Contents
  • 1. Introducing the Electronic Privacy Directive
  • 2. The Essentials
  • 3. Case Study
  • 4. Other Data Privacy News
1. Introducing the Electronic Privacy Directive

This Bulletin focuses on the new Electronic Privacy Directive (the Directive for the Protection of Personal Data and Privacy in the E-Communications Sector – 2002/58/EC). This was adopted by the European Council on 25 June 2002 and has just come into force[1]; Member States must implement its provisions into their national laws before 31 October 2003. A copy of the Electronic Privacy Directive can be found here.

As part of the harmonising, European legislative tide, the Electronic Privacy Directive is aimed at bolstering data protection in the electronic communications sphere and replaces the Telecoms Directive[2] in its entirety, while complementing and building upon the Data Protection Directive[3]. The new Directive also introduces protection for subscribers to electronic communications services where those subscribers are legal persons as well as natural persons. The UK Information Commissioner’s Office is reportedly already in discussions with the DTI and OFTEL regarding the implementation of the Directive.

The Electronic Privacy Directive goes further than the updating and adapting referred to in the European Commission’s original July 2000 proposal; it introduces a number of changes, for example, to the regulation of direct marketing via email, which will have important implications for businesses. Some of the key changes are set out below.

[1] The Directive came into force on being published in the Official Journal of the European Communities on 31 July 2002.
[2] The Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector - 97/66/EC.
[3] The Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data - 95/46/EC.

2. The Essentials

The main features

  • Marketing via Electronic Communications
  • Cookies
  • Security
  • Directories
  • Retention of Traffic Data

When does the Directive apply?

The Electronic Privacy Directive builds upon the Data Protection Directive and therefore (broadly) applies to data controllers established in the EEA or using equipment there for processing personal data[4]. Its impact will be felt widely by businesses, ranging from those which process personal data in connection with providing publicly available electronic communications services[5] in public communications networks[6] in the Community to those which merely operate a web site.

[4] Article 4 of the Data Protection Directive.
[5] Electronic communications services consist of ‘the conveyance of signals on electronic communications networks’, usually for remuneration, but they exclude services where editorial control is exercised over the content transmitted (e.g. broadcasting).
[6] A public communications network is an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services.

How long before businesses have to comply?

Businesses now have at least a 15-month breathing space in which to prepare themselves for compliance. However, based on previous experience of the tardiness of some Union countries, it may be after 31 October 2003 before all Member States have in fact implemented the Directive. After 31 October 2003 businesses should not rely upon their national government’s failure to implement as an absolute defence to non-compliance.

Direct Marketing using "Unsolicited Electronic Communications"

This Directive goes some way towards harmonising the divergent national attitudes currently prevailing across the European Union. For example, at present the UK Information Commissioner recommends opt-in as best practice for direct marketing by email, while recognising that opt-out is lawful for most non-sensitive situations. ‘Opt-in’ describes a situation where an individual is assumed not to consent unless s/he takes some positive step to indicate consent. Data protection authorities in Germany and Italy, by way of contrast with the UK, require opt-in for direct marketing.

Once the Directive is implemented, each Union country will require prior, positive consent (i.e. opt-in) for direct marketing via automated calling machines, fax, email and mobile text messaging (e.g. SMS), except in the case of email or mobile text message marketing to existing customers (see below).

In what was intended as a compromise but has turned into something of a legislative ‘fudge’, the new Directive treats direct marketing by email (and also by text message) differently according to whether the intended recipient is an existing customer or a new one. For existing customers, a modified opt-out system applies in relation to sending them direct marketing emails, provided that five conditions are met:

  1. the existing customer's email address has been obtained from that customer in the course of a sale of a product or service;
  2. the email address was obtained in compliance with the Data Protection Directive;
  3. the direct marketing relates to products or services of a similar category;
  4. the direct marketing is by the same entity as that which made the original sale(s); and
  5. the existing customer must be able to opt-out (free of charge) from receiving such emails at the time when the email address is collected and on the occasion of each message.

The same arrangement applies to the collection of mobile telephone numbers for mobile text messaging direct marketing.

If the recipient is not an existing customer, the use of email or mobile text messages for direct marketing will only be permitted if the recipient has given prior consent (i.e. an opt-in system).

Spam

The practice of spamming - the bulk sending of unsolicited marketing emails - is already regulated by a number of measures under European law. In addition to the direct marketing measures discussed above, the new Directive makes false identity/anonymous spamming unlawful, although enforcing this ban will, of course, be quite a different matter.

A large proportion of spam received in Europe originates from outside the EEA and is sent in such a way that it is untraceable. The Electronic Privacy Directive will have no effect on such practices originating from outside the EEA, since the new Directive, like the Data Protection Directive, broadly only applies to data controllers established in the EEA or using equipment in the EEA for processing personal data. In answer to the question “will this Directive reduce the quantity of spam cluttering up our in-boxes every day?” the answer is “probably not”.

Cookies

A cookie is another marketing tool, comprising a small text file containing a unique identifier assigned by a web site and deposited on the hard drive of the web site visitor’s computer when the particular web site is accessed. Its purpose is to enable the web site to ‘recognise’ a repeat visitor by linking the cookie to information the web site has collected about the user’s previous visits. Most web sites use cookies to monitor web site use and tailor users’ experience of the site, for example, by making it unnecessary to re-enter information provided during a previous visit. (Click here for our April Bulletin, which discussed cookies in greater detail).

Under the new Directive, cookies are permitted on an opt-out basis provided that the recipient of the cookie is provided with clear and comprehensive information in line with the earlier Data Protection Directive. The information provided must include details of the purposes for which the information collected via the cookie will be processed. Recipients must also be given an opportunity to opt-out of receiving cookies.

Recital 25 of the new Directive provides the following points of guidance:

  • Information and the right to refuse may be offered once for the use of various devices (e.g. cookies) to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections;
  • The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible; and
  • Access to specific web site content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose (stated to include: analysing the effectiveness of web site design and advertising and verifying the identity of users engaged in online transactions).

Security

The security provisions of the now replaced Telecoms Directive can now be found in the Electronic Privacy Directive. However, there is now an additional obligation on providers of publicly available electronic communications services to inform users if there is a security risk to the network where that security risk lies outside the scope of the provider’s security measures. Service providers must also inform users of any possible remedies, including an indication of any likely costs. This requirement to inform does not discharge a service provider’s obligation to take immediate, appropriate action to remedy any new, unforeseen risks at its own cost in order to restore the normal security level of the network.

Directories

At present, individuals are automatically included in public directories, but are provided with the opportunity to opt-out of such inclusion. Once the Directive is implemented, individuals will have to be informed, free of charge and before they are included in any public directory, of the purpose(s) of the directory and any further, future usage possibilities based on search functions embedded in electronic versions of the directory. Reverse search functions may therefore still be permissible. Individuals must be given the opportunity to opt-out in respect of some, or all, of their data being included in the directory.

Traffic data

Under the new Directive, traffic and billing data should be erased or anonymised by electronic communications service providers upon termination of a communication except to the extent that such data are:

  • necessary for the purposes of billing (until the end of the period during which the bill can be lawfully challenged or payment pursued);
  • necessary for the purposes of marketing the service provider’s own services, provided that prior consent has been obtained from the subscriber; or
  • necessary for the purposes of complying with Member State legislation which restricts the privacy protections provided under the Electronic Privacy Directive in accordance with the provisions of Article 15.

What are the main implications for businesses?

Businesses offering electronic communications services (for example, real-time chat room facilities, email accounts, etc.) will have to comply with the more onerous security provisions and amend their general terms and conditions of use to include the appropriate information.

Another clear development is that the drafting of fair obtaining notices will become even more of an art in the future. The fair obtaining notice should:

  • Identify the data controller or his representative;
  • Describe the purposes of the processing (where applicable, it will be necessary to include marketing as one of the purposes);
  • Provide any other additional information which is necessary in the circumstances in order to make the processing fair in those particular circumstances. In particular, if the personal data are to be shared with third parties, data subjects should be informed of that fact.

Direct marketing via email (and mobile text messaging) to new customers will have to be on the basis of informed, prior, positive consent i.e. opt-in. As far as direct marketing via email or mobile text message to existing customers is concerned, where the customers’ information has been validly collected through the opt-out method, then, subject to the conditions set out above, it will be permissible to continue to market them in this way. Whether new or existing customers, the “fair and lawful” processing requirements set out in the Data Protection Directive must be complied with. Following the new Directive, in order to obtain clear consent to market via email, it is recommended that a fair obtaining notice is employed at the time the data are collected.

Web sites using cookies must ensure that the site’s privacy policy or terms and conditions contain sufficient information in order to comply with the new information requirements. In particular, the user should be provided with information as to which data are collected through the site, by whom, what will be done with the data, how long they will be kept, how they will be processed and how to disable cookies temporarily.

Marketers must balance their desire for maximum flexibility for future processing opportunities against the risk of invalidating the collection of the data by insufficiently clear and precise notices: in other words, the marketing/data protection tension continues.


3. Case Study: Bliss Records and Banner Advertising

In our April Bulletin we introduced the (fictitious) UK business, Bliss Records Ltd. We thought readers might once again find it helpful if we illustrated some of the likely effects of the Electronic Privacy Directive by reference to a hypothetical case study.

Bliss continues to operate a successful on-line book, CD and DVD store via its corporate web site. Its customers enjoy the personalised shopping experience they encounter, thanks to Bliss’s effective use of cookies. In addition to sales income, it receives a moderate advertising revenue from its sister company, Joy Hi-Fi Ltd, which places banner adverts on the Bliss web site.

Currently, the web site sends a Bliss cookie to the computer of each new visitor to the Bliss web site. Joy also sends a cookie to new visitors to Bliss’s site.

Visitors to the site are required to register with Bliss prior to making a purchase. As well as name, postal address and payment details (the last collected over an encrypted link), Bliss requests the user’s email address, telephone number, mobile telephone number and fax number. The online registration form states at the bottom:

“We would like to use the details you have provided to contact you to tell you about special book, CD or DVD offers we think may be of interest to you.

Please contact me by telephone [ ], by mobile text message [ ]. Please send me information by fax [ ] [please put a cross in the boxes if you agree].

We would like to send you information by post. If you would prefer us not to, please put a cross in this box [ ].

We would like to send you information by email. If you would prefer us not to, please put a cross in this box [ ].

We would like to share your details with our sister company, Joy Hi-Fi Ltd, to allow it to contact you with information about its products which may be of interest. If you would prefer us not to share your details with Joy Hi-Fi, please put a cross in this box [ ].”

Bliss follows the UK Information Commissioner’s current best practice recommendation on cookies by explaining on its home page, firstly, that it uses cookies to enhance the visitor’s experience and, secondly, that Joy Hi-Fi collects information about visitors using its own cookies.

Note that for the purposes of this case study we have assumed that the products sold by Bliss are such that no sensitive personal data (which require explicit consent to process under the Data Protection Act 1998) will be collected by Bliss at the registration stage[7].

On the basis of the consents obtained, Bliss flags the customer records in its database and acts accordingly. So far, Bliss has been sending out direct marketing information by email to those customers who have not opted out. Joy has also been sending emails to Bliss customers who have not opted out of being contacted by Joy.

Generally, Bliss is in a good position to meet the demands of the new Directive. Provided the UK legislation implementing the Directive does not adopt a more restrictive approach than in the Directive, Bliss will need to act as follows. For the purposes of marketing by email and mobile text messaging, Bliss must distinguish between its (then) existing customers and new ones. ‘Customer’ in the new Directive means more than a mere visitor to Bliss’s web site: customers must have provided their data in the process of buying a product or service. Existing customers who have not opted out may continue to be sent direct marketing via email and/or mobile text messaging by Bliss, provided that (1) the offers Bliss promotes relate to similar goods/services and (2) Bliss allows customers an opportunity to opt-out each time it sends a marketing email or text.

Joy, on the other hand, will not be able to continue direct marketing even those existing customers of Bliss who had not opted out from being contacted by Joy (unless, of course, they are also customers of Joy); a positive opt-in must be obtained in order for Joy to be able to direct market Bliss customers, both existing and future.
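The distinction the bulletin draws in section 2 (prior opt-in for automated calls, fax, email and SMS, with the five-condition existing-customer exception for email and SMS) and its application to Bliss and Joy above can be encoded as a single consent check that a marketing system consults before each send. The following Python is an added illustration written for this bulletin and is not code from the bulletin, from Bliss, Joy or any real product; the `ContactRecord`, `Campaign` and `marketing_permitted` names, and the sample records for Bliss and Joy, are constructed for the example.

```python
"""Consent gate for direct marketing modelled on Directive 2002/58/EC.

Hypothetical implementation (not from the bulletin or any real product).
Rule encoded: prior opt-in is required for automated calls, fax, email and
SMS, except that email/SMS to an existing customer may run on an opt-out
basis when all five conditions listed in the bulletin are satisfied.
A recorded refusal always wins over any other basis.
"""
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    AUTOMATED_CALL = "automated_call"
    FAX = "fax"
    EMAIL = "email"
    SMS = "sms"


@dataclass(frozen=True)
class ContactRecord:
    """What the data controller recorded when the contact detail was collected."""
    controller: str                      # entity that collected the detail
    obtained_in_sale: bool               # condition 1: given in the course of a sale
    lawfully_obtained: bool              # condition 2: collected per 95/46/EC
    product_category: str                # category of the product/service bought
    opt_out_offered_at_collection: bool  # condition 5, first half
    opted_in: frozenset = frozenset()    # channels the person positively ticked
    opted_out: frozenset = frozenset()   # channels the person refused


@dataclass(frozen=True)
class Campaign:
    sender: str                          # entity sending the marketing
    channel: Channel
    product_category: str
    message_has_free_opt_out: bool       # condition 5, second half


def marketing_permitted(record: ContactRecord, campaign: Campaign) -> tuple:
    """Return (permitted, reason) for sending this campaign to this record."""
    ch = campaign.channel
    if ch in record.opted_out:
        return False, f"recipient opted out of {ch.value}"
    if ch in record.opted_in:
        return True, f"prior consent (opt-in) recorded for {ch.value}"
    if ch not in (Channel.EMAIL, Channel.SMS):
        return False, f"{ch.value} requires prior consent; none recorded"
    # Existing-customer exception for email/SMS: every condition must hold.
    conditions = {
        "1 obtained in course of a sale": record.obtained_in_sale,
        "2 obtained in compliance with 95/46/EC": record.lawfully_obtained,
        "3 similar product category": record.product_category == campaign.product_category,
        "4 same entity as original seller": record.controller == campaign.sender,
        "5 free opt-out at collection and in each message":
            record.opt_out_offered_at_collection and campaign.message_has_free_opt_out,
    }
    failed = [name for name, ok in conditions.items() if not ok]
    if failed:
        return False, "existing-customer exception fails: " + "; ".join(failed)
    return True, "existing-customer exception (opt-out basis)"


def bliss_case_study() -> dict:
    """Constructed scenarios mirroring the Bliss / Joy case study."""
    books = "books, CDs and DVDs"
    # Registered purchaser who ticked the SMS box but left the email box untouched.
    customer = ContactRecord(controller="Bliss Records Ltd", obtained_in_sale=True,
                             lawfully_obtained=True, product_category=books,
                             opt_out_offered_at_collection=True,
                             opted_in=frozenset({Channel.SMS}))
    # Visitor who registered but has not bought anything yet.
    visitor = ContactRecord(controller="Bliss Records Ltd", obtained_in_sale=False,
                            lawfully_obtained=True, product_category=books,
                            opt_out_offered_at_collection=True)
    bliss_email = Campaign("Bliss Records Ltd", Channel.EMAIL, books, True)
    bliss_sms = Campaign("Bliss Records Ltd", Channel.SMS, books, True)
    bliss_fax = Campaign("Bliss Records Ltd", Channel.FAX, books, True)
    joy_email = Campaign("Joy Hi-Fi Ltd", Channel.EMAIL, "hi-fi equipment", True)
    return {
        "bliss_email_to_customer": marketing_permitted(customer, bliss_email),
        "bliss_sms_to_customer": marketing_permitted(customer, bliss_sms),
        "bliss_fax_to_customer": marketing_permitted(customer, bliss_fax),
        "joy_email_to_bliss_customer": marketing_permitted(customer, joy_email),
        "bliss_email_to_visitor": marketing_permitted(visitor, bliss_email),
    }


if __name__ == "__main__":
    for name, (ok, why) in bliss_case_study().items():
        print(f"{name}: {'permitted' if ok else 'not permitted'} ({why})")
```

Running the block prints one line per scenario: Bliss may email its existing customer on the opt-out basis and text the customer who ticked the SMS box, but may not fax without a tick, Joy may not email Bliss's customer (different entity and category), and a mere registrant who has never bought anything is not an existing customer for the exception. The reason string is kept deliberately verbose so that a refused send can be traced back to the specific condition that failed.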

Another way in which the web site must adapt is to allow visitors to opt-out of receiving cookies and also by providing a clear and user-friendly way of achieving this. Bliss should revisit the information currently on its home page and consider whether this goes far enough to inform visitors about cookies. Due to the importance of cookies to Bliss’s online business, Bliss may want to consider making use of its online ordering service conditional on the acceptance of a cookie by the user; it will be entitled to do so under the new Directive.

[7] In our April Bulletin we explained that customers' choice of books, CDs, etc., could include sensitive personal data.


4. Other Data Privacy News

Richard Thomas has been appointed as the next Information Commissioner. He is expected to take on the role in December 2002 when the current Information Commissioner, Elizabeth France, starts in her new post as Telecoms Ombudsman.

The Information Commissioner’s Annual Report for 2001-2 was published on 10 July and is available from the Office of the Information Commissioner’s web site – to view a copy, click here and go to ‘Annual Reports’. As well as statistics on prosecutions and enforcement of the Data Protection Act 1998 during the last 12 months, the report also outlines the Office’s policy aims for the next year. In particular, the Commissioner would like to see a change in the law to enable her office to prosecute those who knowingly or recklessly commit criminal offences under the Act, and cause significant detriment in doing so, without the need to go down the enforcement notice route.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.