PrivacyandElectronicCommunications

19 December 2003

Grietje Baars

The regulation of “spam” and “cookies” has aroused much debate, and will impact on every business involved in every form of electronic communication, be it by (mobile) phone, fax, email or otherwise. Such new rules need to be introduced at a national level to implement the Directive on Privacy and Electronic Communications (2002/58/EC) (DPEC) which was adopted in 2002. Member states were required to implement the DPEC by 31st October 2003. The DPEC has belatedly been transposed into UK law as from 11th December by S1 2003 No. 2426, The Privacy and Electronic Communications (EC Directive) Regulations 2003. These Regulations will amend the Data Protection Act 1998, and replace the current Telecommunications (Data Protection and Privacy) Regulations 1999.

The overriding aim of the EU Directive is to take account of technological developments and to make the provisions as technology-neutral as possible. At the same time, it contains measures aimed at maximising public participation in e-commerce, by giving individuals the confidence that their privacy will be protected when they supply personal information on-line.

What are the major changes required by DPEC?

The new Directive (and consequently the UK implementing Regulations) impacts in the following areas:

Technological neutrality:

DPEC replaces existing definitions for “telecommunications services and networks” with new definitions for “electronic communications and services” to ensure technological neutrality and clarify the position of e-mail and use of the internet. It specifically mentions SMS services and should cover any anticipated future means of electronic communications.

Location-based services:

DPEC enables the provision of value added services based on location and traffic data, subject to the consent of subscribers (for example, location based advertising to mobile phone users).

Public directories:

The DPEC introduces new information and consent requirements on entries in publicly available directories (this includes phone books, but also for example the directories used by directory enquiries services delivered over the phone). Under these new requirements subscribers must be informed of all the possible uses of publicly available directories - e.g. reverse searching in order to obtain a name and address from a telephone number. The DPEC also removes the possibility for a subscriber to be charged for exercising the right not to appear in public directories.

Unsolicited direct marketing

DPEC extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones. Spam and SMS will be subject to a prior consent requirement, so the receiver is required to agree to receive it in advance. This will mean a substantial reduction in the number of entries in a company’s marketing database. There is an exception to opt-in in the context of an existing customer relationship, where companies may continue to email or SMS on an 'opt-out' basis. This exception is only available for marketing “similar products and/or services” – though this is likely to be given a wide interpretation. The rationale behind this exception is that it concerns marketing materials an individual would reasonably expect (or even wish) to receive. The UK Regulations provide that, in general, every form of electronic communication, on every occasion, must provide the consumer with the right to reject future marketing (“unsubscribe” information).

The Information Commissioner, who will enforce the Regulations (see below), has issued guidance on the Regulations and in particular how existing email marketing lists will be treated. (This guidance will be covered in our next bulletin).

Transfer to third parties

An individual must give his consent to the sender of the direct marketing (or to the body at whose instigation the marketing is done), rather than a third party. This will have a big impact on businesses who sell or lease their databases to others to use for direct marketing.

Retention of traffic and location data

DPEC clarifies that the Directive does not prevent Member States from introducing provisions on the retention of traffic and location data for law enforcement purposes.

Cookies

DPEC introduces controls on the use of “cookies” on websites. Cookies and similar tracking devices will be subject to a new transparency requirement - anyone that employs these kinds of devices must provide information on them and allow subscribers or users to refuse to accept them if they wish. In the UK it was already a requirement of the Data Protection Act 1998 to provide information on what cookies do, and this was usually done in privacy statements or specific cookie statements. The right to refuse cookies is new, but it is softened by the fact that businesses are not obliged to provide services to individuals refusing cookies.

The UK Regulations provide an exception for the information and consent requirements where a cookie is required, for example, solely to determine a user’s technical accessibility to a site format, or where a cookie is ‘strictly necessary’ for a service required by the user. An example of the latter would be the use of a “shopping basket” on a website, but the exception is likely to be interpreted narrowly.

Caller ID

The Directive also contains provisions on the use of Calling Line Identification Facilities or, more commonly, caller ID. It regulates, amongst others, the practice of harvesting customer data by means of caller ID screening. Oftel published Guidelines on this topic on 28 August 2003.

The legislation

The DPEC is one of the measures that resulted from the European Commission's 1999 Review of the regulatory framework for electronic communications, of which the key directives were the Framework Directive (2002/21/EC), the Access Directive (2002/19/EC), the Authorisation Directive (2002/20/EC) and the Universal Service Directive (2002/22/EC), implemented in the UK by the Communications Act 2003.

The DPEC, which was adopted on 12 July 2002, makes a number of changes, in the light of technological developments, to the current Telecoms Data Protection Directive (97/66/EC).

Cause of the delay in implementation

The delay in transposition of DPEC into national law was due to the fact that there were some important issues which were not decided by DPEC (e.g. whether “legal persons” (such as companies) as well as natural persons would be protected by the legislation). This issue was left open by the Directive for each member state to regulate as it sees fit. Although it is difficult to apply the concept of privacy to companies, but it is clear that, for example, spam can be a major problem to any business. Partnerships and sole traders have the right to opt out of fax and telephone direct marketing under the UK Regulations. Although companies have some rights in respect of fax direct marketing, they cannot use the Telephone Preference Service to opt out of phone marketing (but this is to be reviewed next year).

Enforcement of the Regulations

Enforcement of the Regulations in the UK is the responsibility of the Information Commissioner, Richard Thomas. He can either initiate an investigation himself or on the basis of a complaint received. If contravention is shown, the Information Commissioner can impose the sanctions available under the Data Protection Act 1998, extended to cover the new contraventions of the new Regulations.

The Information Commissioner most commonly imposes so-called “Enforcement Notices”, requiring action to be taken to remedy a breach of data protection legislation. Failure to comply with such a notice may amount to an offence punishable by way of a fine of up to £5,000 per offence if the case is heard in a Magistrates’ Court, or an unlimited fine if the case is heard in a County Court.

Company directors or managers may be held personally liable for a breach committed by them, with their knowledge, or by virtue of their negligence. Also, any individual who has suffered damage as a result of the breach of his privacy may bring a claim for compensation.

Commissioner’s view on enforcement

The public consultation sought respondents’ views on whether the enforcement powers available to the Information Commissioner should be expanded in view of the new Regulations. The Commissioner has commented that the current enforcement notice procedure is too cumbersome to deal with relatively straight-forward breaches such as the sending of unsolicited faxes. He urges the government to introduce enforcement provisions modelled on the “Stop Now Orders” used elsewhere in EC regulation. This would allow the Commissioner to apply to the Court for an order that the offender halts the offending behaviour immediately. Breach of such an order should then also be punishable. The Commissioner does concede, however, that all infringement issues should first be attempted to be resolved informally.

To learn more

If you would like further advice on the impact the Directive and the new UK legislation may have on your business, or if you would like us to send you a copy of the Regulations or the Commissioner’s guidance on the Regulations, please contact our Data Protection specialists Ruth Boardman or Hazel Grant at Bird & Bird on 020 7415 6000.


Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.