Czech Republic: Unsolicited Commercial Communications
Spam is a nuisance. Almost everyone has encountered spam and many had to give up their mailbox when spam piled up so massively that the mailbox could no longer be used. From the technical point of view, defence against spam is not easy as some spam filters do more harm than good. Who has not experienced an important business email, wrongly qualified as advertising, getting caught in a spam filter?
What is the response to spam in the field of law and what is the current practice of supervisory authorities?
Under Czech law, advertising sent by electronic mail (or by other forms of electronic communication, such as various electronic communicators) qualifies as „commercial communication“ and is governed primarily by Sec. 7 of Act no. 480/2004 Sb., on Services of Information Society. In the Czech Republic, the supervising authority in the area of „spam regulation” is the Office for Personal Data Protection. The Office has issued several opinions on the issue, the most recent being published in February this year.
The Office has, among other things, informed that it often deals with situations in which commercial communications (advertising etc.) are sent to addresses acquired from contact databases purchased from third parties. Such databases or contact lists, whether their origin is lawful or unlawful (as was the case in the recent T-mobile scandal), are frequently traded as highly profitable goods. However, a large portion of senders of commercial offers does not realize (or maybe realizes too well) that a mere purchase of a database – usually for a significant amount of money – is not sufficient as the database cannot be lawfully used without an additional condition being met. Unsolicited commercial communications may only be sent if a clearly identified person has given its valid consent. When complaints are heard before the Office for Personal Data Protection, senders who use contact databases often argue that the seller of the database has declared that the database is lawful (in other words, the senders try to shift the liability to database sellers) or that general consent with unsolicited commercial communications has been given.
That is not correct. Consent under Sec. 7 of Act no. 480/2004 Sb. is to be understood as a free, clear and conscious expression of will, addressed by the recipient to the sender of commercial communications, which allows the sender to use the recipient’s electronic contact details to send unsolicited commercial communications. The consent must clearly specify who grants it to whom and for what purpose. Consent must be granted in advance (prior to the receipt of the communication) and the sender must be able to prove its existence. That means that it is the sender of commercial communications who shall prove that a clearly identifiable person has granted its consent to receive commercial communications. Consent must be addressed to a specific sender and should specify what type of goods or services may be advertised in the communication. Unlike the (general) regulation of consent with personal data processing (whether under the current national legislation or under the GDPR), regulation of unsolicited commercial communications does not require that the consent shall specify in advance for how long it is given. Recipients shall however have an option to withdraw the consent in each individual commercial communication addressed to them (usually reflected in the notorious “unsubscribe“ line found at the end of an email, often written in 5pt font).
The consent has no prescribed form (i.e. written form is not obligatory), however, as mentioned above, the sender must be able to prove its existence. Moreover, it is the sender who bears the burden of proof with regard to the existence of valid consent. The sender cannot release itself from this liability by referring to any guarantees made by database sellers. Sellers may be found liable under civil law, for instance for damage suffered by the buyer of the database, but administrative sanctions will always be imposed on the sender. If the sender is not able to prove that valid consent exists, it risks a hefty penalty (up to CZK 10,000,000 or approx. EUR 400,000) for each breach of obligations set forth by the above-mentioned Sec. 7 of Act no. 480/2004 Sb., which may be imposed in proceedings conducted under Sec. 11 of said Act.
One of the cases mentioned by the Office, which concerned the use of a database bought from a third party for the purpose of sending commercial communications, indeed resulted in a penalty being imposed on Zaplo Finance, a loan provider. It is fair to note that the sanction imposed was rather symbolic (CZK 36,000 or approx. EUR 1,500). The Office justified that by not having received many complaints about Zaplo Finance and therefore assessed the level of harmfulness of its offence as negligible. However, the issue should not be underestimated as it is not impossible that next time, the penalty may be much higher. Moreover, the Office has been heard to announce that it will pay close attention to this issue in its upcoming inspections.