Telecoms privacy directive – UK implementation
Privacy and electronic communications
Mark Crichard, DLA

Issues of privacy and marketing are once again topical. AOL is suing the senders of spam which has clogged up its network. Location based marketing is a step closer in the UK with the introduction of the first 3G mobile phones. Yet currently the regulation of direct marketing using electronic communications is, at best, confusing. Different pieces of legislation and codes of conduct have been used to regulate different forms of communications. The Directive on Privacy and Electronic Communications (the “Directive”) aims partly to bring the various threads together. This article considers how effectively it achieves this by examining the main provisions of that Directive relating to privacy and how they will change the current regime in the UK.
A. Background
The Directive itself forms the last in the wave of new telecommunications provisions introduced by the European Union. It was adopted on 12 July 2002 and Member States have until 31 October 2003 to implement it. As is now common practice, in March of this year the DTI entered into a twelve week public consultation on how best to implement the Directive in the UK, which will close on 19 June 2003. The Government will then consider the responses to the consultation and plans to publish the final implementing regulations in August. If all goes to plan there will be a familiarisation period before the regulations take effect at the end of October. Details of the consultation can be found on the DTI website at: http://www.dti.gov.uk/industries/ecommunications/directive_on_privacy_electronic_communications_200258ec.html. For the avoidance of doubt, the comments in this article are based upon the Directive and the draft regulations issued as part of the consultation paper (the “Regulations”).
B. Summary of key measures
In brief, the main measures of the Directive which are discussed in more detail later in this article are:
■ The introduction of “technologically neutral” definitions of electronic communications and services, to replace the narrower (previously used) definitions of telecommunication services and networks.
■ Extension of controls on unsolicited direct marketing to all forms of electronic communications.
■ The introduction of controls on the use of “cookies”.
■ The enabling of location based marketing, subject to the consent of the user or subscriber (the person or corporate who has subscribed to the relevant service).
■ The introduction of new information and consent requirements on entries in publicly available directories.
The Directive deals with a number of other areas, such as matters relating to network security and calling/connecting line identification. However, these are not dealt with in this article.

Not surprisingly, given the lengthy and heated debates that took place whilst the Directive was being discussed within the EU legislature, the final results are more evolutionary than revolutionary in nature. So much so, the DTI has even looked at the possibility of doing nothing to specifically implement the Directive. According to the consultation, however, the Government currently plans to repeal the Telecommunications (Data Protection and Privacy) Regulations 1999, which contain the current rules on data protection in the telecommunications sector, and to replace them with the Regulations (which will be known as the Privacy and Electronic Communications (EC Directive) Regulations 2003).

Even with this approach the Regulations will need to be read alongside other relevant legislation, including the Data Protection Act 1998 (which, save for minor amendments relating to enforcement, is left unchanged), the Regulation of Investigatory Powers Act 2000, the Computer Misuse Act 1990 and the Electronic Commerce (EC Directive) Regulations 2002 (which implemented the E-Commerce Directive). In practice this means that businesses affected will have to check their compliance with all the relevant pieces of legislation (even if they require slightly differing things in terms of compliance). And this is even before voluntary codes of conduct, such as the Committee of Advertising Practice (CAP) codes, are considered. For example, the Data Protection Act already provides a basic framework for how personal data is to be processed. It also gives individuals the right to prevent their data being used for direct marketing. Anyone using emails for direct marketing will therefore need to ensure that (at the very least) they meet the requirements of the Data Protection Act and the Regulations. The rest of this article looks in more detail at the key measures mentioned above.

Computer Law & Security Report Vol. 19 no. 4 2003 ISSN 0267 3649/03 © 2003 Elsevier Ltd. All rights reserved
C. Unsolicited direct marketing
Used carefully, unsolicited direct marketing can be a powerful tool for marketers. Yet its sheer volume causes problems for some networks and irritates many recipients. It is estimated, for example, that 40% of global email traffic is spam.
1. The current regime for individuals
Currently, specific direct marketing constraints only exist in relation to marketing to individuals by telephone and fax (although all forms of direct marketing have, in any event, to comply with the Data Protection Act). An “opt out” scheme is operated by the Direct Marketing Association (DMA) for direct marketing calls made by telephone. The scheme enables individuals to register with the Telephone Preference Service (“TPS”) if they object to direct marketing calls generally. Direct marketing calls to persons who have registered (or have indeed told the specific caller directly that they object to direct marketing) are therefore already prohibited. The rules for direct marketing to individuals by fax are currently slightly more favourable to individuals. The onus is switched, in that such marketing is prohibited unless the individual has actually given his/her prior consent, i.e. has “opted in”.
2. The new regime for individuals
The Directive intends to bring together the rules relating to unsolicited direct marketing, irrespective of the means of electronic communication used. It says that where unsolicited direct marketing is made to individuals, whether by fax, email, SMS or using automated calling systems, the consent of the recipient must first be obtained. However, there are certain exceptions to the opt-in rule that will soften the impact of the Directive in relation to marketing by email, which includes the use of SMS (this has been dubbed the “soft opt in”). The soft opt in will allow the use of email or SMS details for direct marketing provided that the customer’s details have been obtained directly from them, in the context of an existing customer relationship through the purchase (or the negotiation of the purchase) of goods or services, for the purposes of marketing the sender’s own similar products or services. In other words, if I sold you a book I could send you a text message promoting a magazine subscription. However, under the Directive I would still have had to tell you, when I sold you the book, that I might use your data for such purposes. I would also need to give you the opportunity to object, or opt out, at any time, free of charge. As for marketing by phone, the Directive has left it to each Member State to decide whether to give individuals opt in or opt out rights. The Government is likely to leave things as they are, with the current opt out scheme continuing.
3. The current regime for corporates
Currently, an opt out scheme (again operated by the DMA) also exists to enable corporate subscribers to opt out of receiving direct marketing by fax, in the same way as individuals can for phone based marketing. No other specific rights are presently given to corporates, although they may rely on the general provisions of the Data Protection Act if personal data is used to market to them.
4. The new regime for corporates
The Directive allows Member States to determine what level of protection should be given to corporate subscribers in respect of unsolicited communications. The Government has sought input from businesses on how it should address this. It is currently minded only to give corporate users new rights to opt out in respect of phone based communications (in line with the current practice in respect of faxes). However, it does not intend to extend these rights to email/SMS based communications. In summary, therefore, the likely implementation of the Directive would lead to the following rights and restrictions.

| Type of Recipient | Communication method | Type of "consent" required |
|---|---|---|
| Individual | Fax; automated calling systems (no human intervention) | Prior consent ("opt in") required. |
| Individual | Email/SMS | Prior consent ("opt in") required, except where there is a prior relationship (in which case the "soft opt in" rules may apply). |
| Individual | Telephone | Left to Member States. The Government is expected to maintain the existing "opt out" regime (including registration through the TPS). |
| Corporates | Telephone/Fax | Left to Member States. The Government is expected to extend the existing "opt out" regime to both fax and telephone. |
| Corporates | Email/SMS | Left to Member States. The Government is not expected to extend opt out or opt in rights to this area. |

The most interesting aspect of these provisions is, probably, the soft opt-in rules relating to email/SMS communications. In particular, there is clearly a fair degree of scope for differing views on when an “existing relationship” has been established (for example, will an expression of interest in a company’s products be enough?) and what amounts to “similar products or services”.

D. Collection and use of “cookies”
The provisions in the Directive relating to cookies were amongst the most hotly debated, with very wide ranging views on how they should be controlled having been expressed. The compromise position in the final, adopted version of the Directive is that the use of cookies (or any similar devices which allow data to be placed on or accessed from the user’s handset or terminal) will only be permissible if the relevant user or subscriber has been given:
■ “clear and comprehensive information” concerning how cookies are to be used; and
■ an opportunity to refuse to allow cookies to be used in relation to them.
This is substantially weaker in scope than some of the earlier proposals, which at one stage included obligations to obtain consent each time cookies are used. The position is made all the more palatable (to those using cookies), as this information (and the right to object) will not need to be repeated every time the user/subscriber accesses the relevant service.

The Directive goes on to provide that these requirements do not apply where the cookie (or the equivalent) is intended for the sole purpose of enabling or facilitating the transmission of a communication (e.g. to enable technical access) or where it is strictly necessary for the provision of an on-line service requested by the user/subscriber. No doubt the interpretation of this exception - when is a cookie necessary as opposed to desirable - will be a key issue in its implementation.

One of the most interesting aspects of this is how the process is managed in cases where either a computer has multiple users (individual living persons) or where a subscriber has “consented” to the use of cookies but individual users have not (or vice versa). This is important because a cookie recognises or attaches itself to specific computers rather than specific users or subscribers. The Government looks like it will duck this issue, as the Regulations do not seek to deal with possible “conflicts” between multiple users/subscribers having access to the same machines.

Arguably these specific provisions will make little or no substantial change to the position under the existing rules. Certainly many businesses using cookies on web sites already include details of how and when they are used, either in terms and conditions or privacy policies, and users already have technical means available to prevent the use of cookies (although this may prevent them from accessing certain sites). Many web sites should, therefore, already be largely compliant.

Finally it is, once again, important to remember that these requirements also have to be read in the context of the Data Protection Act, the Regulation of Investigatory Powers Act and the Computer Misuse Act, which already apply a “layer” of rules applicable to the interception of communications and the unlawful use of a third party’s computer.
E. Location based marketing and related issues
1. Traffic data
The Directive makes relatively few changes (from the current rules) to what electronic communications network and service providers may do with traffic data (i.e. data which is processed for the purpose of conveying communications and for billing purposes, such as the length and destination of phone calls). It requires providers to delete or anonymise traffic data once it is no longer required for network management, billing or dispute resolution purposes. Unsurprisingly the exception allowing longer retention where necessary for national security and law enforcement purposes will continue. In a change to the current position, the Directive will, however, allow providers to retain and use traffic data to market “value added services”. The Directive does not seek to restrict the involvement of third parties in the provision of value added services, or to place a limit on the kinds of services that may be offered, but there are some important provisos. In particular the subscriber or user must be informed of the data processing implications of any services; they must give their consent to the service or marketing (i.e. opt in); and they must also be allowed to withdraw that consent at any time.
2. Location data
Importantly the Directive will introduce new provisions relating to the use of location data (i.e. data processed within a communications network which indicates the geographical position of a user’s terminal equipment, such as a mobile phone). Under these new provisions providers will be able to introduce value added services based on location data in much the same way as they can using traffic data. Again, no restriction is placed on the kinds of services that may be offered or the involvement of third parties. However, location data based services can only be provided where the data involved has been anonymised or with the consent of the relevant individual user or subscriber (to whom the data relates). For consent to be obtained the relevant subscriber or user must be informed of the data processing implications of the service and (as with traffic data related services) they must be allowed to withdraw their consent at any time. They must also be allowed to temporarily withhold their consent, free of charge, at any time. These new provisions will open the door to a range of new services such as location-based advertising to mobile phones, or traffic or weather alert services (once the infrastructure for this is in place!). For such services to have real value, i.e. to be tailored to the recipient, they will, however, require the informed consent of the relevant subscriber or user.
E. Directories
The Directive will introduce a number of changes to the way that directories containing subscriber information are operated. According to the DTI consultation these changes should give subscribers clearer rights and simplify the regime for network operators and directory providers. First, the Directive requires those collecting data for directories (normally the relevant network operator) to provide to each individual (i.e. living) subscriber details of the kind of directories in which they may be listed and how those directories will be used, including any non-standard search functions available in any electronic versions. In addition, the Directive requires that individual subscribers’ consent must be obtained before their data is included in any directories. This is a change from the current rules, which simply give subscribers the right to be ex-directory, to specify that their entries may not be used for direct marketing purposes, or to omit part of their address or any reference to their gender. The Directive also deals with “reverse searches”, i.e. the ability to search for a subscriber’s name and/or address on the basis of their phone number, rather than the other way round. The Directive gives Member States the right to impose a separate consent requirement for inclusion in any directory which includes this kind of function. The Regulations proposed by the DTI provide that individual subscribers have to be told that this facility will exist and their “express” consent obtained to their data being included in directories where this facility exists.
F. Consequences of non-compliance
As is the case with the Data Protection Act, the UK government plans to give anyone who suffers damage as a result of a breach of the new regulations the right to sue. However, it is likely to be a defence to any such action for the person sued to demonstrate that they had taken “such care as in all the circumstances was reasonably required to comply with the relevant requirement”. The result of such a defence must be to make it difficult, at best, for anyone affected to successfully sue. The Information Commissioner’s enforcement powers under the Data Protection Act will also be applied to the new regulations. The Information Commissioner will therefore be able to investigate breaches and, in appropriate circumstances, to bring enforcement proceedings.
G. Conclusions
Until the final Regulations are settled, the full impact of the Directive remains unclear. However, there are a number of interesting things that come out of the Directive. Whilst the Directive has attempted to bring together the rules on unsolicited marketing under one “technology neutral” umbrella, the actual result is that it proposes different rules for different types of communications and different types of recipient. With certain areas left to the discretion of Member States it is also likely that different rules will be introduced in different Member States. There will certainly not be any one size fits all approach. Similarly, whilst the new provisions relating to marketing via email are on the whole welcome, they are unlikely to have much impact on the international aspect of email. Despite the EU having strengthened its existing privacy rules in this area through the Directive, this is unlikely to stop spam originating from outside the EU. In view of the actions being brought by AOL in the US against the originators of spam, it seems unlikely that the Directive will lead to spam-free message boxes!

As seems to be the trend, perhaps the most significant aspect of the Directive is that businesses that are affected still have to take advice on and ensure compliance with not just this legislation but also a whole host of related legislation. A business engaged in even the most mundane level of e-commerce therefore needs to think not only of these rules, but also of a whole host of other Acts and codes of conduct.

Mark Crichard, Solicitor, DLA
[email protected]