Saturday, February 3, 2001

SPAM Costs Internet Users Billions a Year

Internet subscribers world-wide are unwittingly paying an estimated €10 billion (US $9.36 billion) a year in connection costs just to receive "junk" e-mails, according to a study undertaken for the European Commission. The study, which provides detailed information on the junk mail (or "spam") phenomenon in both the US and the European Union, forms part of the Commission's ongoing efforts to ensure that the development of the internet and e-commerce does not undermine Europe's rules on Internet privacy and data protection. Unless consumers feel their privacy is adequately protected, the on-line services that are so important to wealth and job creation in Europe are unlikely to flourish. The study also compares the different approaches adopted by EU Member States in implementing the EU Directives on data protection into national law. The study will help the Commission's work with Member States' data protection experts on assessing the implementation of EU data protection Directives. The findings will also be taken into account by the Commission when proposing updates to EU data protection legislation.

"The exponential growth of junk e-mail in recent years is a fact of life. Current technology allows a single cyber-marketing company to send half a billion personalised ad mails via the World Wide Web every day," says Frits Bolkestein, Internal Marketing Commissioner. "Consumer information gleaned from individual web transactions/consultations can be sold for large sums of money, and yet many individual subscribers are unaware of the scale and implications of these developments. In the interests of ensuring a Single Market in goods and services and the growth of cross-border trade, the Commission has a responsibility to ensure that the Data Protection Directives are fairly applied across the Union. We aim to encourage the continued development of internet services without weakening the individual's right to privacy."

Within the EU, data protection is enshrined in two Directives: 95/46/EC that lays down general rules, and 97/66/EC that lays down specific provisions to deal with data protection and privacy in the telecommunications sector.

The study's analysis of e-mail marketing concentrates on the most-developed market, the US, and details how, in response to the rapid growth of junk mail, the e-mail marketing industry is working with internet users towards systems of data collection and exchange based on the express permission of the user.

In looking at legal protection against junk mail or "spamming" in the EU, the study finds that the application of the concepts enshrined in the existing Directives are applied in different ways across the EU. Protection is afforded via either opt-outs (e.g. a box to tick if you do not wish to receive unsolicited information) or opt-ins (a formal request to receive such information). Opt-ins are required in Austria, Denmark, Finland, Italy and Germany.

The speed with which Internet technology is moving was recognised in an undertaking made in a Commission proposal of July 2000 to revise and update the Directive on data protection and privacy in the telecommunications sector (97/66/EC). This proposal favours the opt-in approach. This is supported by the study which found that, from the point of view of industry, "permission based marketing" is proving a more effective and viable method of data collection. The study also found that the opt-in approach would serve to bolster consumer confidence in the EU. Differences in how Member States apply the existing EU Directives risk, the study indicates, giving rise to potential barriers to the free movement of data within the Internal Market.

The Commission monitors the efficient operation of this legislation in close co-operation with Member States' data protection experts, who meet regularly in a Working Party established by the 1995 Directive (Article 29). In November 2000, the Working Party issued a formal opinion on the Commission proposal to update Directive 97/66 as well as a report on "Privacy and the Internet" that looked at two key areas: the industrial uses of data and the legal protection of data.

To date, the Commission has decided to bring Ireland, Luxembourg, France and Germany to the European Court of Justice for failure to notify the measures these administrations are taking to implement the provisions of 95/46/EC in national law the implementation deadline was October 1998.

Later this year, the Commission is due to prepare a report on the application of Directive 95/46/EC. This will take full account of the potential for technological developments, particularly in terms of data collection, to undermine the strong standards of protection laid down in the Directive.