Directive on Privacy and Electronic Communications
Encyclopedia
Directive 2002/58 on Privacy and Electronic Communications, otherwise known as E-Privacy Directive, is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive
. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam
and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.
and applies to all matters which are not specifically covered by that Directive. In particular, the subject of the Directive is the “right to privacy in the electronic communication sector” and free movement of data, communication equipment and services.
The Directive does not apply to Titles V and VI (Second and Third Pillar) . Likewise, it does not apply to issues concerning public security and defence, state security and criminal law. At present, the interception of data is covered by the new EU Data Retention Directive the purpose of which is to amend E-Privacy Directive.http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf
Contrary to Data Protection Directive, which specifically addresses only individuals, Article 1(2) makes it clear that E-Privacy Directive also applies to legal persons.
The second general obligation is for the confidentiality of information to be maintained. The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and “related traffic”, unless the users have given their consent or conditions of Article 15(1) have been fulfilled.
allows the payment to be lawfully pursued. Data may be retained upon user’s consent for marketing and value added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing. Likewise, the users must be able to opt-out of calling-line identification.
Where data relating to location of user or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymized, where users have given consent or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.
Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services.
The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.
is Article 5(3). Recital 25 of the Preamble recognizes the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies. For cookies that are deemed to be ‘strictly necessary’ the consent of the user is not needed. An example of a ‘strictly necessary’ cookie is when you press ‘add to basket’ or ‘continue to checkout’ when shopping online. It is important that the browser remembers information from a previous web page in order to complete a successful transaction.
The article is technology neutral, not naming any specific technological means which may be used to store data. This reflects the EU legislator’s desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information is only allowed if the user is provided with “clear and comprehensive information”, in accordance with Data Protection Directive
, about why the information is being processed and is offered the right to opt out.
The regime so set-up can be described as opt-out
with an added information request. This effectively means that the consumer must be given the opportunity to opt out of receiving cookies. The UK Regulations allow for consent to be signified by browser settings allowing use of cookies and for initial consent to be carried over into repeated use of a website. The Directive does not give any guidelines as to what may constitute an opt-out.
Directive 95/46/EC on the protection of personal data
The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union...
. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.
Subject-matter and Scope
The Electronic Privacy Directive has been drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services. The Directive complements the Data Protection DirectiveDirective 95/46/EC on the protection of personal data
The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union...
and applies to all matters which are not specifically covered by that Directive. In particular, the subject of the Directive is the “right to privacy in the electronic communication sector” and free movement of data, communication equipment and services.
The Directive does not apply to Titles V and VI (Second and Third Pillar) . Likewise, it does not apply to issues concerning public security and defence, state security and criminal law. At present, the interception of data is covered by the new EU Data Retention Directive the purpose of which is to amend E-Privacy Directive.http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf
Contrary to Data Protection Directive, which specifically addresses only individuals, Article 1(2) makes it clear that E-Privacy Directive also applies to legal persons.
Main provisions
The first general obligation in the Directive is to provide security of services. The addressees are providers of electronic communications services. This obligation also includes the duty to inform the subscribers whenever there is a particular risk, such as a virus or other malware attack.The second general obligation is for the confidentiality of information to be maintained. The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and “related traffic”, unless the users have given their consent or conditions of Article 15(1) have been fulfilled.
Data retention and Other Issues
The Directive obliges the providers of services to erase or anonymize the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled. Retention is allowed for billing purposes but only as long as the statute of limitationsStatute of limitations
A statute of limitations is an enactment in a common law legal system that sets the maximum time after an event that legal proceedings based on that event may be initiated...
allows the payment to be lawfully pursued. Data may be retained upon user’s consent for marketing and value added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing. Likewise, the users must be able to opt-out of calling-line identification.
Where data relating to location of user or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymized, where users have given consent or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.
Spam
Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, where unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service, has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication, either where it was initially collected or subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13.Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services.
The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.
Cookies
The Directive provision applicable to cookiesHTTP cookie
A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site...
is Article 5(3). Recital 25 of the Preamble recognizes the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies. For cookies that are deemed to be ‘strictly necessary’ the consent of the user is not needed. An example of a ‘strictly necessary’ cookie is when you press ‘add to basket’ or ‘continue to checkout’ when shopping online. It is important that the browser remembers information from a previous web page in order to complete a successful transaction.
The article is technology neutral, not naming any specific technological means which may be used to store data. This reflects the EU legislator’s desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information is only allowed if the user is provided with “clear and comprehensive information”, in accordance with Data Protection Directive
Directive 95/46/EC on the protection of personal data
The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union...
, about why the information is being processed and is offered the right to opt out.
The regime so set-up can be described as opt-out
Opt in e-mail
Opt in email is a term used when someone is given the option to receive "bulk" email, that is, email that is sent to many people at the same time. Typically, this is some sort of mailing list, newsletter, or advertising...
with an added information request. This effectively means that the consumer must be given the opportunity to opt out of receiving cookies. The UK Regulations allow for consent to be signified by browser settings allowing use of cookies and for initial consent to be carried over into repeated use of a website. The Directive does not give any guidelines as to what may constitute an opt-out.
Literature
- Full text.http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT
- History of the decision making.http://ec.europa.eu/prelex/detail_dossier_real.cfm?CL=en&DosId=158278
- On spam: Asscher, L, Hoogcarspel, S.A, Regulating Spam: A European Perspective after the Adoption of the E-Privacy Directive (T.M.C. Asser Press 2006)
- Edwards, L, “Articles 6 – 7, ECD; Privacy and Electronics Communications Directive 2002” in Edwards, L. (ed.) The New Legal Framework for E-Commerce in Europe (Hart 2005)