On 22 December, Phase 2 of Hong Kong’s new anti-spam law, the Unsolicited Electronic Messages Ordinance (“UEMO”), will come into effect. Phase 2 will establish rules for sending commercial messages. The Hong Kong Legislative Council passed the UEMO earlier this year, with Phase 1, relating to professional spamming and fraudulent mass mailing activities, taking effect from 1 June.
The UEMO introduces regulation in Hong Kong in relation to spam and junk messages, as well as other activities, such as address harvesting. It regulates “commercial electronic messages” which are messages that advertise or promote goods or services and are sent by electronic means, such as pre-recorded voice messages, faxes, emails and messages through short messaging services (SMS) or multimedia messaging services (MMS). All commercial electronic messages with a “Hong Kong link” are regulated by the UEMO. A message has a Hong Kong link if it is sent to or from a Hong Kong telephone number, is received in Hong Kong or is sent by a person physically present in Hong Kong or a Hong Kong corporation.
1. Phase 1 is here
Phase 1 of the UEMO commenced on 1 June. It implemented offences for the use of unscrupulous techniques to reach out to more recipients (ie professional spamming activities) as well as fraud and other illicit activities related to the sending of multiple commercial electronic messages.
Offences and penalties
The following professional spamming activities are now prohibited for sending multiple commercial electronic messages with a “Hong Kong link”:
- supply, acquisition or use of address harvesting software or lists;
- generating electronic addresses by automated processes;
- use of scripts or other automated means to register for five (5) or more email addresses; and
- use of open relays/proxies to deceive or mislead recipients as to the source of such messages.
Reports of such activities may be made to the Office of the Telecommunications Authority (“OFTA”) and OFTA may take prosecution action if appropriate. A person who contravenes these offences is liable to a fine of up to HK$1 million and/or imprisonment of up to five (5) years.
The following fraud and other illicit activities related to sending of multiple commercial electronic messages are also offences under the UEMO:
- sending messages without authorisation to deceive or mislead recipients about the source;
- falsifying header information;
- using false information to register electronic addresses or domain names; and
- falsely representing to be the registrant of an electronic address or a domain name.
Reports of such activities may be made to OFTA and OFTA may refer the matter to Hong Kong police if appropriate. These offences may be subject to fines imposed by a court and/or imprisonment of up to ten (10) years.
It is a defence under the UEMO to charges of acquisition and use of harvested address lists and automatically generated electronic addresses, if the sender can prove that it took all reasonable precautions and exercised all due diligence to avoid committing the offence. In addition, with respect to sending messages to automatically generated electronic addresses, it is a defence if the sender can prove that it did not know and had no reason to suspect that the electronic address was obtained using automated means.
Therefore, a key point for businesses is to undertake due diligence with respect to any address lists that are acquired or used. Enquiries should be made about how the lists were compiled and how the contact details were obtained. It is also important for businesses to keep records of all enquiries in the event that the source of lists or addresses is questioned in the future.
2. Phase 2 is coming soon
Phase 2, which sets out the general rules for sending commercial messages and the set up of the “do-not-call” registers, will come into effect on 22 December 2007.
Rules for sending commercial electronic messages With the introduction of Phase 2, senders of commercial electronic messages will be required to do the following in relation to each commercial electronic message:
- identify the sender and provide contact information;
- provide an unsubscribe facility at no cost (ie an “opt-out”);
- honour unsubscribe requests within ten (10) working days;
- not send commercial electronic messages to electronic addresses registered in the do-not-call registers unless consent has been given;
- not send out email messages with misleading subjects; and
- not hide the calling line identification when sending messages to telephones.
Further details regarding the type of sender information, language requirements, the order in which information must be presented and requirements for the unsubscribe facility are set out in UEMO Regulations which will also come into effect on 22 December 2007. In addition, a public consultation is also underway on a Code of Practice for sending commercial electronic messages under the UEMO. The Code of Practice is intended to provide practical guidance on the presentation of the sender information and unsubscribe facility as well as the choice of unsubscribe facility.
Records of unsubscribe requests must be retained for a period of three (3) years. However, unsubscribe requests are valid indefinitely unless revoked or consent is obtained.
Phase 2 provides for the set up of the “do-not-call” registers. OFTA will set up three separate do-not-call registers for fax messages, pre-recorded messages and SMS messages. Members of the public can register a fixed, mobile and fax number (but not email addresses) on one or all of the registers using a registration hotline set up by OFTA. Registration will be a means of notifying senders that the person does not wish to receive commercial electronic messages at the registered number.
It is a breach of the UEMO if a commercial electronic message is sent to a number which has been listed for 10 working days or more. Business sending commercial electronic messages will need to apply to OFTA for a subscription to the relevant registers, which will be provided for a fee. Once a business successfully applied for a subscription account, it can then download the lists from a special purpose website.
Each of the three registers has a different launch date. The provisions of the UEMO regarding the corresponding do-not-call register will be enforceable from that date. The dates are:
- Fax 8 January 2008
- SMS 25 January 2008
- Pre-recorded 26 March 2008
Penalties for contravention
Reports of contraventions can be made to OFTA and the offender may be served with an enforcement notice. Contravention of an enforcement notice may attract a fine of up to HK$100,000 for the first conviction. The penalties for misuse of information contained in an unsubscribe request or do-not-call register are fines of up to HK$1 million or imprisonment of up to 5 years.
The following types of messages are exempt from the provisions of the UEMO:
- messages sent by post;
- person-to-person “interactive” calls, such as telemarketing calls;
- survey or religious messages without contents that advertise, promote or offer any products, services, business opportunities or organizations;
- messages sent in response to the recipient’s specific requests, such as faxon- demand;
- messages, such as invoices or receipts to confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; and
- radio and television programme services.
The sending of these types of messages and services will not be subject to regulation under the UEMO.
4. Impact for Business
Any use or supply of lists of harvested or automatically generated electronic addresses should have ceased as of 1 June. Businesses should be making enquiries as to the source of electronic addresses in lists purchased or acquired from third parties and recording those enquiries.
Businesses should now also be taking steps to become “UEMO compliant” with respect to the sending of commercial electronic messages ahead of the introduction of Phase 2 on 22 December. The following items should be a priority:
- ensuring that SMS, fax, email and pre-recorded message formats are compliant with the requirements of the UEMO, Regulations and Code of Practice;
- making arrangements for an unsubscribe facility which complies with the relevant requirements and for recording and retaining unsubscribed requests;
- becoming familiar with the do-not-call register operation and preparing to subscribe to the relevant lists maintained by OFTA.