Existing Legal Framework
Privacy
Privacy Act
21. The Privacy Act 1993 already provides suitable rules against the collection, transfer and use of electronic address information (email address, SMS number, fax number etc) pertaining to an individual, without their consent or knowledge. However, this is dependent on how the information is collected, from where it is collected, and how it is used.
22. Information privacy principle 3 provides that when an agency collects personal information directly from the individual concerned, that individual must be made aware of:
- the fact that information is being collected (i.e. no secret copying of email addresses);
- the purpose for which the information is being collected;
- the intended recipients of the information; and
- the name and address of the agency collecting the information and that will hold the information.
Individuals must also be told of their rights of access to and correction of information held. "Correction" may include deletion (e.g. deletion from a mailing list).
23. Principle 4 provides that an agency shall not collect personal information by unlawful means, or by means that, in the circumstances, are unfair or intrude unreasonably upon the personal affairs of the individual concerned.
24. Principles 10 and 11 control use and disclosure. In essence they limit agencies to using and disclosing information they hold to the purposes for which they obtained the information unless the individual consents to some other use, or an exception set out in the principles applies. For example, a company that amasses customers' email addresses for some legitimate purpose can't simply sell those to marketers unless they've complied with the principles (e.g. by telling customers at the outset of their practice or by getting authorisation later).
25. It is important to note that personal information about an individual can be collected, traded and used from publicly available registers and other publications, such as the motor vehicle register, with or without the permission of the individual.
26. In addition, the Privacy Act only applies to natural persons. The "privacy" of corporate entities is not protected by the Privacy Act. Although corporate entities have some allied interests in controlling their data and preserving confidentiality, it has not generally been seen as appropriate to apply privacy laws to non-natural persons.
27. The main way that compliance with the Privacy Act is enforced is by individual complaints to the Privacy Commissioner which are then investigated, conciliated and settled. Cases that don't settle can lead to civil proceedings before the Human Rights Review Tribunal. Remedies are available for actions that constitute an "interference with privacy". This requires not only a breach of a privacy principle but also some evidence of harm to a particular individual.
28. While individual complaints and proceedings may sometimes be appropriate, this is not likely to provide a very effective means of addressing a mass problem such as spam. Although the collective harm may be great, the ability to quantify harm to an individual complainant may be quite difficult. The Privacy Act does allow for class actions, although successfully pursuing those may be difficult and costly.
29. The Privacy Act would seem to have limited use as a means for addressing the spam problem due to the exceptions to key principles, the manner of enforcement and its application to natural persons only.
Harassment
Harassment Act
30. It has been suggested that the civil harassment regime under the Harassment Act 1997 potentially covers acts of spamming.
31. The object of the Harassment Act is
…to provide greater protection to victims of harassment by -
(a) Recognising that behaviour that may appear innocent or trivial when viewed in isolation may amount to harassment when viewed in context; and
(b) Ensuring that there is adequate legal protection for all victims of harassment.
32. Section 3(1) of the Harassment Act states that:
(1) For the purposes of this Act, a person harasses another person if he or she engages in a pattern of behaviour that is directed against that other person, being a pattern of behaviour that includes doing any specified act to the other person on at least 2 separate occasions within a period of 12 months.
33. The term "specified act", in relation to a person, is defined in section 4(1) of the Act as including the following:
(d) Making contact with that person (whether by telephone, correspondence, or in any other way):
(f) Acting in any other way -
(i) That causes that person ("person A") to fear for his or her safety; and
(ii) That would cause a reasonable person in person A's particular circumstances to fear for his or her safety.
34. There are a number of difficulties in seeking to apply the Harassment Act to the problem of spam. The two principal difficulties would appear to be: first, while spam is generally acknowledged to be a nuisance, it is, in general, of a different character than harassment; and second, the Harassment Act works on the basis of individual victims obtaining a civil court order against a named respondent after the repetition of an act, which would be unworkable in relation to most spam.
35. While consideration has been given to using the Harassment Act as a basis for legislating against spam, stand alone legislation seems a more suitable option given the different purposes of the Harassment Act and anti-spam legislation.
36. The Harassment Act would, however, be a useful complement to any legislation against spam as it gives individuals legal protection against personal emails causing distress to the recipient.
Transparency
37. No existing legislation covers the spam issue of transparency - invalid sender addresses (both physical and electronic), no unsubscribe function and misleading/inaccurate headers and subject lines on commercial messages.
Misuse/Abuse of Computing Resources
38. There appears to be adequate coverage under the Crimes Amendment Act (No 6) 1999 of the misuse or abuse of computing resources applicable to spam, for example denial of service (DoS) attacks and the transporting of viruses such as the Sobig.F worm.
3. Do you consider existing privacy protections in this area sufficient?