Spam legislation and enforcement | ACMA

Spam legislation and enforcement

Woman on laptop_640x360 jpg

The ACMA is responsible for enforcing the Spam Act 2003, which prohibits the sending of ‘unsolicited commercial electronic messages’ (known as spam) with an 'Australian link'. A message has an Australian link if it originates or was commissioned in Australia, or originates overseas but was sent to an address accessed in Australia.

The Spam Act covers email, mobile phone text messages (SMS), multimedia messaging (MMS), instant messaging (iM), and other electronic messages of a commercial nature. However, the Act does not cover voice or fax telemarketing. Telemarketing calls and faxes are covered by the Do Not Call Register.

The ACMA can take any of the following actions for breaches of the Act:

  • Issue a formal warning.

  • Accept an enforceable undertaking from a person or company—these undertakings usually contain a formal commitment to comply with specific requirements of the Act. A failure to abide by an undertaking can lead to the ACMA applying for an order in the Federal Court.

  • Issue infringement notices.

  • Seek an injunction from the Federal Court to stop a person sending spam.

  • Prosecute a person in the Federal Court.

The penalty units referred to in the Spam Act are equal to $210 each. For example, the penalty under section 25(5)(b) of the Spam Act for a company with a previous record of spamming and who sent two or more spam messages on a given day without consent is a maximum fine of 10,000 penalty units. This equates to a maximum penalty of $2,100,000.

Search and seize powers

The Spam Act gives the ACMA powers to search premises and seize equipment where the Act is breached, and to impose and enforce penalties. The Act also provides for orders for forfeiture of profits derived from spam, and payment of compensation to spam victims.

Botnets and criminal activity

It is illegal for any person or organisation to remotely use and control another person’s computer without their knowledge or consent. Under the Criminal Code Act 1995 criminal penalties apply in the following circumstances:

  • Unauthorised access and modification of data via a carriage service. For example, accessing another person’s computer to install a bot. The penalty—a two-year maximum prison sentence.

  • Unauthorised modification of data via a carriage service. For example, installing a bot on another person’s computer. The penalty—a 10-year maximum prison sentence.

  • Possession of data with intent to commit a computer offence. For example, possession of bot binaries and exploiting tools or installers. The penalty—a three-year maximum prison sentence.

  • Producing, distributing or obtaining data with intent to commit a computer offence. For example, writing a bot code or selling a bot code, or similar actions. The penalty—a three-year maximum prison sentence.

Consumers can directly report such alleged misuse through the Australian Cybercrime Online Reporting Network (ACORN).

Last updated: 19 October 2018