Spam is costing businesses enormous amounts of money and time in handling unwanted messages and maintaining necessary bandwidth. It is therefore alarming to note that Vietnam produces 3.07% of the world’s spam, placing it seventh in the global ranking published by SophosLabs in its Security Threat Report 2012. As the mobile phone market in Vietnam continues to grow, spam has not only become an everyday nuisance, but also poses a serious threat to security.

The government passed Decree 77/2012/ND-CP (Decree 77) in October 2012 to further tighten the controls against spamming and related conduct. Decree 77 was issued to supplement existing Decree 90/2008/ND-CP against spam (Decree 90), and will be effective from January 1, 2013. Decree 77 does not make an overhaul of current regulations, but rather provides several means to limit spamming.

Defining “Spam”

Decree 90 classifies spam into two types: (1) e-mails and text messages for the purpose of deception, harassment, or spreading computer viruses and harmful software, or violating regulations of the IT Law; and (2) advertising via e-mails or text messages which are in violation of the principles of sending advertising via e-mail or text message, as stipulated in the Decree.

Decree 77 adds information messaging services as another category. Although such messages are not treated as another classification of spam, the Decree has several provisions regulating such services. Information messaging services are defined in Decree 77 as services using text messaging to provide information, applications, or utilities to the user. Information messaging services must obtain a management code from the Ministry of Information and Communications (MIC) and have numerous obligations, such as publishing information on a website before providing the services and taking measures to prevent spam mail and spam services. They are also prohibited from charging for error messages, messages without services, messages with services but with syntax different from that announced by the enterprise, or messages that cheat users.

Opt-Out or Opt-In

In regulating spam, countries are usually divided into “opt-out” or “opt-in” jurisdictions. If unsolicited messages are permitted, as in the United States, it is an “opt-out” jurisdiction. If prior consent is required before sending a message, it is an “opt-in” jurisdiction, like the European Union. Spam regulation will differ depending on this particular distinction.

Under Decree 90, the regulations did not make this distinction clear and required individuals and organizations to obtain consent before sending an advertising e-mail, whereas advertising service providers were permitted to send advertising e-mail until the recipient opted out. This inconsistency was subsequently removed by Decree 77, which requires that all organizations and individuals must seek prior consent from future recipients, making Vietnam an “opt-in” jurisdiction.

It is logical to conclude that “opt-in” jurisdictions adopt a more stringent system against spam. However, this may limit potential legitimate marketing activities if exceptions are not allowed. Decree 77 does not regulate how this consent is applied and to what services. Due to the lack of regulation, companies are likely to provide consumers with consent forms drafted with a broad scope.

Prohibited Acts

There is great incentive to use electronic marketing because the cost of sending the message is minimal, and it reaches a larger audience. Even with a low response rate, it may still be more profitable than traditional marketing channels. One way of limiting spam is to impose liability on spammers using technologies to generate large lists of addresses to spam. Existing regulations already recognize this issue and prohibit the exchange, purchase, or sale of lists of electronic addresses or software for gathering addresses.

Decree 77 further prohibits hiding senders’ names or electronic addresses, or illegally using the name or electronic address of another organization or individual when sending text messages or e-mails. Decree 77 also explicitly prohibits charging for services without notifying the users.

Previous regulations provided a limit of five e-mails per 24 hours that may be sent to a single e-mail address. Decree 77 will allow only one message of the same content. Current regulations do not refer to the same content, and this means that when Decree 77 becomes effective, the same sender may send more than five e-mails per day, as long as it is not of the same content. The regulation of text messages has been correspondingly amended.

Enforcement

Decree 77 lists more acts that may be subject to administrative fines. The amounts of fines have not changed, however, and the maximum monetary penalty remains at VND 80 million (approximately USD 4,000). The existing law also requires that violators return the money that has been appropriated or improperly collected when committing administrative violations; such entities or individuals may also be subject to suspension. However, given the widespread presence of spamming and limited governmental resources, administrative fines alone are not an effective means to control spam.

Since internet service providers (ISPs) and text messaging service providers have direct control of the traffic on their networks, they should be involved in regulating spam. Decree 77 increases the role of ISPs and text messaging service providers in blocking and limiting the source of spam. Text messaging service providers must provide tools to users for providing feedback on spam, as well as for accepting and refusing advertising messages. They must also return the service charge upon request of providers of information, and must prevent and refund charges for information messaging services without a management code issued by the MIC. They must also prevent spam from fake sources and revoke their subscriber numbers. Increasing the role of service providers brings focus to enforcement efforts.

Positive Steps

The government has taken positive steps to control spam by widening the scope of prohibited acts and giving enforcement authorities a clearer legal basis to penalize everevolving spamming activities.