Do European laws prevent a U.S. company from blocking spam?

Do European laws prevent a U.S. company from blocking spam?

Is it true that European laws prevent a U.S.-based company from blocking emails from European destinations that are fully and completely addressed, even if they're spam? Can you tell me about the law, where I can find more information on it and how I can work around this issue to stop email-related threats?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The Internet has had a major effect upon the question of jurisdiction. Historically, jurisdiction to prescribe law and adjudicate disputes has been based on territorial principles. Take U.S. direct mail, for example: anyone sending mail in the U.S. must understand and follow the U.S. laws covering the United States Postal Service and U.S. citizens. But what about an e-commerce transaction? For instance: a U.S. retailer transacting with a European citizen on American soil using a website powered by European servers in Europe. Which laws would apply to a dispute? There are currently no international laws that cover such complex cross-jurisdictional boundaries.

I am not aware of any E.U. laws that try to prevent U.S.-based organizations from blocking emails from European destinations. Blocking delivery of legitimate email from Europe would probably be a violation of some sort under international trade agreements covering restraint of trade. Even if there was a law, how would it be enforced? The E.U. certainly does not have jurisdiction over U.S. citizens or U.S. companies located in the United States. The E.U. and some of its members have been known to punish U.S. companies that violate its guidelines via fines or sanctions against their branch operations within the EU. To my knowledge, though, no company has been barred from operating; most issues are resolved long before reaching that point.

There is a U.S.-E.U. agreement called Safe Harbor that aims to protect E.U. citizens' personal data if it is handled by U.S. organizations. Safe Harbor is a set of principles similar to the E.U. Data Directive, the key piece of legislation governing unsolicited commercial email (UCE) in the E.U.

Its full title is Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive provides for a national "opt-out" list, which consumers can join if they wish to stop receiving UCE. But this means it is still legal for a firm to send UCE in the absence of an explicit consumer opt-in. There are several national opt-out lists across the E.U. countries, making an E.U.-wide email marketing campaign quite challenging.

One common requirement in the E.U. and U.S. is that UCE email must be clearly identified as advertising and provide opt-out instructions. Spam rarely meets any of these rules.

Companies that send a lot of UCE must ensure that they comply with these laws and industry best practices, particularly as ISPs are also looking to prevent abuse of their infrastructure by spammers. One interesting twist in this battle occurred a few years ago when Verizon Communications Inc. offered to compensate its DSL customers who failed to receive emails from a European address; its services allegedly had an over-aggressive spam-blocking mechanism. You could say anyone who pays for an email service has a right to receive their email, wherever it is from, as long as it has been sent from a genuine account and there is no reason to think it can cause damage to the ISP's infrastructure and service.

More information:

  • A SearchSeurity.com reader asks Michael Cobb, "Do BlackBerrys and other mobile devices put sensitive data at risk when used overseas?"
  • Get the latest news and expert advice on information security laws.

    • This was first published in January 2009