Australian Spam Law: Features

Ketupa

framework

features

New Zealand

prosecutions

codes

related
Guides:

Security &
InfoCrime

Governance

Networks

Censorship &
Free Speech

related
Profiles:

Messaging

forgery

Adult Content industry

Aust
Constitution
& cyberspace

features

This page discusses features of the Australian anti-spam legislation.

It covers -

coverage
the sender
weak opt-out
harvesting
exclusions
industry codes
penalties & enforcement

coverage

The Act prohibits sending - or causing to be sent - unsolicited commercial electronic messages that have an Australian link. It prohibits sending commercial electronic messages to a non-existent address that would have an Australian link if the address existed. The Act prohibits action to aid, abet or otherwise be party to a contravention of the legislation.

The legislation is intended to prohibit -

spam that originates in Australia, irrespective of whether it is sent to an Australian address or overseas
spam that originates overseas and is sent to an address accessed in Australia

It assumes that Australia will conclude multilateral arrangements with other nations to restrict spam that originates overseas, with regulations under the Act giving effect to those agreements once in place. A particular emphasis is likely to concern agreements with South Korea, China, Romania and other eastern european states, and the US (ie regimes where regulation and business practice and where technological weaknesses such as inattention to open relays is common).

As we have discussed in the Governance guide on this site, Australian law does not extend beyond the nation's borders and extraterritorial enforcement of the Act is problematical. The legislation does, however, send a signal to Australians and the international community.

     the sender

A major concern in dealing with spam is that it is attributed to addresses that do not exist or are false. That is a particular issue where recipients are invited to 'unsubscribe' from junk messages, with the address for unsubscription either being inactive or simply sending a signal to the spammer (and associates) that the recipient's address is live and can therefore be deluged with more spam.

The Act accordingly requires that all commercial electronic messaging contain accurate information about the message's originator.

That originator is the entity (an individual or organisation) that authorised the sending of the message, irrespective of whether the entity actually sent the message or arranged for its despatch on behalf of that entity.

The information must be reasonably likely to remain correct for up to 30 days after despatch of the message.

There is no requirement that the message be identified with an 'ADV' or other flag in the title (eg facilitating filtering by recipients and ISPs), construed as a requirement of the 2000 EU Electronic Commerce Directive and 2002 Directive on Privacy & Electronic Communications.

     weak opt out

As we have noted in discussing spam, much debate about its management has centred on the claimed virtues of 'opt in' versus 'opt out' approaches.

Some proponents argue that messages should only be sent when the recipient has actively indicated that the messages are welcome, with that indication generally being on a sender by sender basis - the 'opt in' approach.

Others suggest that it is sufficient to allow reciptients to signal that they wish to 'unsubscribe' from particular mailing lists/databases - the 'opt out' approach in which the recipient is tacitly fair game unless signalling 'no'. Proposed opt-out legislation in South Korea was interpreted by its spammers as simply legitimising spam, a reason for caution in acclaiming the October 2003 announcement of an anti-spam agreement between Australia and South Korea.

Major marketers, seeking to leverage their advantage regarding smaller competitors, have suggested creation of a 'white list' of approved senders, accompanied by filtering by internet service providers and recipients. The suggestion poses competition concerns and has been questioned because of historic poor practice by individual enterprises and industry bodies such as the US Direct Marketing Association and UK Advertising Standards Authority.

The Act stipulates that all commercial electronic messaging contain a functional 'unsubscribe' facility to allow people to opt out from receiving messages from that source in the future.

That facility must be reasonably likely to be able to receive and enable action to unsubscribe messages for a period of 30 days after the sending of the message.

A request to opt out must be honoured within five working days to avoid future breaches of the legislation.

The Act provides that acceptable examples of the unsubscribe facility will be specified by regulation and may vary between technologies. The Spam Regulations 2004 of 8 April 2004 (here) specify conditions regarding the the functional unsubscribe facility, including use of premium services, costs and fees.

     harvesting

The Act 2003 prohibits the supply, acquisition or use of software that 'harvests' electronic addresses from the internet for the purpose of sending spam. As with copyright anti-circumvention technology, the emphasis here is on intentional misuse.

Provision, acquisition or use of address lists to send spam is prohibited.

     exclusions

The Act features significant exclusions regarding "currently accepted government, business and commercial practices".

These include messages from -

government agencies
religious organisations
registered political parties
charities
educational institutions directed to current/former students and their households

where the message relates to goods or services, and the entity authorising the message is the supplier of the goods or services. It is assumed that trade unions, professional associations and other bodies have a prior relationship with recipients and would thus not be affected by infringement provisions.

"Purely factual" messages are also excluded from the legislation, although the sender must include accurate information about the message's originator. The expectation is that such messages will encompass news services.

industry codes

The legislation reflects the past decade's emphasis on 'co-regulation' in telecommunications.

The Australian Communications & Media Authority (ACMA) - the national telecommunications regulator that replaced the Australian Communications Authority (ACA) and Australian Broadcasting Authority in 2004 - facilitates development of formal Industry Codes that "complement and are consistent with" the legislation. That role is identified in the Spam (Consequential Amendments) Act, amending Part 6 of the Telecommunications Act.

The expectation is that those Codes - similar to Codes under the federal Privacy Act - will provide relevant and achievable standards and procedures to assist compliance with the legislation. NOIE will assist the 'excluded' entities (eg government agencies and recognised religious bodies) in development of best practice guidelines regarding responsible electronic messaging practices. The Australian Communications Industry Forum (ACIF) has published a draft guideline on speam, ie SMS spam.

The codes are discussed in more detail in the final page of this profile.

penalties and enforcement

The Act is enforced by the ACA (now ACMA) in the first instance. Penalties involve two levels -

infringement notices by the ACA
penalties imposed by courts under the legislation

ACMAA may choose to issue a formal warning, rather than issue an infringement notice or initiate a full court proceeding. Typically that would be done where it was satisfied that contravention was largely inadvertent and would not be repeated, or in cases where a warning would suffice to change the contravening behaviour.

ACMA may choose to issue infringement notices for contraventions of the legislation, instead of initiating a full court proceeding. A negative response to an infringement notice would incur court action. If the contravention was proven during that litigation the infringer might be penalised at a higher rate than the infringement notice.

Infringement notice penalties for sending spam are

$440 per contravention for an individual (with a maximum of $22,000 for all contraventions that occur on a single day)
$2,200 per contravention for a body corporate (with a maximum of $110,000 for all contraventions that occur on a single day).

Infringement notice penalties for sending commercial messages without an unsubscribe facility or inaccurate sender information, or for a contravention of the harvesting provisions are half of those amount.

ACMA may initiate a court action regarding breach of the legislation. If a contravention is found to have occurred, ACMA may apply to the court to order the person or organisation involved to pay a penalty and to surrender any financial benefit gained in the course of contravening activity. Any person who has suffered loss or damages from an entity's breach of the Act may apply to the court to make an order for compensation. ACMA may also apply on behalf of that person.

The main court-imposed penalties for spamming cover

sending unsolicited commercial electronic messaging
sending commercial electronic messages to a non-existent address
aiding, abetting or otherwise being a party to such a contravention.

Maximum penalties that might be imposed by a court for sending spam are

$2,200 per contravention for an individual, with a maximum penalty of $44,000 for all contraventions that occur on a single day
$11,000 per contravention for a body corporate, with a maximum penalty of $220,000 for all contraventions that occur on a single day.

failure to include accurate sender information
failure to include a functional unsubscribe capability
supply, acquisition and use of address harvesting software and harvested lists
aiding, abetting or otherwise being a party to such a contravention.

The maximum penalties that a court may impose for sending commercial messages without an unsubscribe facility or inaccurate sender information, or for a contravention of the harvesting provisions are -

$1,100 per contravention for an individual (with a maximum penalty of $22,000 for all contraventions that occur on a single day)
$5,500 per contravention for a body corporate (with a maximum penalty of $110,000 for all contraventions that occur on a single day)

Where a court has previously found contravention of the particular provision and the entity has contravened subsequent to the court finding, the amounts are five times higher.

A crucial question at the time of passage of the legislation was whether the ACA would have the resources - and more broadly, the will - to actively enforce the legislation rather than relying on community education campaigns and industry initiatives such as the IIA NoSpam program.

In discussing the federal Privacy Act, for example, we've noted criticisms that the Privacy Commissioner's office is under-resourced and apparently slow to act. The final page of this profile looks at education, industry initiatives, litigation and responses.

In November 2003 the Government forecast that

implementation of the regulatory and legal measures proposed in this Bill and the Spam Consequentials Bill will require an additional expenditure of $0.3M in the 2003-4 financial year, $1.5M in the 2004-5 financial year, and $1.6M in the 2005-6 financial year ie. a total of $3.4M over this period

Arguably that is not a significant amount given the real costs to the economy and community of inaction regarding spam.

The Act features standard 'search & seizure' provisions regarding evidence (eg access under warrant to premises and dealing with encrypted information on devices believed to have been used for spamming). The Spam (Consequential Amendments) Act provides the ACA with investigatory powers relating to breaches of the Spam Act and its regulations, based on Parts 26 and 27 of the Telecommunications Act. Action under search warrants relating to breaches of the Act and regulations is based on Part 28 of the Telecommunications Act.

next page (New Zealand regulation)