The European Commission's (EC's) draft directive on the processing of personal data in the electronic communications sector, which is likely to come into force this year, proposes a number of changes in relation to data protection and privacy online.

If adopted in its current form, the directive will have an impact on the collection and processing of all personal data in the context of electronic communications. It is intended to replace a current directive dealing with the specific area of data protection in the telecommunications sector.

The new directive will (like the existing one) supplement the provisions of the general Data Protection directive (implemented in the UK by the Data Protection Act 1998).

There are a number of problems with the current directive. First, it is not 'technology neutral'. It was drafted when telecommunications was principally concerned with voice telephony.

The terminology it uses reflects this. For example, it refers to "calls" and there has been some divergence of views across the EU about whether or not this should be treated as including e-mail. The UK view has been that the current directive does not extend to e-mail, data collection and transfer via the web, SMS messaging and the like.

Secondly, the current directive does not reflect new technology. For example, location-based data is likely to become more important over the next few years in the mobile communications market and will spawn a collection of innovative services that will involve new uses of personal data. This type of development was not foreseen at the time the current directive was drafted.

As a result, if nothing were done, the proposed use of location data via the next generation of mobile phones would not be legal – the current directive is very restrictive on what network and service operators can do with things such as traffic and location data.

The new draft directive is designed to address these problems, by extending the relevant data protection regime to all types of electronic communication. A number of key provisions of the draft directive will have potentially significant effects.

The draft directive reproduces many of the provisions of the existing directive, but widens their effect by applying them to all forms of electronic communication (not just 'calls') and also adds some new provisions, for example, in relation to additional permitted uses of traffic data and location data.

As with the existing directive, there is an emphasis on security of electronic communication, and ensuring EU member states make sure networks and services remain confidential. In particular, they have to make sure that listening, tapping, storage, interception and surveillance by anyone other than users can only happen if the users have consented or where it is specifically authorised by law.

The Regulation of Investigatory Powers Act 2000 was enacted to provide such specific authorisation and to bring UK law into line with the current directive.

The current provisions about erasing traffic data (data processed in the course of, or for the purpose of transmitting a communication over an electronic communications network) are retained along with a new provision on marketing services to consenting subscribers. In addition, there are new provisions on location data (data processed in an electronic communications network indicating the geographic position of a user's terminal equipment).

For direct marketing purposes, the directive covers opt-in and opt-out regimes, and its provisions will be mandatory for natural persons. Member states may, if they wish, extend them to legal persons, such as companies, so as to regulate business-to-business direct marketing.

Timewise, it is intended that the directive, if and when adopted, will have to be implemented by national legislation in all relevant EU member states by 31 December, 2001.

Impact of the directive
So what does this all mean? The draft directive says it is not intended to create major changes to the substance of the existing directive, but just to adapt and update it to take account of new and foreseeable developments in electronic communications services and technologies.

However, the directive, if implemented in its current form, will still have some fairly important effects.

The ambit of the directive, in terms of who is going to have to comply with it, is wider than the directive it replaces. For example, it may affect someone providing an electronic communications service for remuneration that goes wider than just content provision. It may also affect someone who uses the internet for marketing purposes.

The new directive expressly extends to data services, for example e-mail, as well as standard voice and fax telephony.

Consent and suppression
Some key effects are that anyone providing an electronic communications network or service will have to design it so as to make sure that it takes account of the requirements of the directive. For example, location-based value-added services and the electronic communications network via which they are delivered will have to be designed so that they can be suppressed by the user whenever he or she wishes to do so.

Also, user/subscriber databases will have to be designed to incorporate fields to indicate different levels of consent or refusal to various elements of the relevant service or any marketing relating to it. Finally, processing of user/subscriber data will need to be analysed to ensure that all of its elements comply with the directive.

For example, use of anything falling within the description of traffic data will be restricted. Some uses will only be possible with consent.

It is possible that some of the directive goes further than first thought. For example, 'location data' is not going to be restricted to locating a mobile handset by technical means. Various types of data network may be theoretically "capable of processing location data".

The definition of 'traffic data' is also interesting. For example, many internet services use cookies that they install on users' machines often without seeking explicit consent first. Cookies can collect and store data generated by the user on search requests, websites visited and information (e.g. addresses) input to websites. Some or all of this data may fall within the definition of traffic data or location data (or both).

Depending on what data is collected by the cookie, the use of a cookie and how it operates may have to be on the basis of an 'opt-in' methodology.

As user consent is emphasised as a key element of both the delivery and marketing of services, to comply with the directive, it will be necessary to provide users/subscribers with a clear explanation of the service and the key elements of data processing involved in it.

The user's/subscriber's consent will need to be obtained as part of the sign-up process and more than a single global consent will be required. It will have to be possible, for example, to consent to the basic provision of a given value-added service but refuse the direct marketing by the service provider of other services.

Security
In relation to security, providers of all electronic communications networks or services will be obliged to implement reasonable levels of security in relation to their networks or services.

Subject to them being reasonably straightforward to implement at a reasonable cost, this obliges network and service providers to implement industry standard security measures. Network and service providers are likely to want to pass at least some of the cost of this onto the users/subscribers, possibly tied to an explanation of the risks and a presentation of the available options to combat them. Network or service providers who do not yet have reasonable levels of security will have to consider how to implement them.

Service providers will also have to explain the key security risks to users/subscribers, as well as outlining possible remedies and costs. This may cause varying levels of service provision and security and costs to match.

Direct marketing
The growing use of e-mail for direct marketing purposes will be tightly controlled. Opt-in for each recipient will be essential, which may be more beneficial as it ensures that e-mail marketing will be highly targeted, since it will only be directed at those who have asked to receive it. The UK, among others, opposes this provision and is presently lobbying for e-mail to be subject to an 'opt-out' regime instead.

Any current or proposed electronic communications network or service, or any marketing involving electronic communications, will need to be assessed for compliance with the directive and planned and implemented accordingly. Key issues to think about include:

network infrastructure/service design;
what data relating to users/subscribers is collected, how it is processed and what for (i.e. consideration of things such as the use of cookies);
provision of information to users and subscribers;
user/subscriber consent; and
network/service security (including the provision of information on this to users).

The directive has not yet been adopted formally and it may change prior to this occurring. Lobbying continues in relation to its provisions. For example, there has been a widely publicised suggestion that it should oblige providers of electronic communications networks and services to store and retain all traffic data for seven years to assist law enforcement. This proposal has generated considerable opposition from a civil rights and data protection/privacy perspective, and it remains to be seen if it will be incorporated.

Glyn Morgan is a partner in the IT practice at Taylor Joynson Garrett.