European Commission: Fight against Spam, Spyware and Malicious Software

IRIS 2007-1:1/38

Lennert Steijger

Institute for Information Law (IViR), University of Amsterdam

In a new Communication “On Fighting spam, spyware and malicious software”, issued on 15 November 2006, the European Commission states that more efforts are needed for fostering the reliability and security of electronic communications networks and services than have been undertaken so far.

Pointing to the fact that spam accounts for 50% to 80% of messages addressed to end-users and that spam and malicious software cost up to EUR 50 billion worldwide in 2005, and further emphasising the increasingly fraudulent and criminal nature of unsolicited e-mail, the Commission encourages Member States to turn to a more rigorous enforcement of existing legislation, in particular that based on Directive 2002/58 on Privacy and Electronic Communications. It referred to the Dutch telecommunications regulatory authority OPTA - which managed to cut back domestic spam by 85% with only five full-time employees and a budget of EUR 570 000 - as an example of how a lot can be achieved with moderate means.

The Commission proposes that action be taken at three levels. First of all Member States are urged to realise effective enforcement by coordinating national agencies involved in fighting spam, involving market players and drawing on their expertise and available information, providing for adequate resources, and contributing in international contexts. Secondly, companies are invited to ensure that information standards for the purchase of software applications is in accordance with data protection law, and to combat illegal use of software in advertisements. E-mail service providers are invited to apply effective filtering policies. Thirdly, at the EU level, the Commission will inter alia continue efforts in raising awareness and in promoting cooperation between stakeholders. It will also continue to develop agreements with third countries. In addition, it intends to revise the current legislative framework and to introduce new legislative proposals at the beginning of 2007 to strengthen user privacy and security. The proposals may entail obligations for service providers to notify security breaches, and to implement adequate security policies. Member States may be required to ensure that any person or organisation with a legitimate interest in combating infringements under the ePrivacy Directive may take legal action and bring such infringements before a national regulatory authority. The Commission will monitor the implementation of these actions and assess by 2008 whether additional action is needed.