The EU finally replaced the existing Telecoms Directive with the new Privacy and Electronic Communications Directive (Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector 2002/58/EC) on 31 July of this year. The new Directive contains some controversial provisions that will affect cookies, spam and data retention. EU Member States are required to pass domestic legislation implementing the new Directive by 31 October 2003.
Background
The existing Telecoms Directive was passed in 1997 and does not specifically address the use of cookies or other software devices that can be used to monitor the browsing habits of internet users. Although it does regulate direct marketing by fax and telephone it does not specifically deal with more modern forms of direct marketing via emails and mobile phone text messages. The aim of the new Privacy and Electronic Communications Directive is to provide technology neutral legislation that is applicable to all types of current electronic communications.
The passing of the Directive completes the ‘telecoms package’, which is a set of interlinked new Directives from the EU which will establish a new regulatory framework for communications services. Although the European Commission’s explanatory note to the original proposal stated the new Directive was not intended to create major changes to the existing Telecoms Directive it will in fact have major implications for business.
What has changed?
Cookies
At its simplest, a cookie enables a web site
to "recognise" a repeat visitor to that website. For this reason, cookies
have been described as giving web sites "memory". They are used by the
majority of websites to both customise the presentation of the website for
individual users and also to collect information to build user profiles.
Cookies are to be permitted under the new Directive provided that recipients are informed of the purposes for which the information collected will be processed and recipients are also given a chance of opting-out of receiving cookies. The Directive provides some guidance on acceptable methods for giving information, offering a right to refuse and requesting consent. The general rule of thumb is that it must be user friendly. The guidance does permit some websites to refuse access without the well-informed acceptance of a cookie or similar device. Information and the right to refuse may be offered once for the use of various devices to be installed on a user’s terminal equipment during the same connection and also for any future connections.
Spam
The impact of the new Directive on direct
marketing by email depends on whether the recipient is an existing
customer. Existing customers can be sent direct marketing emails without
first obtaining the customer’s consent provided:
- the customer’s email address has been obtained during the course of a sale of a product or service;
- the email address was obtained in accordance with the Data Protection Directive;
- the direct marketing relates to similar products or services;
- the direct marketing is by the same company as that which made the original sale/s; and
- the existing customer must have been able to opt out (i.e. refuse) free of charge from receiving such emails at the time when the email address was collected and also on the occasion of each subsequent message.
If the recipient is not an existing customer the use of email (which includes SMS messages) for direct marketing will only be permitted if the recipient has given prior consent (opt-in).
For automated calling and automated fax machines the existing opt-in requirement will apply to all customers in relation to direct marketing.
Data retention
In order to protect the privacy of the
users of communication networks (e.g. telephone systems and the internet)
the Directive prohibits the interception and surveillance of the contents
of communications and also limits the length of time that traffic data in
relation to the communication can be retained. Those provisions are
similar to the existing Telecoms Directive. In certain circumstances the
new Directive permits Member States of the EU to pass laws that are
inconsistent with those restrictions. The Member State must be able to
justify the law as being “a necessary appropriate and proportionate
measure within a democratic society to safeguard national security, (State
security) defence, public security, the prevention, investigation,
detection and prosecution of criminal offences or of unauthorised use of
the electronic communication system.” The UK already has in place laws
which provide the government with the ability to require the retention of
data relating to users (see the article above in relation to RIPA – the
Regulation of Investigatory Powers Act).
Conclusion
Companies engaged in electronic commerce will need to reconsider their current practices in light of the new Directive. Although it is not due to be implemented until 2003, the changes required are unlikely to be able to be effected overnight. In particular, consideration will need to be given to how customer data is collected and the information provided to customers on websites regarding the customer’s rights in relation to such collection. Direct marketing practices will also need to be reviewed and appropriate information included on websites to enable the organisation to maximise its ability to use the information it collects about its customers.
The impact of the new data retention provisions is not yet clear as the Directive merely provides the framework for the Member States of the EU to pass domestic data retention laws. It has however provided the most controversial aspect of the new Directive as the EU is currently debating whether there should be uniform data retention laws in light of terrorist fears following the attacks on the US on 11 September, 2001. Any data retention requirements do however have the potential to impose extra cost burdens on business.
Please click through for a copy of the Directive on privacy and electronic communications.
© Herbert Smith 2002
The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.
For more information on this or other Herbert Smith publications, please email us.
