e-Privacy Directive – Directive 2002/58/EC – (2002)
Full title: Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Scope:
- Applies to the processing of personal data in connection with “publicly available electronic communications services” in public communications networks (e.g. telecom operators, ISPs). Protected persons are subscribers and users; a user does not have to be a subscriber of the service.
- Does not apply to private electronic communications networks or to information society services (i.e. OTT services such as webmail or messaging apps that run over the network rather than providing it).
KEY PROVISIONS:
- Art. 4 – Security
- (1) The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard the security of its services, if necessary in conjunction with the network provider, having regard to the state of the art and the cost of implementation.
- (2) In case of a particular risk of a breach of the security of the network, the provider must inform the subscribers of that risk and, where the risk lies outside the scope of the measures the provider can take, of possible remedies, including an indication of the likely costs involved (the “risk notification” requirement).
- Art. 5 – Confidentiality of the communications
- (1) Member States must ensure the confidentiality of communications and the related traffic data, and in particular prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised.
- (3) the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.
- Note: in its 2002 form, Art. 5(3) covers cookies and similar storage in the user’s terminal equipment and only requires that users be informed and given the right to refuse, i.e. an “opt-out” model. See Recitals 24 and 25.
- Art. 6 – Traffic data
- (1) Traffic data relating to subscribers and users must be erased or made anonymous when it is no longer needed for the purpose of transmitting a communication; Art. 6(2) allows retention only as long as necessary for subscriber billing and interconnection payments.
- Art. 9 – Location data other than traffic data
- (1) Location data other than traffic data may only be processed when it is made anonymous, or with the consent of the users or subscribers, and only to the extent and for the duration necessary to provide a value added service. The service provider must inform users or subscribers, before obtaining consent, of the type of location data processed, the purposes and duration of the processing, and whether the data will be transmitted to a third party for the purpose of providing the value added service. Users or subscribers must be able to withdraw their consent at any time.
- Art. 13 – Unsolicited communications
- (1) The use of automated calling systems without human intervention (automatic calling machines), fax or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.
- Art. 15 – Application of Directive 95/46/EC:
- (3) The Article 29 Working Party (WP29) also carries out its tasks under Art. 30 of Directive 95/46/EC with regard to matters covered by this Directive.
November 2009 Amendments to the e-Privacy Directive of 2002.
Full title: Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (Text with EEA relevance).
Key Amendments:
- Art. 4 – Security
- Added Art. 4(1a), which spells out minimum security measures alongside the existing risk notification requirement: personal data may be accessed only by authorised personnel for legally authorised purposes; stored or transmitted personal data must be protected against accidental or unlawful destruction, loss, alteration and unauthorised or unlawful storage, processing, access or disclosure; and a security policy covering the processing must be implemented.
- Added a data breach notification requirement (Art. 4(3)): a personal data breach must be notified to the competent national authority without undue delay, and to the subscriber or individual concerned where the breach is likely to adversely affect their personal data or privacy, unless the provider has demonstrated to the authority that appropriate protection measures (rendering the data unintelligible to unauthorised persons) were applied to the affected data. Art. 4(4) lets national authorities audit compliance with these notification obligations and impose sanctions for failure to notify.
- Art. 5 – Confidentiality of the communications
- (3) storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.
- Note: the amended Art. 5(3) moves cookie storage from “opt-out” to “opt-in”: information may be stored in, or read from, the terminal equipment only after the subscriber or user, having been informed, has given consent. The exception for storage that is strictly necessary to provide an information society service explicitly requested by the user (or for the sole purpose of carrying out the transmission) remains.
- Art. 13 – Unsolicited communications
- Tightened the rules on direct marketing and unsolicited communications: the consent and opt-out requirements were strengthened, the prohibition in Art. 13(4) was extended to emails that encourage recipients to visit websites contravening the Article, and Art. 13(6) gives any natural or legal person adversely affected by infringements, including a service provider protecting its legitimate business interests, the right to bring legal proceedings.
- Art. 15 – Application of Directive 95/46/EC
- Inserted Art. 15(1b), which requires providers to establish internal procedures for responding to requests for access to users’ personal data made under national measures adopted pursuant to Art. 15(1) (e.g. by law enforcement), and to provide the competent national authority on demand with information about those procedures, the number of requests received, the legal justification invoked and their response.
- Art. 15a – Implementation and enforcement
- Inserted Art. 15a, which requires Member States to lay down effective, proportionate and dissuasive penalties, including criminal sanctions where appropriate, for infringements of the national provisions adopted under the Directive, and to give national authorities the power to order the cessation of infringements and the investigative powers and resources needed to enforce them.
Draft e-Privacy Regulation (ongoing)
- 2016 – The Article 29 Working Party (WP29) issued its opinion on the evaluation and review of the e-Privacy Directive, recommending to:
- Proposal to extend e-Privacy Directive scope to apply to OTT service providers
- Clarify definitions and expand application of the e-Privacy Directive
- Strengthen confidentiality including cookies, and location tracking to protect users.
- 2017 – The European Commission published its proposal for an e-Privacy Regulation (January 2017)
- Proposed replacing the e-Privacy Directive with a Regulation, so that the rules apply directly and uniformly across EU member states
- Ensure consistency with the GDPR by strengthening rules on scope and application, user consent, confidentiality and security, enforcement and penalties.
- A summary of the proposals is given in the Council’s press release.
- 2019 – European Data Protection Board Opinion 5/2019 on the interplay between the e-Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities.
- 2021 – The Council agreed its negotiating mandate on the draft e-Privacy Regulation (February 2021), the most recently updated version of the text, aligned with the GDPR.