Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

EU proposes a new Electronic Communications Data Directive [2000] PLBIRp 38; (2000) 55 Privacy Laws and Business International Report 10

EU proposes a new Electronic Communications Data Directive

A report by Tilmann Kupfer

THE TELECOMMUNICATIONS DATA PROTECTION DIRECTIVE is being reviewed in order to widen its application and to harmonise the rules regarding opt-out. The industry view is, however, that the general Data Protection Directive already ensures appropriate protection, and that new measures would be costly.

This year the European Commission launched a major review of the European telecommunications legislation in order to adapt it to the more competitive communications market, taking into account convergence and technical developments. This "Communications Review" covers areas such as how to define market dominance and universal service obligations.

Whilst these elements deal with the regulation of the communications market, the European Commission has proposed a further measure, the update of Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector, better known as the Telecommunications Data Protection Directive. The purpose of this update is "to ensure that data protection rules in the communications sector are technologically neutral and robust."^[1]

Basically, this means that in addition to the provisions of the general Data Protection Directive (95/46/EC)^[2], many aspects of the telecommunications- specific Data Protection Directive may in the future not only affect telecommunications companies, but a wide range of businesses using electronic communications in any way and more specifically those in the e-commerce/Internet, mobile communications and interactive broadcasting industries.

THE MAIN CHANGES PROPOSED

The European Commission's proposals concern:

1. Definitions and terminology to ensure that all different types of transmission services for electronic communications (not only telecommunications) are covered, including e-mail;

2. Traffic data to cover all traffic data in a technology neutral way, i.e. those of traditional circuit switched telephony connections as well as packet switched Internet transmissions;

3. New - based on prior consent - provisions for the use of geographic location data, which are collected in the context of mobile services;

4. Provisions on directories to give subscribers the right to determine whether, and how, they are listed;

5. Constraints on unsolicited communications to be expanded to include e-mail on the basis of an opt-out regime.

Further, with regard to hardware and software used for terminal equipment, the Commission may, in the future, consider measures under Article 3.3.c) of Directive 1999/5/EC on Telecommunications Terminal Equipment. The article explicitly foresees the possibility of requiring manufacturers to construct their products in such a way that they incorporate safeguards to protect personal data and privacy of users and subscribers.

INDUSTRY CONCERNS

Already during the hearing on the Communications Review, which the Commission held in mid-May, industry heavily criticised the European Commission's proposed measures. In sum, there are three fundamental concerns by industry.

Firstly, a sector specific directive is considered to be unnecessary. The general Data Protection Directive already ensures an appropriate legal protection of personal data. In particular, its provisions are already technologically neutral and also fit with the requirements of a liberalised communications market where data is transmitted between many independent operators. A review of the current telecoms specific Directive with the purpose of making it technologically neutral should logically, therefore, lead to the conclusion that it be abolished. In contrast, the new proposal contains additional burden and costs. It discriminates against the communications sector, as other industries are subject only to the requirements of the general Data Protection Directive. The new Directive would create a second and overlapping layer of regulation, which affects any use of electronic communications, and in particular the wide range of industries operating in electronic commerce. Such an approach appears to be contrary to the Commission's own objective to focus more on codes of conduct and industry self-regulation.

Secondly, the review of the Telecommunications Data Protection Directive is premature and should be postponed. Given the fact that most Member States are still in the process of implementing the two Data Protection Directives^[3], little experience exists about the functioning of the current legislation. Consequently, it would make sense to postpone the review at least until the evaluation of the general Data Protection Directive. As stipulated by Article 33 of the latter, this will be next year. The evaluation should take into account "developments in information technology" and "the state of progress in the information society". A postponement of the telecoms data protection review would not only ensure the maintenance of consistency between the two Directives, but also provide more time to learn from the experience of the existing regime and for a thorough consultation on what is feasible and reasonable.

OPT-IN OR OPT-OUT

Thirdly, the Commission proposes to move to a European-wide opt-in regime for unsolicited communications, which would affect, in particular, direct marketing by e-mail. The existing legislation leaves it to Member States to decide whether direct marketing should require an opt-in by the addressee, or whether it would be sufficient to provide the receiver with the possibility to object to the direct marketing at any time and to be listed in so-called opt-out registers.

Industry argues that a compulsory opt-in would be inconsistent with the desire to promote e-commerce and in contradiction with the recently adopted Electronic Commerce Directive itself. This new Directive simply requires Member States to lay down in their legislation "that unsolicited commercial e-mails are clearly identifiable as such, and to take measures to ensure that service providers consult regularly and respect opt-out registers." However, the Commission writes in its new proposal that already four Member States had opt-in regimes for commercial e-mails and another one was about to adopt one, whilst in the other Member States an opt-out system exists. From an internal market perspective this was not satisfactory, as direct marketers were confronted with different regimes. Moreover, due to the non-geographical nature of e-mail addresses, which very often give no indication of the country of residence of the recipient, a system of divergent regimes within the EU was unworkable in practice. As a consequence, the Commission proposes to make opt-in the harmonized standard in particular in order to stop "spam".

INDUSTRY SELFREGULATION CALLED FOR

According to the industry, however, "spam" has nothing to do with direct marketing. It originates from surreptitious collection of e-mail addresses from newsgroups or chat-rooms. These practices are already illegal under the existing data protection legislation. Among others, individuals have to be notified when their personal data is collected so that they can exercise their right to opt-out.

"Spammers" don't respect these rights. Furthermore, "spam" is a problem also for ISPs because their systems cannot cope with the large volumes of mail generated. This is why many ISPs block mass mailings before they ever reach the inbox of their subscribers. Therefore, industry argues that the solution lies in the enforcement of existing legislation and industry self-regulation. The focus should be on keeping the consumer fully informed about the way their data is going to be used and to provide them the opportunity to to opt-out of receiving direct marketing e-mails at any time - in particular when they are contacted as part of an e-mail campaign. In most Member States, opt-out registers already exist for traditional direct marketing by mail, fax or telephone. Industry is now expanding these preference services to e-mail and launched initiatives to coordinate these lists also at a global level.

The new proposed Directive contains many other important aspects, such as how operators can process traffic data for the development and marketing of new value-added services, or which personal data is going to be listed in directories. However, one can already see now that the issues of "spam" and opt-in/opt-out are going to dominate political debate in the European Parliament, which is having its first reading on the new Directive this autumn.

Footnotes

[1] Proposal for a Directive concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, COM (2000) 385, 12 July 2000, can be found at http://www.ispo.cec.be/ infosoc/telecompolicy/review99/ welcome.html

[2] http://europa.eu.int/comm/internal_ market/en/media/dataprot/law/ index.htm

[3] For an overview of the implementation see http://europa.eu.int/comm/ internal_market/en/media/dataprot/ law/impl.htm

This report was written for Privacy Laws & Business by Tilmann Kupfer, European Regulatory Manager, BT Brussels Representative Office. He can be contacted by e-mail: tilmann.kupfer@bt.be