Privacy and data protection in the information society

The Privacy and Electronic Communications Directive (2002/58/EC) was adopted in 2002 as a complement to the existing Framework Data Protection Directive (1997/66/EC). It regulates privacy and data protection issues as a result of new online marketing practices. One of the most controversial aspects of the directive was the introduction of an ‘opt in’ system requiring prior customer consent for unsolicited e-mails (spam). In November 2007, the Commission proposed to review the directive to take the latest technological developments into account.

The e-Privacy directive was the latest piece of legislation to be added to the telecoms package, which includes four other directives. 

Its underlying objective is to permit the free movement of lawfully obtained personal data within EU member states. It lays down confidentiality as the basic principle applicable to all forms of electronic communications, including the Internet and regular telephone lines. 

As a consequence, any form of interception or storage of private communications was prohibited without the users' prior consent (the so-called 'opt-in' system, with the user identified as a private individual or a business).

Last November, Information Society Commissioner Viviane Reding included an amendment of the e-privacy directive in her proposal for a review of the telecoms package as since its introduction, several new challenges to privacy on-line have appeared. 

Search engines offer new services based on the use of personal data and social-networking websites are among the most used in the Web. Moreover, radio frequency identification chips have invaded the market and are being used for increasingly different purposes.

Against this fast-changing background, the Commission has adopted a proposal to reform the current legislation.

So far the most discussed and controversial aspects of the directive relate to the 'opt-in' system that applies to direct marketing practices. The 'opt-in' regime introduced by the directive requires direct marketers to ask for permission before sending unsolicited messages to potential clients (e-mails or text messages, for example). This is the opposite of the US 'opt-out' regime which permits such marketing practices until a given recepient tells them to stop.

The EU's opt-in regime is considered to offer greater safeguards against spam or junk e-mail that undermine consumer confidence in electronic communication and e-commerce. In contrast, the US opt-out regime (the 2003 CAN-spam act) has often been described as a legal authorisation to spam.

However, businesses have frequently found themselves in difficult situations when seeking to comply with the the opt-in requirements of the EU directive. According to the directive, exceptions to the opt-in rule can be granted to businesses who have already obtained the person's contact details in the context of the sale of a product or service. Marketing activities directed at such persons could then take place only if they relate to similar products or services and if customers are given the opportunity to unsubscribe free of charge in an easy manner.

Thus far, member states' interpretation of this provision has differed significantly, leading to confusion over which practices are tolerated. Indeed, varying degrees of protection were granted to businesses accross the EU, which made complying with the directive a difficult task.

The e-privacy directive also sets out specific conditions for installing so-called Internet 'cookies' on computers. Cookies are small electronic files which are automatically stored on peoples' computers when they browse the Internet. In their legitimate form, they serve as locating devices for website operators to coordinate interaction with their viewers. 

In other, sometimes borderline uses, cookies can help webmasters track back and identify each individual visitor of a website. Once a visitor has revealed his or her identity (for example by filling an online form), their subsequent visits can be traced and followed closely, revealing browsing behaviour that helps direct marketers tailor personalised advertising sent by e-mail, including unsolicited ones (spam).

Here again, the issue lies in the legitimacy of the business world's approach to clients. Those who feel that their use of cookies is a legitimate way of handling direct marketing operations wonder how visitors could expect to be "offered the opportunity to refuse" a cookie.

Another controversial provision of the e-privacy directive relates to data retention. According to this provison, businesses providing communication networks (telecom operators for instance) can retain traffic data (telephone calls and e-mails) only for the purpose of billing. Afterwards, traffic data has to be erased or made anonymous. However, national law enforcement authorities can require network operators to retain this information for criminal enquiries, providing this is made in accordance with fundamental human rights. 

In fact, a separate directive is being examined that would break away from such strict rules. It would require operators to retain their traffic data for periods of up to 24 months which, according to the NGO Statewatch, is unlawful and based on the false pretext of the fight against terrorism. Telecoms operators fear the costs incurred by such measures.

European consumer organisation BEUC isconcerned about the common practice of unfair data collection and profiling of consumers in online marketing through the use of cookies. 

EMOTA, the European mail order and distance-selling trade association, has been concerned that legitimate e-mails are being blocked as spam following the introduction of the opt-in system to the e-privacy directive.

ETIS, the association that brings together the major telecommunications providers in Europe on key information and communication technology issues, proposes to share best practices in anti-spam among providers to counter the spread of unsolicited emails.

European law enforcement agencies have previously criticised the EU's current data processing legislation. They feel that it is a data retention issue and not a data protection one. They argue that the existing 1995 EU directive on the processing of personal data (applied in 1998) has made it harder for the police to track criminals and to combat online crime rings. Under existing EU legislation, law enforcement agencies are forced to seek permission for each individual electronic communications tap or evidence search. The amount of time that communications firms are allowed to keep data before it has to be destroyed is also strictly regulated.

Civil liberties groups are terrified that, following the Council of Europe's Cybercrime Treaty, sweeping powers would be granted to police forces from countries that have a history of abuse of power by the law enforcement authorities. They are worried by the provisions on the interception of electronic communications, and fear that protection of personal data and the right to anonymity may be jeopardised.

On data retention, European business union UNICE fears that businesses will have to bear the costs of retaining personal data. This might include everything from bank records and web-surfing data to the records of people who travel through toll-road pass-key systems. It says it is committed to co-operating with government authorities to combat terrorism but wants the privacy of customers to be respected and businesses to keep thriving.

Subscribe to our newsletters