This article will critically assess the protection of privacy in the electronic communications sector according to European Directive 2002/85/EC and the resultant privacy and Electronic Communication (EC Directive) Regulations 2003.

Introduction:

As a direct result of the explosion in the provision and availability of telecommunications services in the 1980s and early 1990s, concerns arose over the privacy of individuals regarding the use and operation of telephones and related devices. Such concerns have been multiplied with the advent of digital technology, the availability of calling line identification, the explosion of internet trading, mobile phones and new services and technologies such as text messages, location data and cookies. Although data protection legislation applies to the electronic communication sector in the same way as it does to other industries, the European Union considered that extra safeguard were required.

The most recent EU legislation in this rapidly changing area of commercial life is the directive concerning the processing of personal data and the protection of the privacy in the electronic communication sector (2002/58/EC) ( the Directive on Privacy and Electronic Communication).The UK implemented the Directive on Privacy and Electronic Communication by way of secondary legislation namely the Privacy and Electronic Communications ( EC Directive) regulation2003.

The Electronic Privacy Directive acknowledges that electronic communications over the internet open new possibilities for users, but also new risk for their personal data and privacy therefore, it seeks to ensure the confidentiality of electronic communications and related traffic data via public networks, including email, Short Messaging Service ("SMS") and requires Member States to prohibit interception or surveillance of communications. The main objective of the Electronic Privacy Directive is that consumers should be able to obtain the same level of protection regardless of the technology by which a particular service is delivered. In addition, the new Directive harmonizes the provisions of the Member States relating to privacy with respect to the electronic processing of personal data, and the free movement of such data and related communications equipment within the Community.

This article will critically assess the protection of privacy in the electronic communications sector according to European Directive 2002/85/EC and the resultant privacy and Electronic Communication (EC Directive) Regulations 2003. This Directive attempts in particular to grapple with two main controversies which are central to the topic of privacy protection: Spam and Cookies. It also contains interesting attempts to control the retention and collection of traffic data and location data, and to restrict the placing of personal information on in public directories.

1- Spamming:

The bulk sending of unsolicited marketing emails is known as "spamming". The new Directive prohibits anonymous spamming or sending spam under a false identity. However, the view has been expressed by commentators that most spam originates in countries outside the EEA. Since the Directive applies only to data controllers established in the EEA or using equipment in the EEA for processing personal data, it is not expected to have much impact on spam coming into the EEA.

The new Directive provides safeguards that should be provided against the nuisance caused by automatic call forwarding by others. It must be possible for subscribers to stop the forwarded calls from being passed on to their terminals by a simple request to the provider of the publicly available electronics communications service. This provision applies to call forwarding to email addresses and fax numbers through the internet. However, it is often difficult to contact the appropriate webmasters. In order to avoid this type of harassment, subscribers should instead be assured by means of blocking the forwarded communications.

This is the most significant change brought finally in by the Privacy Directive, following years of incremental struggle, the requirement of opt-in to receiving electronic junk mail or spam. Importantly the definition of 'electronic mail' in article 2 is wide enough to cover not just Email but also text, voice, sound and image messages sent over a public communication network and which can be stored until collected. The increasingly ubiquitous mobile phone text spam is thus also subject to opt-in requirement. Again however, the banning of unsolicited spam is subject to a potentially damagingly wide exception. Prior consent according to the draft regulations, was not required if the details of the recipient were previously obtained 'in the context of a sale of a product or service so long as (a) the recipient was given a clear, simple and free opportunity to opt-out of receiving spam each time a new communication is sent, and (b) the goods or services were 'similar' to those now being marketed. Privacy advocates might suggest that the correct way to interpret this provision is to regard the exception as only operating where an actual prior sale had occurred-i.e. not where the consumer had merely browsed the site to check out goods, decided not to buy, but perhaps inadvertently given away their details, e.g., by registering to gain access to the website at all. The UK Regulations however again take a different approach. So long as the business has 'legitimately obtained the contact details, no actual sale should be required. Details may be obtained in the course of sale or negotiations for the sale. Furthermore, 'similar' goods or services, according to the DTI, should only be restricted by the reasonable expectations of the buyer at the time they gave their contact details. In other words, if a consumer buys baked beans on-line from ASDA, it is reasonable for ASDA to then market TVs and DVDs (say) to that consumer without prior consent, because the consumer could reasonably have known that ASDA sold all these types of goods at the time she first gave away her personal information; however if ASDA, subsequent to the baked bean purchase, acquired, say, a horse-riding stables business, it would not be reasonable for them to market horse-riding lessons to the consumer. Again, this seems a technical and privacy-minimizing interpretation which is unlikely to be harmonious with several other member states which have already banned spam entirely and long ago-nor is it likely to instill the trust in consumers which is the whole object of the exercise.
Article 13 of Directive 2002/58 deals with the question of unsolicited communications. The idea is to provide safeguards for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of automated calling machines, fax machines and emails including SMS messages. For example, the use of a Cookie in a website offering travel itineraries may help avoid that the user may need to restate his town of departure for each connection. Art.13(4) prohibits the sending of electronic mail for purposes of direct marketing which disguise or conceal the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease. Indeed to ensure the effective enforcement of the rules on unsolicited commercial communications it is important to prevent the use of false identities or false return addresses.

Moreover, In order to encourage consumers to take their privacy choices seriously, it is important to remove from the range of outcomes they must have in mind instances where consumers cannot really benefit from sharing their data and losing privacy. Spamming is one clear example of a practice which benefits neither consumers nor legitimate commerce. It would give consumer's confidence when considering what data they will release to know that whatever happens, they will not be inundated with spam. This of course is an enormous problem only one part of which can be met by more stringent control of the ...

This is a preview of the whole essay

2- Cookies:

The question of Cookies is addressed in the Directive, both in Recitals (24 and 25) and implicitly in Article 5. The proposal put forward by the European Parliament at first reading that prior explicit consent is required every time a cookie is delivered did not find its way in the Directive due to industry opposition. The cookie contains a unique identifier assigned by a website which enables it to recognize the repeat visitor and collect information regarding each of the user's visits. Cookies are used by websites to monitor use of the site and to customize the contents of the website for the visitors' use, which, according to industry, actually assists users of the internet. For example, if a data cookie has been planted on the user's terminal, then the visitor will not have to re-enter certain user names and passwords and may enjoy a personalized shopping experience to a website. However, as pointed out by the UK Information Commissioner, only some cookies serve a useful purpose, for example, facilitating online "shopping baskets". Other cookies are used to track movements on the web. This raises the question of whether there are different kinds of cookies which is an issue not addressed by the Directive, but the Directive limits the use of technical storage or access to information stored in terminal equipment for sole purpose of carrying out or facilitating the transmission of a communication over an electronic communication network or to facilitate the provision of information society services.

Article 5 (3) conditions the use of Cookies to the provision of clear and precise information in accordance with Directive 95/46 about the purpose of the Cookies or similar devices so as to ensure that users are made fully aware of the information being placed on the terminal that they are using, it also conditions the use of cookies to the possibility for the user to refuse to have a cookie or similar devices stored on their terminal equipment. However, the article implicitly admits that in the event that one refuses the placing of a cookie for legitimate purpose, access to specific web site content may be refused. Indeed according to the terms of the Directive, the refusal: “ shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user”. “One may indeed question the legitimacy of such a practice : in an off-line world it would be like tagging each individual entering a shop, whether or not he merely enters for a few moments or decides to buy goods. If he refuses the tagging he would be refused the entrance to the shop. Can one still speak of the freedom of movement?”

The information and the right to refuse might be offered, according to the recital, once for the use of various devices to be installed on the user’s terminal equipment during the same connection any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or request consent should be made as user friendly as possible.

It is interesting to note that the Directive does not mention any limits as to the conservation period of the device. Indeed, in many cases cookies are placed on the user’s terminal equipment for very long period of time, which seem to exceed those necessary to pursue the legitimate purpose (30- 50 years). If one to respect the provision of Directive 95/46, these devices should only be placed on the terminal equipment only for as long as necessary to achieve the legitimate purpose.

The UK Information Commissioner's current best practice recommendation on cookies is that a company should place a statement of privacy policy on its home page which discloses that it uses cookies to enhance a visitor's experience and to collect information about them. Good practice, according to the UK Information Commissioner, is to ask for consent for collection of all data and to get consent for processing of sensitive personal data.
The UK government has indicated in its consultation document and in the Privacy and Electronic Communications EC Directive Regulations 2003 which implement the Privacy Directive an approach which is, disappointingly un-privacy friendly. On the question of how consumers should be offered the right to refuse cookies, the Regulations are entirely silent, except for asserting that the right to refuse cookies need not be offered more than once. The draft guidance suggested that the requirement to offer a way of refusing cookies would in fact be met if websites merely offered guidance on how consumers might use the facilities of their browser programme (e.g. Internet Explorer) to reject cookies. This is entirely inadequate to provide most consumers with a 'user friendly' way to vindicate their legal right to refuse. The position is muddied further where the consumer is using a computer while at work; here it seemed the person with the right to refuse cookies might well be the employer, not the employee/consumer. Following consultation, rule 6 now provides that either the 'subscriber or user' must be given the right to refuse. On the question of what is 'strictly necessary' in response to a request by the consumer, the Regulations again say nothing, although the guidance notes did specify that the regulations would apply to all cookies, specifically including session specific cookies, but presumably including third party cookies.
Traffic Data:

Directive 2002/58 foresees that interception or surveillance of communications and the related traffic data is prohibited, except when legally authorised in accordance with Art.15(1). We have to remember that it is a legal principle to interpret exceptions restrictively.

The principle is that traffic data must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication. Here again, without prejudice to Art.15(1), as well as Art.6(2) (billing purposes), Art.6(3) (marketing of electronic communications services or for the provision of value added services), and Art.6(5) (customer enquires, fraud detection, etc.).

The extension of the concept of "traffic data" is supposed to be determined by national regulations, even if this could generate different interpretations of the very concept of traffic data by the Member States, which could lead to certain obstacles in the internal market. This is because the obligation to store more data in one country than in other can create obstacles to the provision of services. Consumers would be more interested in using the service which respect more their privacy.

Exceptions:

The scope of rights of both Arts 5 and 6 can only be restricted, according to Art.15(1) if it constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security, defense, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system. Member States may adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down above. All the measures referred to in this paragraph shall be in accordance with the principles of Community law, including those referred in Art.6(1) and (2) of the Treaty of the European Union.

One last thing to mention and to consider is that, as internet crime figures soar and the victims of such crimes, be they individuals, institutions or sovereign states, find their property, security and sensibilities cynically violated by unidentified, unidentifiable criminals, who remain free to perpetrate--and perpetrate again such crimes. Privacy, personal liability and even individual and institutional security are already the subject of the ultimate infringement by such criminals. If society is to be protected from continued and most likely surging threats then such criminals must be deterred. That will only happen if there is certainty of detection, prosecution and punishment. Cyberspace is the new Wild West. It is a virtual haven for criminals but their victims are far from virtual. The victims of cybercrime are real and they have a right to expect the perpetrators to be brought to justice. They and we have a right to expect protection by the sovereign states in which we live. Protection demands effective policing and such special police units or "cyber cops" as they may come to be called, must be given appropriate methods, procedures, powers and means to detect not only the crime but the perpetrator of the crime and to secure evidence which is admissible in the ultimate prosecution. “If individual rights to privacy or personal liability have to be infringed that may be a price worth paying.” When it is commonly said in electronic freedom circles in relation to the Internet pornography debate, that there is no reason why citizens should have less freedom of expression on-line than off-line.

Conclusion:

The new Electronic Privacy Directive is the first piece of privacy legislation clearly applicable to emails and SMS sent to mobile phones. It boldly bans the sending of spam, imposes prior consent requirements for processing location data and for sending unsolicited commercial emails or SMS to mobile phones, except with respect to existing customers. The Directive requires that safeguards be provided against the nuisance of automatic call forwarding and subscribers must be able to stop the forwarded calls by a simple request to the service provider. Importantly, the new Directive requires websites to inform visitors of the existence of cookies and provide the right to refuse receipt of the cookies. However, the fact that the visitor need to be informed only once before the deposit of a large number of cookies undermines these protections. The right of websites to make access conditional on acceptance of cookies also weakens privacy rights. Nevertheless, the new Directive represents an important first step in protecting privacy in cyberspace.

Certain initiatives at European level have shown the will to restrict the right to privacy as concerns the retention of traffic data. It is hoped that this restriction would only take place giving strict consideration to the conditions described in Art.15(1) and the supranational and international instruments protecting human rights.

Generally, one useful starting point in Europe would be for the EC Privacy Directive to be implemented in the strongest possible form, so as to enforce the requirement of opt-in to unsolicited direct marketing as a matter of minimum harmonization. Still more importantly, the attempts that are now being made to reach some kind of international, not just European, consensus on how to deal with spam and cookies must be continued and intensified.

(THE PAGE LIMIT FOR THIS COURSEWORK IS : 12 PAGES)

Article 1 directive 2002/58/EC

Directive 2002/58/EC L201/37, will be referred to in this article as the Directive.

The Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), will be referred to in this article as the Regulations.

European Economic Area

Art 13(1), Privacy Directive. For a brief history of attempts to require opt-in to spam in Europe

LILIAN EDWARDS, Consumer Privacy, On-Line Business And The Internet: Looking For Privacy In All The Wrong Places, IJL&IT 2003.11(226)

Ibid

A cookie is a text file which can be left, unseen, on the internet browser software of a visitor to a website

Directive 2002/58/EC, Article 5 (3)

Sophie Louveaux & Maria Veronica Perez Asinari, New European Directive 2002/58/EC on the processing of personal data and protection of privacy in the Electronic Communication Sector –some initial remarks, C.T.L.R. 2003,9 (5), 133-138.

Ibid

Supra N. 6

Traffic data" is defined as "any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof. Art.2(b) of the Directive

Art.5(1) of the Directive.

See Recitals 26 and 27 of the Directive.

Art.6 (ex Art.F) EUT (European Union Treaty).

"1. The Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms, and the rule of law, principles which are common to the Member States.

2. The Union shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 and as they result from the constitutional traditions common to the Member States, as general principles of Community law."

Natasha Jarvie, CONTROL OF CYBERCRIME - IS AN END TO OUR PRIVACY ON THE INTERNET PRICE WORTH PAYING? PART 1, C.T.L.R. 2003, 9(3), 76-81.