Regulatory system information: Unsolicited Commercial Electronic Messaging

Description of the regulatory system

System objectives/purposes

The Unsolicited Electronic Messaging system aims to promote a safer and more secure environment for the use of information and communication technologies in New Zealand. To achieve this, the system focuses on reducing information restraints and costs to businesses and the wider community that arise from unsolicited commercial electronic messages.

Unsolicited commercial electronic messaging forms part of a wider system working to achieve digital safety. Other regimes within this wider system include censorship regulation.

Key statutes

Unsolicited Electronic Messages Act 2007.

Brief description of what the system does

The regulatory system promotes good electronic marketing practice by:

  • prohibiting the sending of unsolicited commercial electronic messages
  • requiring commercial electronic messages to include information about the person who authorised their sending
  • prohibiting the use of address-harvesting software or a harvested-address list to send unsolicited commercial messages
  • providing an avenue for consumers to complain about unsolicited commercial messages.

Agencies involved in the Unsolicited Electronic Messaging regulatory system

These include:

  • The Department of Internal Affairs (DIA) (delivery and enforcement)
  • Ministry of Business, Innovation and Employment (MBIE) (policy)
  • New Zealand Police (consultation and cooperation)
  • Computer Emergency Response Team, New Zealand (CERT) (reporting and triaging cyber incidents).

Currently, there is a memorandum of understanding between the DIA and CERT. Other national and international agencies involved include (but are not limited to) the Cyber Policy Group, the Australian Communications and Media Authority and the Unsolicited Communications Enforcement Network.

Regulated parties and non-government stakeholders

Regulated parties are any New Zealand business or person that sends commercial electronic messages.

The main non-government stakeholders include:

  • people and organisations that send electronic marketing material
  • direct marketing association
  • receivers of unsolicited commercial messages.

Engagement between system agencies and regulated parties

Complaints about spam are received via an online form, email or through SMS text. Complaints are triaged to understand the level of engagement (or potential investigation) required. DIA engages with regulated parties via email, phone and face-to-face interaction regarding guidance on complying with the legislation. DIA has taken a proactive approach to prevention to mitigate associated harms.

Fitness-for-purpose assessment

Reviews/assessments of the Unsolicited Electronic Messaging regulatory system

In the past year there have been no reviews or assessments of the system. These regulatory arrangements are stable and appear to be operating effectively under the current law.

Review/assessment findings

Effectiveness

The extent to which the system delivers the intended outcomes and impacts

The sector’s level of resourcing is commensurate with the risks addressed by the system. Compliance effort is targeted according to the level of risk and nature of harm. To ensure that regulators operate effectively within an ever-changing environment, the sector is active in national and international forums that monitor developments in information and communication technologies and how they are exploited and utilised to send unsolicited electronic messages. However, it is difficult to measure the level of compliance or the impact of unsolicited commercial messaging due to the extent of the problem.

Efficiency

The extent to which the system minimises unintended consequences and undue costs and burdens

DIA has recently managed a project that provides regulated parties with relevant information that encourages compliance while also addressing the growing number of complaints received. Even complainants with issues considered low level are provided with prevention advice. For example, since November 2017, DIA has issued 269 specific guidance packs to these types of businesses. As a result, these entities are provided with predictability, certainty and an increased understanding of their compliance requirements.

Durability and resilience

How well the system copes with variation, change and pressures

DIA has a good relationship with the Marketing Association and key stakeholders, which allows DIA to influence their behaviour rather than relying on statutory enforcement. However, with the changing technological environment it is likely that keeping pace may become more difficult. For example, there has been a shift from consumers being overwhelmed by bulk spam to more sophisticated and malevolent spam. This problem is transnational, impacting commercial entities and the general population. The public are not protected by existing legislation, which indicates that the Act will need to be reviewed to ensure it effectively covers the threats of cybercrime.

DIA’s responsibilities relate to delivery and enforcement, whereas MBIE is accountable for policy. These agencies are working together to develop their relationship to ensure any legislative constraints are addressed. In any future review, it may be useful to consider whether stewardship of the system would be enhanced by locating all the functions in one agency.

Fairness and accountability

How well the system respects rights and delivers good process

The sector’s compliance approach and enforcement response guidelines ensure fair and consistent decisions. They achieve this by taking a risk-based approach which is tailored to the specific circumstances of the case and entity concerned. DIA has good relationships with these entities, which encourages compliance. However, influencing small and medium enterprises is becoming an increasing challenge due to their growing numbers and diversity, which is further compounded by limited resources.

Plans for regulatory and operational improvements

Key regulatory changes planned for 2019/20

No reviews or regulatory changes are planned for 2019/20.

Key service design and operational changes planned for 2019/20

DIA is embarking on a ‘Complaint, Analysis and Triage Review’ project, which will be worked on over the next 12 to 18 months. The project is in an early phase; however, it will aim to update the Spam Intelligence Database, which holds complaints received and spam data.