Ask the Expert

Do European laws prevent a U.S. company from blocking spam?

Is it true that European laws prevent a U.S.-based company from blocking emails from European destinations that are fully and completely addressed, even if they're spam? Can you tell me about the law, where I can find more information on it and how I can work around this issue to stop email-related threats?

    Requires Free Membership to View

    Login

The Internet has had a major effect upon the question of jurisdiction. Historically, jurisdiction to prescribe law and adjudicate disputes has been based on territorial principles. Take U.S. direct mail, for example: anyone sending mail in the U.S. must understand and follow the U.S. laws covering the United States Postal Service and U.S. citizens. But what about an e-commerce transaction? For instance: a U.S. retailer transacting with a European citizen on American soil using a website powered by European servers in Europe. Which laws would apply to a dispute? There are currently no international laws that cover such complex cross-jurisdictional boundaries.

I am not aware of any E.U. laws that try to prevent U.S.-based organizations from blocking emails from European destinations. Blocking delivery of legitimate email from Europe would probably be a violation of some sort under international trade agreements covering restraint of trade. Even if there was a law, how would it be enforced? The E.U. certainly does not have jurisdiction over U.S. citizens or U.S. companies located in the United States. The E.U. and some of its members have been known to punish U.S. companies that violate its guidelines via fines or sanctions against their branch operations within the EU. To my knowledge, though, no company has been barred from operating; most issues are resolved long before reaching that point.

There is a U.S.-E.U. agreement called Safe Harbor that aims to protect E.U. citizens' personal data if it is handled by U.S. organizations. Safe Harbor is a set of principles similar to the E.U. Data Directive, the key piece of legislation governing unsolicited commercial email (UCE) in the E.U.

Its full title is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive provides for a national "opt-out" list, which consumers can join if they wish to stop receiving UCE. But this means it is still legal for a firm to send UCE in the absence of an explicit consumer opt-in. There are several national opt-out lists across the E.U. countries, making an E.U.-wide email marketing campaign quite challenging.

One common requirement in the E.U. and U.S. is that UCE email must be clearly identified as advertising and provide opt-out instructions. Spam rarely meets any of these rules.

Companies that send a lot of UCE must ensure that they comply with these laws and industry best practices, particularly as ISPs are also looking to prevent abuse of their infrastructure by spammers. One interesting twist in this battle occurred a few years ago when Verizon Communications Inc. offered to compensate its DSL customers who failed to receive emails from a European address; its services allegedly had an over-aggressive spam-blocking mechanism. You could say anyone who pays for an email service has a right to receive their email, wherever it is from, as long as it has been sent from a genuine account and there is no reason to think it can cause damage to the ISP's infrastructure and service.

More information:

  • A SearchSeurity.com reader asks Michael Cobb, "Do BlackBerrys and other mobile devices put sensitive data at risk when used overseas?"
  • Get the latest news and expert advice on information security laws.

    • This was first published in January 2009

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top