Data protection in the electronic communications sector

Outline of the Community (European Union) legislation about Data protection in the electronic communications sector

Document or Initiative

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [See amending acts].

Summary

Directive 2002/58/EC forms part of the “Telecoms Package”, a new legislative framework designed to regulate the electronic communications sector and amend the existing regulations governing the telecommunications sector. The “Telecoms Package” includes four other Directives on the general framework, access and interconnection, authorisation and licensing and the universal service. The “Telecoms Package” was amended in December 2009 by the two Directives “Better law-making” and “Citizens’ rights”, as well as by the establishment of a body of European regulators for electronic communications (BEREC).

This Directive principally concerns the processing of personal data relating to the delivery of communications services.

Processing security

The provider of an electronic communications service must protect the security of its services by:

  • ensuring personal data is accessed by authorised persons only;
  • protecting personal data from being destroyed, lost or accidentally altered;
  • ensuring the implementation of a security policy on the processing of personal data.

In the case of a personal data breach, the service provider must inform the person concerned, as well as the National Regulatory Authority (NRA).

Confidentiality of communications

The Directive reiterates the basic principle that Member States must, through national legislation, ensure the confidentiality of communications made over a public electronic communications network. They must in particular prohibit the listening to, tapping and storage of communications by persons other than users without the consent of the users concerned. The subscriber or user who stores their information must first be informed of the purposes of the processing of their data. They have the option to withdraw their consent to the processing of traffic data.

Data retention

The Directive determines that traffic data and location data must be erased or made anonymous when they are no longer required for the conveyance of a communication or for billing, except if the subscriber has given their consent for another use. On the sensitive issue of data retention, the Directive stipulates that Member States may withdraw the protection of data only to allow criminal investigations or to safeguard national security, defence and public security. Such action may be taken only where it constitutes a “necessary, appropriate and proportionate measure within a democratic society”.

In order to ensure the availability of communication data for the purpose of investigation, detection and prosecution of criminal offences, the Directive lays down provisions for the retention of data.

Unsolicited communications (“spamming”)

The Directive takes an “opt-in” approach to unsolicited commercial electronic communications, i.e. users must have given their prior consent before such communications are addressed to them. This opt-in system also covers SMS text messages and other electronic messages received on any fixed or mobile terminal. However, exceptions are provided.

Cookies

The Directive states that users must give their consent before information is stored on their terminal equipment or before access to such information is obtained. In order to do this, users must receive clear and comprehensive information about the purpose of the storage or access. These provisions protect the private life of users from malicious software, such as viruses or spyware, but also apply to cookies.

Cookies are hidden information exchanged between an Internet user and a web server, and are stored in a file on the user’s hard disk. Their original purpose was to retain information between sessions. They are also a useful and much decried tool for monitoring a net surfer’s activity.

The Directive encourages the use of methods which are as user-friendly as possible, and of effective technical tools.

Public directories

European citizens must give prior consent in order for their telephone numbers (landline or mobile), e-mail addresses and postal addresses to appear in public directories.

Controls

Member States must implement a system of penalties, including legal sanctions in the case of infringements of the provisions of this Directive, and ensure that the national competent authorities have at their disposal the necessary powers and resources to monitor and control compliance with the national provisions adopted during the transposition of this Directive.

References

| Act | Entry into force | Deadline for transposition in the Member States | Official Journal |
| --- | --- | --- | --- |
| Directive 2002/58/EC | 30.07.2002 | 31.10.2003 | OJ L 201 of 31.07.2002 |

| Amending act(s) | Entry into force | Deadline for transposition in the Member States | Official Journal |
| --- | --- | --- | --- |
| Directive 2006/24/EC | 3.5.2006 | 15.9.2007 | OJ L 105 of 13.04.2006 |
| Directive 2009/136/EC | 19.12.2009 | 25.5.2011 | OJ L 337 of 18.12.2009 |

Related Acts

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [Official Journal L 281/31 of 23.11.95].
This Directive is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the EU.

Regulation 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [Official Journal L 8 of 12.01.2001].
This Regulation aims to protect personal data within EU institutions and bodies. The text provides for rules to ensure a high level of protection for personal data processed by the Community institutions and bodies and the creation of an independent supervisory body to monitor the application of these rules.
