Last November, Information Society Commissioner Viviane Reding included an amendment of the e-privacy directive in her proposal for a review of the telecoms package as since its introduction, several new challenges to privacy on-line have appeared.
Search engines offer new services based on the use of personal data and social-networking websites are among the most used in the Web. Moreover, radio frequency identification chips have invaded the market and are being used for increasingly different purposes.
Against this fast-changing background, the Commission has adopted a proposal to reform the current legislation.
So far the most discussed and controversial aspects of the directive relate to the 'opt-in' system that applies to direct marketing practices. The 'opt-in' regime introduced by the directive requires direct marketers to ask for permission before sending unsolicited messages to potential clients (e-mails or text messages, for example). This is the opposite of the US 'opt-out' regime which permits such marketing practices until a given recepient tells them to stop.
The EU's opt-in regime is considered to offer greater safeguards against spam or junk e-mail that undermine consumer confidence in electronic communication and e-commerce. In contrast, the US opt-out regime (the 2003 CAN-spam act) has often been described as a legal authorisation to spam.
However, businesses have frequently found themselves in difficult situations when seeking to comply with the the opt-in requirements of the EU directive. According to the directive, exceptions to the opt-in rule can be granted to businesses who have already obtained the person's contact details in the context of the sale of a product or service. Marketing activities directed at such persons could then take place only if they relate to similar products or services and if customers are given the opportunity to unsubscribe free of charge in an easy manner.
Thus far, member states' interpretation of this provision has differed significantly, leading to confusion over which practices are tolerated. Indeed, varying degrees of protection were granted to businesses accross the EU, which made complying with the directive a difficult task.
The e-privacy directive also sets out specific conditions for installing so-called Internet 'cookies' on computers. Cookies are small electronic files which are automatically stored on peoples' computers when they browse the Internet. In their legitimate form, they serve as locating devices for website operators to coordinate interaction with their viewers.
In other, sometimes borderline uses, cookies can help webmasters track back and identify each individual visitor of a website. Once a visitor has revealed his or her identity (for example by filling an online form), their subsequent visits can be traced and followed closely, revealing browsing behaviour that helps direct marketers tailor personalised advertising sent by e-mail, including unsolicited ones (spam).
Another controversial provision of the e-privacy directive relates to data retention. According to this provison, businesses providing communication networks (telecom operators for instance) can retain traffic data (telephone calls and e-mails) only for the purpose of billing. Afterwards, traffic data has to be erased or made anonymous. However, national law enforcement authorities can require network operators to retain this information for criminal enquiries, providing this is made in accordance with fundamental human rights.
In fact, a separate directive is being examined that would break away from such strict rules. It would require operators to retain their traffic data for periods of up to 24 months which, according to the NGO Statewatch, is unlawful and based on the false pretext of the fight against terrorism. Telecoms operators fear the costs incurred by such measures.