1. This paper is based on the following- The Chamber's response to the earlier consultation paper on "Proposals to Contain the Problem of Unsolicited Electronic Messages", November 2004- Comments from members of the relevant Chamber committees- The Chamber's established position in other related policy areas, e.g. copyright.General comment2. In the Chamber's earlier paper of November 2004, we acknowledge that spamming has become a substantive problem for business, hence we support legislation to deal with specific abuses.The Chamber is not in favour of legislation, as the policing and associated administration would incur additional cost to the government and hence to tax payers. On the other hand, the ease of spamming means that any effort that is entirely voluntary will not suffice in combating the problem. We therefore support a minimalist legislation to deal with specific problems of abuse."3. The current Consultation Paper, however, sets out a very elaborate framework to control the problem of spamming. While we would very much like to have the spamming problem contained, we would advise caution against the dangers of legislative overkill.4. The Consultation Paper starts with a set of objectives and guiding principles which we have found very reasonable. However, it seems to us that these objectives can be met by translating the guiding principles into much simpler legislative framework that is currently proposed.5. Our specific views on various aspects of the legislative proposals are described below.Legislative framework6. The Consultation Paper contains proposals which could develop into elaborate provisions in the subsequent Bill, to cover practices relating to sending electronic messages, address-harvesting, establishing offenses, compensation, investigation, and other related arrangements. Much of the discussion in the Consultation Paper is indeed perfectly sound - such as that the right to receive messages should rest with the user but an opt-in scheme may be too onerous on e-marketers. However, that does not mean every detail such as mandatory unsubscribe function and regulations over headings and contents must be prescribed in the law. To do so risks the law being too complicated, or worse, being overtaken by technology and hence getting outdated very soon.7. We believe much of what the Consultation Paper aims for can be achieved through a self-regulatory regime sanctioned by the anti-spamming legislation. Taking the model of the Personal Data Privacy Ordinance, the anti-spamming Bill needs only lay down a number of principles (such as the user's right to decide, no misleading nature of the messages), implemented through self-regulatory codes of practices. Such codes would be developed and enforced by a suitably empowered regulatory authority, after consultation with industry and users.8. Under such a regime, the Bill is of an enabling nature, while the substance of regulation lies in the codes of practices. To the extent that the codes are not part of the law, they are voluntary but not mandatory; however, this does not mean they are "toothless" guidelines. As in the case of the Personal Data Privacy Ordinance, failure to comply with the codes is not itself an offence, but in court proceedings it will be admissible as evidence and taken into account by the court in deciding on whether the law has been contravened. The advantage of this approach is that keeps the Bill simple while enabling the regulator to implement it in a flexible way, in line with the changing social or technological environment.9. To some extent this approach is recognized in the Consultation Paper (para 94 and 95), but limited only in application to e-marketers. We suggest the Administration to seriously consider adopting this as the legislative approach itself, not just as a step in implementation.Scope and enforcement10. In general, we are in agreement with the proposals of the Consultation Paper with regard to the scope and the enforcement agent of the anti-spamming legislation (the Bill).11. With regard to the scope of application, we support a technology-neutral regime to cover all forms of electronic communication. Since spams are very often of an extra-territorial nature, we appreciate the need for the "Hong Kong link" concept to be established to enable meaningful application of the Bill. The law should however not punish those providing a mere routing service - the ISPs and "pipe providers" should not become scapegoats for unscrupulous behaviour by users.12. The government proposes that the legislation be enforced by the Telecommunications Authority (TA). This may complicate the role of the TA, and may give rise to further uncertainties in view of the possible merger of the TA with the Broadcasting Authority (a subject of another government consultation). On the other hand, the setting up of a new regulatory authority (e.g. one similar to the Privacy Commissioner's Office) would go against the principle of small government. On balance, we would favour an existing rather than a new agency as the regulator and enforcement agent of the Bill.Offence and penalties13. In our earlier paper, we stated:If a law were to be enacted, it should be narrowly focused and targetted specifically at practices which have a deceptive element, so as not to interfere with legitimate e-commerce. Some example of deceptive practices include:- using other people's identity to send email;- using other people's server without authorisation;- spoofed or fraudulent header information or subject lines.14. We agree, therefore, with the Consultation Paper that practices with fraudulent and deceptive intent, such as those described in para 74-75 of the consultation paper, should be subject to criminal sanctions including a suitable custodial sentence.15. We are not sure, however, if the same strict regime should apply to other aspects of the spamming activity. Unless there is a clear criminal element, spamming is, in most cases, a business practice without malicious intent. These practices need to be regulated, and some of them may be questionable or even unethical, e.g. address-harvesting or dictionary attacks, but they should not be treated in the same category as criminal acts that requires a custodial sentence. Thus the proposal for imprisonment of up to five years would seem to be not proportional to the offence. We believe a hefty financial penalty would be more appropriate.Employer liability16. The Consultation Paper proposes that where an offence is committed by an employee, the employers or directors of a company should be presumed to have committed the act, unless they can demonstrate that they have not authorized it. This amounts to having the employers or directors of a company "presumed guilty unless proven innocent", and is bound to be a controversial subject among the business sector.17. On balance, as in the case of copyright legislation, we have no objection to this provision, recognizing that the promotion of corporate governance would require a higher level of responsibility of directors and principals. However, we are strongly of the view that this should only be implemented on the basis of very clear guidelines as to what will amount to sufficient proof that the directors concerned have not authorized the infringing act. Moreover, this should apply for civil liabilities but not in the case of criminal sanctions, for which the burden of proof must lie firmly within the prosecution.Conclusion18. Given that spamming is a very specific problem, a legislative approach to tackle it should be established quickly and expeditiously. If it is decided that a law should be enacted, then it should be done quickly, or we risk perpetually "chasing the problem". This is why a specific minimalist approach would be preferable to a complex and comprehensive approach.19. In the end, however, legislation is not the only nor the most important solution. Spamming is by nature a cross-border problem which no local legislation can tackle effectively. As emphasized in our previous paper, other policies and measures should be considered together, including international cooperation, education, and industry self-regulation.
Top