Spam Act

73.161 The Spam Act prohibits the sending of commercial electronic messages via email, SMS, multimedia message service or instant messaging without the consent of the receiver. Accordingly, it establishes an opt-in regime that is different from the provisions governing the use of information for direct marketing in the Privacy Act.[191]

73.162 The definitions of ‘consent’ in the Privacy Act and the Spam Act are broadly consistent. The Privacy Act provides that ‘consent’ means ‘express consent or implied consent’.[192] Under the Spam Act, however, consent can be express and inferred, although it may not be inferred from the mere publication of an electronic address.[193] Consent can be inferred from ‘conspicuous publication’ of certain electronic addresses, such as the electronic addresses of employees, directors or officers of organisations, so long as the publication is not accompanied by a statement to the effect that the account holder does not wish to receive unsolicited commercial electronic messages.[194] Regulations may specify in more detail the circumstances in which consent may or may not be inferred.[195] Consent can be withdrawn if the account holder or a user of the account indicates that he or she does not wish to receive any further commercial electronic messages.[196]

73.163 The Spam Act does not prohibit sending ‘designated commercial electronic messages’. A commercial electronic message is a ‘designated commercial electronic message’ if it consists of no more than factual information,[197]or the message is authorised by:

  • a government body, registered political party, religious organisation, a charity or charitable institution, and the message relates to goods or services, and the body is the supplier, or prospective supplier, of the goods or services concerned;[198] or

  • an educational institution, and the account holder is, or has been, enrolled as a student in that institution or is a member or former member of the household of the relevant electronic account holder and is, or has been, enrolled as a student in that institution, and the message relates to the supply of goods or services, and the educational institution is the supplier, or prospective supplier, of the goods or services concerned.[199]

73.164 The Spam Act requires lawful commercial electronic messages to contain certain information, such as information about the identity and contact details of the sender.[200] It also provides that a person must not send a commercial electronic message unless the message includes a statement to the effect that the recipient may use an electronic address set out in the message to send an unsubscribe message to the individual or organisation who authorised the sending of the message, or a statement to a similar effect.[201] The requirement to include an unsubscribe message does not apply to designated commercial electronic messages.[202]

73.165 The Spam Act also contains rules prohibiting the supply and use of ‘address-harvesting software’[203]—that is, software that is used to search the internet for electronic addresses to compile or ‘harvest’.[204] Ordinary telephone calls and facsimile communications are not covered by the Act.[205] ACMA has a range of powers to enable it to enforce the provisions of the Spam Act.[206]

73.166 Two industry codes dealing with spam have been developed under the Telecommunications Act since the introduction of the Spam Act. These are the Australian eMarketing Code of Practice[207]and the Internet Industry Code of Practice.[208] These codes are intended to complement the operation of the Spam Act by outlining action to be taken by industry members to help to counter spam.

73.167 In 2006, the Federal Court of Australia delivered the first significant decision dealing with the Spam Act. In Australian Communications and Media Authority v Clarity1 Pty Ltd, the Court found that the respondents (Clarity1 and the company’s director, Wayne Mansfield) had sent tens of millions of messages to recipients whose email addresses had been obtained by the use of harvested address lists.[209] The respondent raised a number of defences which were unsuccessful, including that the recipients of the messages had consented to the sending of the messages because they failed to use the ‘unsubscribe facility’ in the messages.

73.168 The respondents sought to rely on the OPC’s Guidelines to the National Privacy Principles, which provide in relation to NPP 2 that ‘it may be possible to infer consent from the individual’s failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up’.[210] Nicholson J did not accept this argument, finding that non-legislative guidelines do not assist in the interpretation of legislation. Nicholson J also held that the inclusion of an unsubscribe facility in a commercial electronic message does not support an inference that a recipient consented to receiving a message by failing to use the facility.[211]

73.169 In its review of the private sector provisions of the Privacy Act (OPC Review), the OPC indicated it would discuss with the Australian Communications Authority (ACA) (now ACMA) the development of guidance to clarify the relationship between the Privacy Act and the Spam Act.[212]

73.170 In 2006, DCITA concluded a review of the operation of the Spam Act.[213] DCITA found that the Act was operating successfully and should not be amended. It recommended, however, that additional advice be developed on the operation of certain aspects of the Act. It also recommended that steps be taken to educate the public about the operation of the Act. To this end, it recommended that the OPC and ACMA develop ‘joint awareness materials to clarify the relationship between the Spam Act and the Privacy Act’.[214] DCITA also recommended that the Australian Government undertake further consultation to determine whether facsimile communications should be regulated by the Spam Act.

73.171 In DP 72, the ALRC noted that a number of stakeholders had raised issues relating to the Spam Act. Stakeholders submitted that the Spam Act and the Privacy Act were inconsistent because the Spam Act adopts an opt-in model, while the Privacy Act provides an opt-out model for direct marketing. Stakeholders also submitted that the Spam Act and the Privacy Act take different approaches to consent, and that consideration should be given to whether the Spam Act should regulate Bluetooth messages.[215]

73.172 The ALRC expressed the preliminary view that the Spam Act is an appropriate response to public concern about unsolicited commercial electronic messages. The ALRC noted, however, that it was interested in views on whether the Spam Act should be amended to:

  • provide that the definition of ‘electronic message’ under s 5 includes Bluetooth messages;

  • provide that facsimile messages are regulated under the Act;

  • provide that an electronic message is required to include an unsubscribe message if the electronic message: consists of no more than factual information; has been authorised by a government body, a registered political party, a religious organisation, a charity or charitable institution, or an educational institution, and relates to goods or services; or

  • remove the exception for registered political parties.[216]

Submissions and consultations

73.173 The DBCDE submitted that the ALRC’s question appears to go beyond the scope of the ALRC’s Terms of Reference, and suggested that the ALRC may wish to refrain from further examination of the Spam Act. The Department noted that the prohibition in the Spam Act on unsolicited commercial electronic messages applies to messages sent to private individuals, organisations, government agencies and businesses.

The possible amendments in relation to which the ALRC is seeking comment would therefore have a much broader impact than just affecting privacy law. In particular, the amendments would impact on business to business dealings and business to Government dealings.[217]

73.174 The DBCDE also noted that the review of the Spam Act included consideration of the issues raised by the ALRC,[218] and that it is reviewing whether the scope of the Spam Act should be extended to cover facsimile messages.[219]

73.175 A number of stakeholders supported Bluetooth messages being regulated under the Spam Act.[220] Others stakeholders did not support this reform.[221] For example, ACMA highlighted that consumers can control the receipt of Bluetooth messages to a greater extent than SMS or email, without losing functionality.[222] The DBCDE submitted that a commercial electronic message needs to be sent to an address connected with an account to be regulated under the Spam Act. With Bluetooth technology, however, the device itself and not an account is used to receive the message. The Department also noted that it is not aware of widespread public concern in relation to the volume or impact of commercial electronic messages sent to Bluetooth devices.[223]

73.176 Some stakeholders supported facsimile messages being regulated under the Spam Act.[224] Other stakeholders stated that they were unaware of any significant issues with the use of facsimile messages for marketing purposes to warrant any legislative or regulatory action.[225] The DBCDE noted that it is considering this issue.[226]

73.177 A number of stakeholders supported the notion that a wider range of messages—including messages that consist of no more than factual information, or that have been authorised by a government body, a registered political party, a religious organisation, a charity or educational institution—should include an unsubscribe facility.[227] Other stakeholders submitted that amending the Spam Act so that purely factual messages must include an unsubscribe facility would have a detrimental impact on customer service.[228] The DBCDE noted that submissions to the review of the Spam Act indicated that there is little community concern about these kinds of messages.[229]

73.178 Some stakeholders supported the removal of the registered political party exemption from the Spam Act.[230] The DBCDE submitted, however, that the exemption is consistent with other exemptions in the legislation which seek to balance the ability of organisations that undertake socially important work in the ‘public interest’ and the rights of individuals to privacy. The DBCDE submitted that messages from political parties typically take place during a limited period, such as during an election campaign. The Department also noted that the removal of the exemption was examined by the Spam Act review, which found that the exemption has caused few difficulties in practice and recommended that it should be retained.[231]

ALRC’s view

73.179 The ALRC does not make any recommendations to amend the Spam Act, as these issues were recently considered in the review of the Act. Further, the DBCDE is considering whether the scope of the Act should be extended to cover facsimile messages.

73.180 The Spam Act is an appropriate response to public concern about unsolicited commercial electronic messages. There is some confusion, however, about the interaction between the Privacy Act and the Spam Act. The ALRC recommends below that ACMA, in consultation with relevant stakeholders, should develop and publish guidance relating to privacy in the telecommunications industry, including guidance on the interaction between the Privacy Act and the Spam Act.

73.181 The ALRC notes stakeholder concerns about the different approaches to consent under the Privacy Act and the Spam Act. The guidance should address the requirements to obtain an individual’s consent for the purposes of the Privacy Act and the Spam Act—including how it applies in various contexts and when it is appropriate to use the mechanism of ‘bundled consent’.[232]

[191] Spam Act 2003 (Cth) s 16. Direct marketing is discussed further in Ch 26.

[192] Privacy Act 1988 (Cth) s 6.

[193] Spam Act 2003 (Cth) sch 2 cl 4. Consent is discussed further in Ch 19.

[194] Ibid sch 2 cl 4.

[195] Ibid sch 2 cl 5.

[196] Ibid sch 2 cl 6.

[197] Ibid sch 1 cl 2.

[198] Ibid sch 1 cl 3.

[199] Ibid sch 1 cl 4.

[200] Ibid s 17.

[201] Ibid s 18.

[202] Ibid s 18(1)(b).

[203] Ibid pt 3.

[204] Ibid s 4.

[205] Ibid s 5(5); Spam Regulations 2004 (Cth) cl 2.1.

[206]Spam Act 2003 (Cth) pt 4; Telecommunications Act 1997 (Cth) pt 28. See also Australian Government Department of Communications‚ Information Technology and the Arts, Report on the Spam Act 2003 Review (2006), ch 11.

[207] Australian eMarketing Code Development Committee, Australian eMarketing Code of Practice (2005).

[208] Internet Industry Association, Internet Industry Spam Code of Practice (2006).

[209] Australian Communications and Media Authority v Clarity1 Pty Ltd (2006) 150 FCR 494.

[210]Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles (2001), 37.

[211] Australian Communications and Media Authority v Clarity1 Pty Ltd (2006) 150 FCR 494, [80].

[212] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 11.

[213] Australian Government Department of Communications‚ Information Technology and the Arts, Report on the Spam Act 2003 Review (2006).

[214] Ibid, rec 22.

[215] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [64.79]–[64.85].

[216]Ibid, Question 64–6.

[217]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[218]Australian Government Department of Communications‚ Information Technology and the Arts, Report on the Spam Act 2003 Review (2006).

[219]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[220]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[221]Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[222]Australian Communications and Media Authority, Submission PR 522, 21 December 2007.

[223]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[224]Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; S Hawkins, Submission PR 382, 6 December 2007.

[225]Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007.

[226]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[227]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; I Graham, Submission PR 427, 9 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[228]Optus, Submission PR 532, 21 December 2007; Telstra Corporation Limited, Submission PR 459, 11 December 2007. See also Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[229]Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[230]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; I Graham, Submission PR 427, 9 December 2007.

[231]Australian Government Department of Communications‚ Information Technology and the Arts, Report on the Spam Act 2003 Review (2006); Australian Government Department of Broadband‚ Communications and the Digital Economy, Submission PR 512, 21 December 2007.

[232] See discussion of bundled consent in Ch 19.