Regulating spam: Directive 2002/58 and beyond

Abstract

This paper analyses the legal framework regulating unsolicited commercial communications or spam in the European Union. Our focus is on the Directive on privacy and electronic communications of July 12, 2002 (the E-Privacy Directive), as this directive has introduced new rules on the regulation of spam. The economic impact of spam is rising and so is the awareness of spam's cost to society. Secondly and not coincidentally, the attention of the legislator towards spam came to a peak during 2002-2003, with the EU adopting its E-Privacy Directive, with a transposition deadline of 31 October 2003, and the US adopting their CAN SPAM Act 2003. It is therefore fair to say that spam is currently also very much on the political agenda as lawmakers realize that junk e-mail has become a huge cost factor for businesses and a significant nuisance to voters. On a more general level, attempts to regulate spam pose questions that are very interesting for a number of reasons. First, the proliferation of spam in publicly available networks puts some communications law principles in a whole new light. For example, one of the classical ground rules used to be the obligation to transport all mail offered to the postal service provider indiscriminately. The twin principle of communications secrecy and the obligation to carry for a common carrier have evolved into an almost dogmatic aspect of the relevant field of law. Now that most or all of the communication service providers consist of private parties and now that their networks are overflowed with unsolicited e-mails, it is fair to take a new look at old principles. Also, as everybody concedes that the solution to spam is to be found in a combination of technology and law, the problem of how to cope with spam might shed light on the future development of the interaction between law and information technology. The fact that law and technology are intertwined and that law and information technology look at each other to provide answers is in a way symbolic of a lot of other problems of tech regulation. Our main research objective is to assess the practical legal consequences of the new regulatory regime. The question we therefore have to answer is: What are the consequences of the new regulatory regime of unsolicited communications, as introduced in (Article 13 of) the new E-Privacy Directive? To answer that question we have to answer a number of sub-questions. First of all, we need to compare the new regime with the legal landscape before the E-Privacy Directive. This requires us to assess the other relevant European Directives as well as related initiatives. Secondly, if we want to be able to say something about the consequences that the Directive will have, we will need to find out what the Directive does not regulate. In other words, we will have to find the gray areas or weak spots in the new regulation. We will also take a look at the definitions used in the Directive. Related but different is the question as to what margin of regulation is left to Member States. It is a question of EU law whether any room is left for national interpretation or national choices to be made in implementing new European legislation. Therefore we will have to map the space left for national choices. In order to make a valuable assessment of the new regime we will have to take a close look at the wording, exceptions and history of the main article of material law, Article 13. This implies an analysis of the meaning of Article 13's sections and their relation to other parts of the new regulatory framework. Article 13's relation with other sections of the E-Privacy Directive will subsequently be addressed. In order to evaluate the practical consequences, the next question we will have to answer is what new obligations the Directive has created for Member States, businesses and consumers and what consequences that has for liability issues.