China: Regulating Spam in the Middle Kingdom - China´s New Anti-Spam Regulations

New regulations designed to limit the amount of unsolicited advertising email sent in China became effective on March 30, 2006. Over the last several years, China has developed a reputation for hosting many global spammers. This has occurred despite China's strict regulatory regime governing online activities because, until now, it has not had national level regulations prohibiting advertising email (commonly referred to as "spam"). The national government began informally addressing the problem several years ago through the government backed Internet Society of China ("ISC")¹ which established an anti-spam division² and issued the "Standards for Public Email Service"³ on September 1, 2004. These voluntary industry guidelines were publicly adopted by some companies, but there was no enforcement mechanism. On March 30, 2006, the Administration of Email Services Procedures (the "Email Procedures")⁴ promulgated by the Ministry of Information Industry ("MII") came into effect. The Email Procedures impose restrictions on senders of email, particularly advertising email, as well as on email service providers which are meant to work together to provide a mechanism for eliminating spam.

Like the anti-spam laws of many other countries, the Email Procedures include labeling requirements, require that each advertising email contain certain information and require that individuals be provided with the right to opt-out of receiving emails.

Labeling Obligation. The Email Procedures require e-mail advertisements to include the term "AD" or the equivalent Chinese characters in the subject field of every advertising email sent by an entity in China. This is meant to make it easier for recipients to identify and/or filter advertising email.

Opt-In Consent to Receive Advertising Email. Advertising email may be sent only to recipients who have expressly consented to receiving advertising email from a vendor. While this would prevent a company from sending unsolicited emails to prospective customers, it should not prevent a company from sending an email which does not constitute advertising to existing customers, e.g., emails relating to the goods and services the organization is currently providing or inquiries regarding whether the consumer wishes to receive advertising emails from the vendor in the future.

Opt-Out Information. In addition, any entity within China sending advertising email must provide an opt-out mechanism within the body of the advertising emails. The advertising email must also include contact information, i.e., an email address that is valid for at least 30 days from the date that the advertising email was sent, so that individuals can exercise their right to opt-out of receiving future advertising emails from the vendor.

Prohibited Activities. In response to the apparently wide-spread use of zombie-nets, the Email Procedures also prohibit the sending of email from someone else's computer without authorization. They also prohibit email address harvesting, and the selling, sharing or exchanging of harvested email addresses, or sending email to randomly generated addresses. They also prohibit hiding or forging email headers including the sender, receiver and transmission route identifying its source, destination or transmission route.

Content Restrictions. China's telecommunications and Internet regulations currently impose various restrictions on online content. To address the possible ambiguity of whether specific content was permissible in email, the Email Procedures incorporate by reference several articles from the Telecommunications Regulations that restrict certain types of content, including prohibitions on disclosure of state secrets; incitement of ethnic hatred or racial discrimination; spreading of rumors; propagation of obscenity, pornography, gambling, violence, murder or fear; inciting the commission of crimes; or insulting or slandering others. Under the Email Procedures, individuals are prohibited from using email to engage in hacking, stealing or damaging information of other people on a network, spreading computer viruses, or otherwise compromising the security of a computer network.

The Email Procedures impose obligations on entities that provide email services on either a commercial or non-profit basis. The Email Procedures establish a registration and filing system which is meant to identify all entities in China that provide email services to third parties.

Registration Requirements. The Email Procedures require any entity intending to provide commercial service to end-users for sending and receiving email within China to first obtain a value-added telecommunication services business license ("VAS License") or, in the case of a non-profit entity, complete the appropriate registration procedures. When an email service provider intends to begin operation, in order to obtain Internet access from an Internet service provider ("ISP"), the email service provider must submit the VAS License or evidence of having completed the appropriate non-profit filing. At least 20 days prior to commencing operation of email services, the email service provider is required to register the IP addresses of all email servers with the MII or the provincial branch of the Administration of Communications.

Operational Requirements for Email Service Providers. Email service providers are required operate email services as follows:

• email services must comply with technical specifications established by the MII;
• anonymous email forwarding must be prevented by disabling open-relays;
• security management is required, and remedial measures must be immediately undertaken when network security flaws are discovered;
• service providers must maintain copies of all emails sent and received, as well as the email addresses and IP addresses of senders/receivers for at least 60 days;
• service providers must clearly inform users of the services' content and instructions; and
• service providers must maintain the confidentiality of users' registration information and email addresses, which cannot be used or disclosed without the consent of its owners.

Email service providers are also obligated to maintain the confidentiality of users' email correspondence, with email content only being disclosed in the case of national security concerns or a criminal investigation.

Fines Applicable to Email Service Providers. If email service providers violate the Email Procedures, they may be subject to fines of up to RMB 30,000 (US $3,750) per occurrence and, in severe cases, criminal prosecution.

The Email Procedures provide that a new "Complaint and Handling Center for Email Abuse" is to be established by the ISC under the authority of the MII. This Email Abuse Center will be responsible for receiving and coordinating reports of email violations. Both email service providers and ISPs are required to accept complaints regarding email related issues from users. Depending on the nature of the complaint, the Email Abuse Center is required to forward it to the appropriate local or national authorities. Any organization with its email address being reported is required to launch an investigation immediately in order to address the spam complaints, and then to report the results to the Email Abuse Center.

The Email Procedures could potentially have a significant impact on organizations based in China. They provide for monetary fines of up to RMB 30,000 (US $3,750). What is unclear at this time is if the fines will be imposed on a per email basis or on each email campaign.

Companies sending emails within China should carefully review their email policy and guidelines to ensure that they comply with the new Email Procedures. If fines are imposed on a per email basis, the fines could be enormous for any organization sending email in China.

1. http://www.isc.org.cn

2. http://www.anti-spam.cn.

3. http://www.english.anti-spam.cn/newshow.asp?NEWSID=2849.

4. Administration of Email Services Procedures, Circular No. 38, Ministry of Information Industries (promulgated February 20, 2006 and effective March 30, 2006).

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved