Privacy and data protection in the information society

The e-Privacy directive was the latest piece of legislation to be added to the telecoms package, which includes four other directives. 

Its underlying objective is to permit the free movement of lawfully obtained personal data within EU member states. It lays down confidentiality as the basic principle applicable to all forms of electronic communications, including the Internet and regular telephone lines. 

As a consequence, any form of interception or storage of private communications was prohibited without the users' prior consent (the so-called 'opt-in' system, with the user identified as a private individual or a business).

Last November, Information Society Commissioner Viviane Reding included an amendment of the e-privacy directive in her proposal for a review of the telecoms package as since its introduction, several new challenges to privacy on-line have appeared. 

Search engines offer new services based on the use of personal data and social-networking websites are among the most used in the Web. Moreover, radio frequency identification chips have invaded the market and are being used for increasingly different purposes.

Against this fast-changing background, the Commission has adopted a proposal to reform the current legislation.

So far the most discussed and controversial aspects of the directive relate to the 'opt-in' system that applies to direct marketing practices. The 'opt-in' regime introduced by the directive requires direct marketers to ask for permission before sending unsolicited messages to potential clients (e-mails or text messages, for example). This is the opposite of the US 'opt-out' regime which permits such marketing practices until a given recepient tells them to stop.

The EU's opt-in regime is considered to offer greater safeguards against spam or junk e-mail that undermine consumer confidence in electronic communication and e-commerce. In contrast, the US opt-out regime (the 2003 CAN-spam act) has often been described as a legal authorisation to spam.

However, businesses have frequently found themselves in difficult situations when seeking to comply with the the opt-in requirements of the EU directive. According to the directive, exceptions to the opt-in rule can be granted to businesses who have already obtained the person's contact details in the context of the sale of a product or service. Marketing activities directed at such persons could then take place only if they relate to similar products or services and if customers are given the opportunity to unsubscribe free of charge in an easy manner.

Thus far, member states' interpretation of this provision has differed significantly, leading to confusion over which practices are tolerated. Indeed, varying degrees of protection were granted to businesses accross the EU, which made complying with the directive a difficult task.

The e-privacy directive also sets out specific conditions for installing so-called Internet 'cookies' on computers. Cookies are small electronic files which are automatically stored on peoples' computers when they browse the Internet. In their legitimate form, they serve as locating devices for website operators to coordinate interaction with their viewers. 

In other, sometimes borderline uses, cookies can help webmasters track back and identify each individual visitor of a website. Once a visitor has revealed his or her identity (for example by filling an online form), their subsequent visits can be traced and followed closely, revealing browsing behaviour that helps direct marketers tailor personalised advertising sent by e-mail, including unsolicited ones (spam).

Here again, the issue lies in the legitimacy of the business world's approach to clients. Those who feel that their use of cookies is a legitimate way of handling direct marketing operations wonder how visitors could expect to be "offered the opportunity to refuse" a cookie.

Another controversial provision of the e-privacy directive relates to data retention. According to this provison, businesses providing communication networks (telecom operators for instance) can retain traffic data (telephone calls and e-mails) only for the purpose of billing. Afterwards, traffic data has to be erased or made anonymous. However, national law enforcement authorities can require network operators to retain this information for criminal enquiries, providing this is made in accordance with fundamental human rights. 

In fact, a separate directive is being examined that would break away from such strict rules. It would require operators to retain their traffic data for periods of up to 24 months which, according to the NGO Statewatch, is unlawful and based on the false pretext of the fight against terrorism. Telecoms operators fear the costs incurred by such measures.

European consumer organisation BEUC isconcerned about the common practice of unfair data collection and profiling of consumers in online marketing through the use of cookies. 

EMOTA, the European mail order and distance-selling trade association, has been concerned that legitimate e-mails are being blocked as spam following the introduction of the opt-in system to the e-privacy directive.

ETIS, the association that brings together the major telecommunications providers in Europe on key information and communication technology issues, proposes to share best practices in anti-spam among providers to counter the spread of unsolicited emails.

European law enforcement agencies have previously criticised the EU's current data processing legislation. They feel that it is a data retention issue and not a data protection one. They argue that the existing 1995 EU directive on the processing of personal data (applied in 1998) has made it harder for the police to track criminals and to combat online crime rings. Under existing EU legislation, law enforcement agencies are forced to seek permission for each individual electronic communications tap or evidence search. The amount of time that communications firms are allowed to keep data before it has to be destroyed is also strictly regulated.

Civil liberties groups are terrified that, following the Council of Europe's Cybercrime Treaty, sweeping powers would be granted to police forces from countries that have a history of abuse of power by the law enforcement authorities. They are worried by the provisions on the interception of electronic communications, and fear that protection of personal data and the right to anonymity may be jeopardised.

On data retention, European business union UNICE fears that businesses will have to bear the costs of retaining personal data. This might include everything from bank records and web-surfing data to the records of people who travel through toll-road pass-key systems. It says it is committed to co-operating with government authorities to combat terrorism but wants the privacy of customers to be respected and businesses to keep thriving.

Non-assigned links

• European Commission:Proposed review of the e-privacy directive(13 November 2007)
• Eur-Lex:Directive 2002/58 on privacy and electronic communications[ FR FR DE
• Eur-Lex:Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data[ FR FR DE
• DG Internal Market:Data Protection website
• ScadPlus:Data protection in the electronic communications sector[ FR FR DE
• Eurobarometer:Data protection[ FR FR Executive summary FR Executive summary FR FR Executive summary FR Highlights
• France:Commission Nationale de l'Informatique et des Libertés (CNIL)| Administration électronique et protection des données personnelles
• Germany:Bundesbeauftragter für den Datenschutz(Federal Data Protection Commissioner)
• UK information commissioner:Privacy and electronic communications| Data protection
• UK Department of Trade and Industry:The Directive on Privacy and Electronic Communications(2002/58/EC)
• US Federal Trade Commission:Privacy initiatives| Safe harbour overview
• Council of Europe:Convention on Cybercrime(23 November 2001) [FR]
• Council of Europe:Data protection [FR]
• CEN Information Society Standardisation System (ISSS):Final report of the Initiative for Privacy Standardization in Europe (ISPE) expert report to the European Commission(13 February 2002)
• CEN Information Society Standardisation System (ISSS):Data Protection & Privacy Workshop (DPP)
• Organisation for Economic Cooperation and Development (OECD):Protection of privacy and personal data
• Organisation for Economic Cooperation and Development (OECD):OECD guidelines on the protection of privacy and transborder flows of personal data[ FR
• Federation of European Direct Marketing (FEDMA):Self-Regulation for Data Protection - FEDMA defends Codes in Preference to Law(7 October 2002)
• European Competitive Telecommunications Association (ECTA):ECTA position on the implementation of the 1995 Data Protection directive(4 October 2002)
• European Competitive Telecommunications Association (ECTA):ECTA attacks EU Government plans to undermine internet users privacy and increase costs(11 September 2002)
• European ICT Assciation (EICTA):Position for the second reading on the directive concerning the processing of personal data and the protection of privacy in the electronic communications sector(14 February 2002)
• Online Privacy Alliance:Guidelines for Online Privacy Policies
• Direct Marketing Association:Privacy
• European Mail Order and Distance Selling Trade Association (EMOTA):Legitimate businesses risk 'drowning in a sea of spam'(3 March 2004)
• European Mail Order and Distance Selling Trade Association (EMOTA):Consultation on the 1995 Data Protection Directive(28 August 2002)
• ETIS:Best practices in anti-spam(September 2007)
• UNICE, EICTA, ICC, INTUG:Press release: Industry join forces to avert data retention laws(4 June 2003)
• UNICE, EICTA, ICC, INTUG:Common industry statement on storage of traffic data for law enforcement purposes(4 June 2003)
• Interactive Advertising Bureau UK:All about cookies
• European Consumers' Organisation (BEUC):Position on the proposal for a directive concerning the processing of personal data and the protection of privacy in electronic communications of July 2000[ FR
• Center for Democracy and Technology (CDT):Privacy dossier
• Electronic Privacy Information Centre (EPIC):Home Page
• Global Internet Liberty Campaign (GILC):Privacy issue
• Privacy International:Home Page
• Statewatch:Observatory on Surveillance in Europe
• Droit et nouvelles technologies:Dossier: Vie privée et communications électroniques(3 February 2004)
• Statewatch:EU - Mandatory retention of telecommunications data would be unlawful
• Statewatch:EU - Majority of governments introducing data retention of communications