THE DIRECTIVE ON PRIVACY AND ELECTRONIC COMMUNICATIONS

The DPEC was introduced as part of the process known as ‘convergence’, which occurred in 2002. Convergence is the name given to the process whereby the EC widened European telecommunications law to cover all electronic communications, hence the law on telecommunications, the internet and broadcasting was said to have converged (the application of electronic communications law to the broadcasting sector is limited, covering matters such as video on demand services where the broadcaster and the subscriber send and receive electronic communications). The aim of the DPEC is identified in Article 1.1., which says:

This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.


The DPEC expands upon and complements the Data Protection Directive. Importantly, it provides ‘for the protection of the legitimate interests of subscribers who are legal persons’, which means that companies gain the protection of data protection laws in this specialized area (see Article 1.2.).

Subscribers and users

The protections afforded under the DPEC are enjoyed by ‘subscribers’ and ‘users’. A subscriber may be a living individual or a company, but according to Article 2(a) a user can only be a living individual. The full definition of a user is as follows:

‘user’ means any natural person using a publicly available electronic communications service for private or business purposes, without necessarily having subscribed to this service.


As this definition makes clear, it does not matter whether a user uses a publicly available electronic communications service for private or business purposes. The same is true in the case of subscribers, although, of course, a subscriber can also be a user.

Why there is a distinction between subscribers and users

The DPEC distinguishes between subscribers and users because in a normal household or business environment there may be more than one user of a publicly available electronic communications service, but only one subscriber. In a domestic situation the subscriber can be considered to be the person within the household whose name is on the telephone bill, the satellite TV bill or the ISP bill, while the users might be the entire household.

In a business environment the distinction between subscribers and users is just as easy to understand. The business will be the subscriber to the publicly available electronic communications service and every employee will have the potential to be a user.

Publicly available electronic communications services

The DPEC applies ‘to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the [European] Community’ (Article 3.1.). If the electronic communication service is not publicly available, the Directive will not apply. This means that communications over a private network, such as a company intranet, will not be covered by the Directive, because the network is not publicly available. Of course, the Data Protection Directive will still apply if personal data are processed.

The distinction between services and networks

The DPEC makes an important distinction between publicly available electronic communications services and publicly available electronic networks.

The distinction between a service and a network will itself be obvious, but in terms of data protection law the importance of the distinction lies in the fact that most providers of publicly available electronic communications services provide their services over another organization’s network (of course, many organizations, like British Telecom and the mobile telephone companies, are both network and service providers). The likelihood of there being separation of control over networks and services presents many difficulties for data protection law.

Security of services

Article 4.1. of the DPEC requires the provider of a publicly available electronic communications service to ‘take appropriate technical and organisational measures to safeguard security of its services’. If necessary, the service provider must work ‘in conjunction with the provider of the public communications network with respect to network security’, pointing to concerns about the separation of control over networks and services.

In terms of the level of security required the service provider must ‘ensure a level of security appropriate to the risk presented’ and must have regard to the state of the art and the cost of implementing security measures. These obligations mirror the security requirements contained in Article 17 of the Data Protection Directive, implemented in the UK by the seventh data protection principle.

In addition to the obligation to take appropriate technical and organizational measures to safeguard security of the services, the service provider is also under an obligation to inform the subscriber of any particular risk of breach of the network’s security (Article 4.2.). Again, this recognizes the difficulties caused by the separation of control over networks and services. If the risk to network security lies outside of the scope of the technical and organizational measures taken by the service provider, the service provider must inform the subscriber of the remedies available to them and provide an indication of their likely cost.

Confidentiality of communications

The purpose of Article 5 of the DPEC is to ensure that Member States protect the confidentiality of communications and the traffic data generated by communications. The key provisions are as follows:

  • Member States must prohibit listening, tapping, storage and other kinds of interception or surveillance of communications and related traffic data by a person other than a user without the user’s consent (Article 5.1.).

  • Member States shall ensure that subscribers and users are provided with comprehensive information about the purpose behind any storage of information by electronic communications networks or the use of networks to gain access to information stored in their terminal equipment (Article 5.3.).

  • Member States shall ensure that subscribers and users are provided with the right to refuse the storage of information by electronic communications networks or the use of networks to gain access to information stored in their terminal equipment (Article 5.3.).


Interception and surveillance

The prohibition against the interception and surveillance of communications and related traffic data is not a complete prohibition. There are three exceptions:

  • Technical storage of information that is necessary for the conveyance of the communication is permitted, provided that it respects the principle of confidentiality (Article 5.1.).

  • The users of the electronic communications services can give their consent to interception and surveillance. Valid consent requires consent from both parties to the communication (Article 5.1.).

  • Interception and surveillance can be authorized by law (Article 5.1. and Article 5.2.).

The first exception recognizes the technical need for storage of information during the conveyance of a communication that is particularly prevalent in the ‘packet-switched’ internet environment. This is discussed in more depth in the section ‘Traffic data, retention and deletion’ below.

The second exception, interception and surveillance with consent, reflects the basic principle at the heart of the Data Protection Directive, namely that processing pursuant to a valid consent will be lawful.

The third exception, interception and surveillance that is authorized by law, has two components. The first component is that the interception and surveillance is legally authorized in accordance with Article 15(1) of the DPEC. The second component, contained in Article 5.2., applies where the law has authorized the recording of communications and related traffic data when carried out in the course of a lawful business practice for the purpose of providing evidence of a commercial transaction or any other business communication. In the UK provisions have been adopted under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.[154]

Article 15(1) of the DPEC allows Member States to adopt legislative measures to restrict the scope of Article 5 where that constitutes a ‘necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system’. In the UK legislative measures have been adopted under the Regulation of Investigatory Powers Act 2000 (RIPA) to allow for interception of communications and to allow access to communications data for law enforcement purposes.

The storage of information and the right to refuse

The right to refuse in Article 5.3. of the DPEC is concerned with the storage of information within a network as well as the use of a network to gain access to information stored in the subscriber’s or user’s equipment. However, it is not concerned with technical storage, or access for the sole purpose of carrying out or facilitating the transmission of a communication or technical storage or access that is strictly necessary in order to provide an information society service that is explicitly requested by the subscriber or user (an information society service is defined as ‘any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services’[155]).

In cases where Article 5.3. is engaged the service provider must provide the subscriber or user with clear and comprehensive information about the processing purpose in accordance with the Data Protection Directive. In addition, the subscriber or user must be told about the right to refuse the processing, which is very similar to being given an ‘opt-out’, meaning that the processing will be lawful until such time as the subscriber or user exercises the right to refuse. The use of cookies, adware and spyware are activities falling within Article 5.3. that the subscriber or user should be given the right to refuse.

Traffic data, retention and deletion

Article 6 of the DPEC is concerned with traffic data. The general rule within Article 6.1. is that traffic data should be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. This acts as a prohibition against the retention of data, but there are some exceptions. Traffic data may be retained after the communication has ended for the following purposes:

  • billing and interconnection payments (Article 6.2.);

  • for the marketing of electronic communications services or for the provision of value added services (Article 6.3.);

  • for national security, defence, public security, the prevention, detection and prosecution of crime and unauthorized use of communications systems (Article 6.1. and Article 15.1.).

Of course, even if an exception applies, the traffic data must be erased or made anonymous when the exceptional processing purpose has been completed.

What are traffic data?

Traffic data can be considered to be the by-product of an electronic communication and are defined in Article 2(b) as ‘any data processed for the purpose of conveyance of a communication on an electronic communications network or for the billing thereof’. Thus, traffic data is distinguishable from the content of a communication.

Processing for billing and interconnection payments

As an exception to the general rule that traffic data should be erased or made anonymous when it is no longer needed for the purpose of transmission of the communication, Article 6.2. allows for retention of traffic data and its processing for the purposes of subscriber billing and interconnection payments after the communication has been completed, but only up to the end of the period during which the bill may be lawfully challenged or payment pursued. This information needs to be stored for a period to allow calculation of bills and resolution of any disputes about bills.

Processing for marketing purposes and for the provision of value added services

Article 6.3. of the DPEC permits retention and processing of traffic data after the communication has ended for the purposes of marketing electronic communication services or for the purposes of providing value added services, provided that the subscriber or user has given consent. If the subscriber or user has given consent, the duration of the processing can be no longer than is necessary for the marketing purpose and once this time has expired the data must be erased or made anonymous.

Valid consent can only be obtained if the service provider informs the subscriber or user of the types of traffic data that are to be processed and the duration of the processing and this information must be provided before consent is given (Article 6.4.). In addition, the subscriber or user must be given the opportunity to withdraw consent at any time (Article 6.3.).

Processing for the purposes of national security and other matters of national and public importance

Article 6.1. refers to Article 15.1., which has already been mentioned in the context of interception and surveillance of communications. This also allows Member States to adopt legislative measures to restrict the operation of Article 6.1. where the restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defence, public security and the prevention, investigation, detection and prosecution of criminal offences and unauthorized use of telecommunications networks. Article 15.1. expressly states that on these grounds Member States may adopt legislative measures providing for the retention of data for a limited period.

In the UK measures have been introduced under the Anti-terrorism, Crime and Security Act 2001 (ATCSA) and measures will soon be harmonized across the EU due to the Communications Data Retention Directive,[156] which amends the DPEC. The Communications Data Retention Directive requires Member States to implement legislation to ensure that traffic data are retained by providers of publicly available electronic communications services and networks. The categories of data to be retained are:

  • data necessary to trace and identify the source of a communication;

  • data necessary to trace and identify the destination of a communication;

  • data necessary to identify the date, time and duration of a communication;

  • data necessary to identify the type of communication;

  • data necessary to identify the communication device or what purports to be the communication device;

  • data necessary to identify the location of mobile communication equipment.

These categories of data are to be retained for 12 months, unless the electronic communication used the internet protocol either wholly or partly, in which case the retention period is six months.

Persons who are allowed to process traffic data

Article 6.5. of the DPEC identifies the persons who are allowed to process traffic data, saying that processing must be restricted to persons acting under the authority of the network and service providers who are responsible for handling billing or traffic management, customer enquiries, fraud detection, marketing of electronic communications services or providing a value added service. The processing that may be done by these persons is restricted to that which is necessary for the purpose involved.

Itemized billing

The privacy issue within itemized billing is straightforward: by reading an itemized bill a third party can obtain the telephone number of a person called by the subscriber. This can compromise the subscriber’s privacy, the user’s privacy (if not the subscriber) and the privacy of the person called. For these reasons Article 7.1. of the DPEC gives subscribers the right to receive non-itemized bills.

Of course, itemized bills are very important to some subscribers, enabling them to keep track of calling and spending habits. They also have an important role to play in protecting the subscriber from incorrect billing and in furthering a competitive market. Thus, if the subscriber wishes to receive itemized bills, the interests of any users and the called party need to be taken into account. For this reason Article 7.2. requires Member States to apply national provisions in order to reconcile the rights of subscribers wishing to receive itemized bills and the right to privacy of calling users and called subscribers.

Calling and connected line identification

Article 8 is concerned with calling line identification and connected line identification. The difference between these services is as follows:

  • Calling line identification shows the telephone number of the caller to the called subscriber.

  • Connected line identification shows the telephone number of the called subscriber to the caller.

As with itemized billing the privacy issues are straightforward. First, if calling line or connected line identification services are in use, telephone numbers can be revealed to persons other than the participants of the calls. Second, if calling line identification is suppressed by the caller, the called subscriber could be connected to a person to whom they did not want to be connected.

The calling subscriber and user’s right to prevent calling line identification

Article 8.1. of the DPEC is concerned with the privacy of the calling subscriber and the calling user. If calling line identification is offered, the service provider must also offer the calling subscriber and the calling user a free, simple means for preventing the presentation of the calling line identification. The subscriber must be offered this possibility on a per-line basis while the calling user must have this possibility on a per-call basis.

The called subscriber’s right to prevent calling line identification

Article 8.2. of the DPEC is concerned with the privacy of the called subscriber. If the service provider offers calling line identification, it must also offer the called subscriber a free, simple means to prevent the presentation of the calling line identification on incoming calls.

The called subscriber’s right to reject incoming calls

Article 8.3. is also concerned with the privacy of the called subscriber. If the service provider offers calling line identification with presentation of the identification taking place before the call is established but the calling subscriber or calling user prevents presentation of the identification, the service provider must provide the called subscriber with a simple means for rejecting the incoming call.

The called subscriber’s right to prevent connected line identification

Article 8.4. contains the final protection for the called subscriber. If the service provider offers connected line identification (where the called subscriber’s number is presented to the calling subscriber or user) it must also offer the called subscriber a free, simple means for preventing the presentation of connected line identification.

Calling line identification and nuisance or malicious calls

Article 10(a) allows network and service providers to temporarily override the suppression of calling line identification when a subscriber receiving nuisance or malicious calls makes a request for the tracing of the number. This is subject to limiting rules for analogue exchanges contained in Article 3.2.

Calling line identification and emergency services

Article 10(b) gives the emergency services the right to override suppression of calling line identification (and any absence of consent to process location data) on a per-line basis. This is also subject to the limiting rules for analogue exchanges.

Digital exchanges and analogue exchanges

The rules in Article 8 of the DPEC apply to subscriber lines connected to digital exchanges. They also apply to subscriber lines connected to analogue exchanges where that is technically possible, provided that it does not require a disproportionate economic effort (Article 3.2.).

Location data

Location data is defined in Article 2(c) as ‘any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service’. As traffic data can indicate the geographic location of terminal equipment it can also fall within the definition of location data. Article 9 is concerned with the processing of location data, but not traffic data.

The processing of location data

Article 9.1. provides that location data can only be processed where it has been made anonymous, or for the provision of a value added service where the subscribers or users have provided their consent.

Processing for the purposes of value added services

The meaning of value added service is contained in Article 2(g). A value added service is any service ‘which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof’.

Processing for the provision of value added services is only allowed where the subscriber or user has given consent. The consent must be provided before the processing commences and the service provider must provide information about the processing, which consists of:

  • information about the type of location data that will be processed;

  • information about the processing purpose;

  • information about the duration of the processing;

  • information about any transfers to third parties.

The service provider must give subscribers and users the opportunity to withdraw their consent to processing at any time (Article 9.1.). They must also be given free, simple means for temporarily refusing processing (Article 9.2.).

There are also restrictions on the persons who are allowed to process location data. These are persons acting under the authority of the network provider, the service provider or the value added service provider. Their processing must be restricted to what is necessary for the purposes of providing the value added service (Article 9.3.).

Automatic call forwarding

Article 11 of the DPEC is concerned with automatic call forwarding, requiring Member States to ensure that a subscriber is given a free, simple means for stopping automatic call forwarding to their terminal by a third party.

Directories

Article 12 is concerned with directories of subscribers that are made available to the public, whether printed or electronic. The rules are as follows:

  • Subscribers who are individuals should be informed of a directory’s purpose prior to being included in it and they should also be told about any further usage possibilities based on search functions embedded in electronic directories (Article 12.1.). Member States are also required to have regard to the legitimate interests of subscribers who are not individuals.

  • Subscribers who are individuals should be given the opportunity to determine whether their personal data are to be included in a public directory as well as the right to verify, correct or withdraw their data. No charge will be made to subscribers who decide not to be in a directory or who decide to verify, correct or withdraw an entry (Article 12.2.). Member States are also required to have regard to the legitimate interests of subscribers who are not individuals.

Member States are entitled to require additional consents of subscribers for any purpose of a directory that extends beyond a simple search for contact details against a person’s name (Article 12.3.).

Unsolicited communications

Article 13 is concerned with direct marketing using electronic communications, specifically the use of automatic calling machines, direct marketing by fax, by email and by telephone. The UK rules are discussed in Chapter 4 of this book.

Remedies, liability and sanctions

Chapter III of the Data Protection Directive, entitled ‘judicial remedies, liability and sanctions’, discussed in Chapter 7 of this book, also has effect within DPEC because of the provisions of Article 15.2.
