Directive and 2002 Directive on Privacy & Electronic Communications.

weak opt out

As we have noted in discussing spam, much debate about its management has centred on the claimed virtues of 'opt in' versus 'opt out' approaches.

Some proponents argue that messages should only be sent when the recipient has actively indicated that the messages are welcome, with that indication generally being on a sender by sender basis - the 'opt in' approach.

Others suggest that it is sufficient to allow recipients to signal that they wish to 'unsubscribe' from particular mailing lists/databases - the 'opt out' approach in which the recipient is tacitly fair game unless signalling 'no'. Proposed opt-out legislation in South Korea was interpreted by its spammers as simply legitimising spam, a reason for caution in acclaiming the October 2003 announcement of an anti-spam agreement between Australia and South Korea.

Major marketers, seeking to leverage their advantage regarding smaller competitors, have suggested creation of a 'white list' of approved senders, accompanied by filtering by internet service providers and recipients. The suggestion poses competition concerns and has been questioned because of historic poor practice by individual enterprises and industry bodies such as the US Direct Marketing Association and UK Advertising Standards Authority.

The Act stipulates that all commercial electronic messaging contain a functional 'unsubscribe' facility to allow people to opt out from receiving messages from that source in the future.

That facility must be reasonably likely to be able to receive unsubscribe messages, and enable action on them, for a period of 30 days after the sending of the message.

A request to opt out must be honoured within five working days to avoid future breaches of the legislation.

The Act provides that acceptable examples of the unsubscribe facility will be specified by regulation and may vary between technologies.

harvesting

The 2003 Act prohibits the supply, acquisition or use of software that 'harvests' electronic addresses from the internet for the purpose of sending spam. As with copyright anti-circumvention technology, the emphasis here is on intentional misuse.

Provision, acquisition or use of address lists to send spam is prohibited.

exclusions

The Act features significant exclusions regarding "currently accepted government, business and commercial practices".

These include messages from -

  • government agencies
  • religious organisations
  • registered political parties
  • charities
  • educational institutions directed to current/former students and their households

where the message relates to goods or services, and the entity authorising the message is the supplier of the goods or services. It is assumed that trade unions, professional associations and other bodies have a prior relationship with recipients and would thus not be affected by infringement provisions.

"Purely factual" messages are also excluded from the legislation, although the sender must include accurate information about the message's originator. The expectation is that such messages will encompass news services.

industry codes

The legislation reflects the past decade's emphasis on 'co-regulation' in telecommunications.

The Australian Communications Authority (ACA), the national telecommunications regulator that is likely to be merged with the Australian Broadcasting Authority in 2004, will facilitate development of formal Industry Codes that "complement and are consistent with" the legislation. That role is identified in the Spam (Consequential Amendments) Act, amending Part 6 of the Telecommunications Act.

The expectation is that those Codes - similar to Codes under the federal Privacy Act - will provide relevant and achievable standards and procedures to assist compliance with the legislation. NOIE will assist the 'excluded' entities (eg government agencies and recognised religious bodies) in development of best practice guidelines regarding responsible electronic messaging practices. The Australian Communications Industry Forum (ACIF) has published a draft guideline on speam, ie SMS spam.

The codes are discussed in more detail in the final page of this profile.

penalties and enforcement

The Act is to be enforced by the ACA in the first instance. Penalties will involve two levels -

  • infringement notices by the ACA
  • penalties imposed by courts under the legislation

The ACA may choose to issue a formal warning, rather than issue an infringement notice or initiate a full court proceeding. Typically that would be done where it was satisfied that contravention was largely inadvertent and would not be repeated, or in cases where a warning would suffice to change the contravening behaviour.

The ACA may choose to issue infringement notices for contraventions of the legislation, instead of initiating a full court proceeding. A negative response to an infringement notice would incur court action. If the contravention was proven during that litigation the infringer might be penalised at a higher rate than the infringement notice.

Infringement notice penalties for sending spam are

  • $440 per contravention for an individual (with a maximum of $22,000 for all contraventions that occur on a single day)
  • $2,200 per contravention for a body corporate (with a maximum of $110,000 for all contraventions that occur on a single day).

Infringement notice penalties for sending commercial messages without an unsubscribe facility or with inaccurate sender information, or for a contravention of the harvesting provisions, are half of those amounts.

The ACA may initiate a court action regarding breach of the legislation. If a contravention is found to have occurred, the ACA may apply to the court to order the person or organisation involved to pay a penalty and to surrender any financial benefit gained in the course of contravening activity. Any person who has suffered loss or damages from an entity's breach of the Act may apply to the court to make an order for compensation. The ACA may also apply on behalf of that person.

The main court-imposed penalties for spamming cover

  • sending unsolicited commercial electronic messaging
  • sending commercial electronic messages to a non-existent address
  • aiding, abetting or otherwise being a party to such a contravention.

Maximum penalties that might be imposed by a court for sending spam are

  • $2,200 per contravention for an individual, with a maximum penalty of $44,000 for all contraventions that occur on a single day
  • $11,000 per contravention for a body corporate, with a maximum penalty of $220,000 for all contraventions that occur on a single day.

Where a court has previously found contravention of the particular provision and the entity has contravened subsequent to the court finding, the amounts are five times higher.

Additional penalty provisions in the Act relate to -

  • failure to include accurate sender information
  • failure to include a functional unsubscribe capability
  • supply, acquisition and use of address harvesting software and harvested lists
  • aiding, abetting or otherwise being a party to such a contravention.

The maximum penalties that a court may impose for sending commercial messages without an unsubscribe facility or with inaccurate sender information, or for a contravention of the harvesting provisions, are -

  • $1,100 per contravention for an individual (with a maximum penalty of $22,000 for all contraventions that occur on a single day)
  • $5,500 per contravention for a body corporate (with a maximum penalty of $110,000 for all contraventions that occur on a single day)

Where a court has previously found contravention of the particular provision and the entity has contravened subsequent to the court finding, the amounts are five times higher.

A crucial question is whether the ACA will have the resources - and more broadly, the will - to actively enforce the legislation rather than relying on community education campaigns and industry initiatives such as the IIA NoSpam program. In discussing the federal Privacy Act, for example, we've noted criticisms that the Privacy Commissioner's office is under-resourced and apparently slow to act. The final page of this profile looks at education, industry initiatives, litigation and responses. In November 2003 the Government forecast that

implementation of the regulatory and legal measures proposed in this Bill and the Spam Consequentials Bill will require an additional expenditure of $0.3M in the 2003-4 financial year, $1.5M in the 2004-5 financial year, and $1.6M in the 2005-6 financial year ie. a total of $3.4M over this period

Arguably that's not a significant amount given the real costs to the economy and community of inaction regarding spam.

The Act features standard 'search & seizure' provisions regarding evidence (eg access under warrant to premises and dealing with encrypted information on devices believed to have been used for spamming). The Spam (Consequential Amendments) Act provides the ACA with investigatory powers relating to breaches of the Spam Act and its regulations, based on Parts 26 and 27 of the Telecommunications Act. Action under search warrants relating to breaches of the Act and regulations is based on Part 28 of the Telecommunications Act.






version of December 2003
© Caslon Analytics