BestPrac.Org
Stop Spam : Best Practice in Email
Spam Prevention and Eradication
Anti Spam Laws -
Australian Spam Law:
The Australian Spam Act 2003 and the Spam (Consequential
Amendments) Act 2003 became operative on 11 April 2004.
As in many other countries, before specific anti-spam laws were
introduced, other areas of law had the potential to deal with spam.
The difficulty of getting the Courts up to speed on quickly evolving
technology issues, the untested nature of some of the possible avenues
of redress and the high costs of such litigation meant that reliance
on existing laws was very impractical.
Prior to the 'Spam Act 2003', the Internet Society's Australian branch
published a very detailed overview of the legal developments in spam law in Australia,
written by Perth lawyer and technology consultant, Jeremy Malcolm. An
extract from the 'Conclusion' in that paper summed up the position
quite neatly:
- It is difficult to resist the conclusion that the law
as it stands is ill-equipped to respond to the challenge of spam, and
that law reform of some nature will be required.
An important part of the subsequent Australian 'Spam Act
2003' is that it does not only apply to Australian spammers. It also
applies to spam sent from overseas, with Australia negotiating
multilateral agreements with other nations to restrict spam that
originates from overseas.
The Australian spam legislation provides for an "opt-in"
approach to bulk commercial emailing. Although consent is mandatory,
consent is defined in the Act as being either "express consent" or
"implied consent". It provides for numerous types of organisations to
be exempted from the Spam Act. It provides minimal private course of
redress, leaving enforcement to a Federal Government agency - the
Australian Communications and Media Authority, aka ACMA.
Some criticism of the powerful investigatory powers
given to the ACMA has been raised, claiming unreasonable potential for
infringement of civil liberties. Opposition amendments to the
legislation in Parliament to soften those provisions were defeated.
Summary of the Major Provisions of the Australian 'Spam
Act 2003' and related Spam Legislation:
- It is illegal to send, or cause to be sent,
unsolicited commercial electronic messages. The Act covers email,
instant messaging, SMS and MMS of a commercial nature. (It does not
cover faxes, internet pop-ups or voice telemarketing.)
- The offence need not be "bulk" sending of the spam. A
single message to a single recipient is theoretically an offence.
- The Act covers messages that are sent:
  - from Australia; or
  - by senders who:
    - are physically present in Australia; or
    - are organisations with central management and
      control (board meetings) in Australia; or
  - to computers in Australia (including the
    recipient’s personal computer); or
  - to recipients who read the message when they:
    - are physically present in Australia; or
    - are organisations carrying on business in
      Australia.
- The following organisations are exempt from the Spam
Act on the proviso that the message sent by these organisations must
relate to goods or services and the sender must be the supplier of
those goods or services:
  - government bodies
  - registered political parties
  - charities
  - religious organisations
  - educational institutions (for messages sent to
    current and former students).
- All commercial messages must contain accurate
information about the message's originator. (The originator need not
necessarily be the sender. It is the individual or organisation that
authorised the message.) Such information must be likely to remain
current for at least 30 days from the sending of the message.
- All messages must contain a functional 'unsubscribe'
facility that is reasonably expected to work for at least 30 days after
the sending of a message, and must be free of charge.
- An "opt-out" request must be honoured within 5
working days.
- While the legislation does not compel an "opt-in"
approach, it still does compel consent. Consent may be either "express
consent", or "implied consent" - for example, where there is an
existing relationship or where a website publishes an email address and
invites relevant correspondence.
- The Act provides specific protection for businesses
using a "closed loop confirmation process" (aka confirmed opt-in) for
subscriptions, though the unsubscribe requirements still apply.
- The Act prohibits the supply, acquisition or use of
software that 'harvests' email (or other electronic) addresses from the
internet for the purpose of sending spam.
- The sale, purchase or other forms of provision,
acquisition or use of address lists to send spam is prohibited.
- It is an offence to aid, abet or otherwise be
knowingly involved in any contravention of the Act.
The related area of spamming via zombie computers, or
the use of 'botnets' is covered under other legislation. Under the "Criminal
Code 1995" it is illegal for any person or
organisation to remotely use and control another person’s computer
without their knowledge or consent. Related offences such as writing or
being in possession of botnet code and other offences are also covered
by the "Criminal Code 1995". The ACMA refers botnet activities to the
Australian High Tech Crime Centre or the relevant state or territory
police force.
Penalties for breaches of the Australian
'Spam Act':
The ACMA has three options for penalising offenders
under the Spam Act 2003:
Firstly, the ACMA may issue a
Formal Warning. It is likely to issue a
formal warning when an offence is considered to be inadvertent,
relatively minor and one-off;
Secondly, the ACMA may issue an
Infringement Notice. Under the Infringement
Notices system, the penalties for sending spam are:
- $440 per contravention for an individual (to a daily
maximum of $22,000)
- $2,200 per contravention for a corporation (to a
daily maximum of $110,000)
Infringement Notice penalties for other related offences, such as
sending messages without a working unsubscribe mechanism, or incorrect
sender details, or contravention of the harvesting provisions, are:
- $220 per contravention for an individual (to a daily
maximum of $11,000)
- $1,100 per contravention for a corporation (to a
daily maximum of $55,000)
Thirdly, the ACMA may institute
Court Proceedings. Court proceedings are most
likely to be used where an infringement notice is disputed or where a
person/corporation is a repeat offender or a large-scale offender.
Maximum penalties a Court may impose on a first-time offender for
sending spam are:
- $2,200 per contravention for an individual (to a
daily maximum of $44,000)
- $11,000 per contravention for a corporation (to a
daily maximum of $220,000)
- Forfeiture of profits derived from spamming
- Compensation to any person/entity that has suffered
loss or damage as a result of breaches of the Act.
The maximum penalty for repeat offenders of a particular
provision is five times those amounts (i.e. up to $220,000 for an
individual and up to $1,100,000 for a corporation).
The maximum penalties a Court may impose for other
related offences, such as sending messages without a working
unsubscribe mechanism, or incorrect sender details, or contravention of
the harvesting provisions, are:
- $1,100 per contravention for an individual (to a
daily maximum of $22,000)
- $5,500 per contravention for a corporation (to a
daily maximum of $110,000)
The maximum penalty for repeat offenders of a particular
provision is five times those amounts (i.e. up to $110,000 for an
individual and up to $550,000 for a corporation).
Botnet related penalties under the "Criminal Code 1995":
Unauthorised access and modification of data via a
carriage service. For example, accessing another person’s computer to
install a bot.
- A two year maximum prison sentence
Unauthorised modification of data via a carriage
service. For example, installing a bot on another person’s computer.
- A 10 year maximum prison sentence
Possession of data with intent to commit a computer
offence. For example, possession of bot binaries and exploiting tools
or installers.
- A three year maximum prison sentence.
Producing, distributing or obtaining data with intent to
commit a computer offence. For example, writing bot code or selling
bot code, or similar actions.
- A three year maximum prison sentence.
Reporting Violations:
The Australian Communications and Media Authority
encourages Australian internet users to report spam to them. There are
three ways you may do this:
- If you have Microsoft Outlook or Outlook Express as
your email software, a free download called "SpamMATTERS" is
available that plugs in to your email software and enables you to give
a single-click on a spam to both report it to the ACMA and to delete it
from your inbox.
- If you don't use Outlook or Outlook Express, you can
still report spam by registering
online for a 'key'. You can then report spam to a
dedicated ACMA email address.
- You can also submit spam manually to ACMA by
completing an online spam submission form.
Presumably, non-Australian internet users would also be
encouraged to submit any spam to the ACMA via these methods if the spam
has a clearly Australian connection, such as the sender, the IP address
or it is promoting an Australian business.
Disclaimer:
The above is given in summary form only. It is not a
comprehensive statement of every aspect of spam law in Australia or of
the 'Spam Act 2003'. This page is for informational and educational
purposes only and does not constitute legal advice. Please make your
own enquiries and seek your own legal advice before relying on any
statements made herein.