New technologies, and in particular the Internet and electronic messaging services, call for specific requirements to ensure that users have a right to privacy. This EU Directive contains provisions that are crucial to ensuring that users can trust the services and technologies they use for communicating electronically. The main provisions apply to spam, ensuring the user’s prior consent (“opt-in”), and the installation of cookies.
Advertisement
ACT
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
SUMMARY
Directive 2002/58/EC forms part of the “Telecoms Package”, a new legislative framework designed to regulate the electronic communications sector and replace the existing regulations governing the telecommunications sector. The “Telecoms Package” includes four other Directives on the general framework, access and interconnection, authorisation and licensing and the universal service.
This Directive tackles a number of issues of varying degrees of sensitivity, such as the retention of connection data by the Member States for police surveillance purposes (data retention), the sending of unsolicited electronic messages, the use of cookies and the inclusion of personal data in public directories.
Confidentiality of communications
The Directive reiterates the basic principle that Member States must, through national legislation, ensure the confidentiality of communications made over a public electronic communications network. They must in particular prohibit the listening into, tapping and storage of communications by persons other than users without the consent of the users concerned.
Data retention
On the sensitive issue of data retention, the Directive stipulates that Member States may withdraw the protection of data only to allow criminal investigations or to safeguard national security, defence and public security. Such action may be taken only where it constitutes a “necessary, appropriate and proportionate measure within a democratic society”.
Unsolicited electronic messages (“spamming”)
The Directive takes an “opt-in” approach to unsolicited commercial electronic communications, i.e. users must have given their prior consent before such messages are addressed to them. This opt-in system also covers SMS text messages and other electronic messages received on any fixed or mobile terminal.
Cookies
Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user’s hard disk. Their original purpose was to retain information between sessions. They are also a useful and much decried tool for monitoring a net surfer’s activity.
The Directive stipulates that users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. To that end, users must also be provided with clear and precise information on the purposes and role of cookies.
Public directories
European citizens will have to give prior consent in order for their telephone numbers (landline or mobile), e-mail addresses and postal addresses to appear in public directories.
Changes made by Directive 2006/24/EC
In March 2006 the European Parliament and the Council adopted a Directive on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks services and amending Directive 2002/58/EC.
The Directive seeks to harmonise the provisions of the Member States concerning obligations incumbent on the providers of electronic communications services with respect to data retention. The aim is to ensure the availability of these data for the purpose of investigating, detecting and prosecuting infringements.
In particular, the Directive defines the following:
- the categories of data to be retained;
- the shelf-life;
- the storage requirements for retained data;
- the principles to be observed in the area of data security.
REFERENCES
Directive 2002/58/EC [adoption: codecision COD/2000/0189]
Entry into force: 30.07.2002
Deadline for transposition in the Member States: 31.10.2003
Official Journal: OJ L 201 of 31.07.2002
Amending act:
Directive 2006/24/EC [adoption: codecision COD/2005/0182]
Entry into force: 3.5.2006
Deadline for transposition in the Member States: 15.9.2007
Official Journal: OJ L 105 of 13.04.2006
RELATED ACTS
Proposal for a Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation [COM(2007) 698 final – Not published in the Official Journal].
The legislative reform designed to amend the current regulatory framework consists of two proposals which aim to better protect consumers, improve the existing legislative procedure in the area and complete the market in electronic communications. It also contains a third proposal on setting up a European authority for the electronic communications market.
Codecision procedure (2007/COD/0248)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281/31 of 23.11.95].
This Directive is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU.
Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001]
This Regulation aims to protect personal data within EU institutions and bodies. The text provides for:
- rules to ensure a high level of protection for personal data processed by the Community institutions and bodies;
- the creation of an independent supervisory body to monitor the application of these rules.
