Processing Personal Data and Privacy

June 30, 1998

The European Directive 97/66/EC on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector contains measures designed to protect not only the privacy of individuals but also ‘the legitimate interests’ of business users. It is hoped that once implemented it will substantially reduce the numbers of unsolicited calls, faxes and other electronic communications received. The Directive applies in connection with the provision of publicly available telecommunications services in particular via ISDN and public digital mobile networks. It also encompasses a wide and growing range of services including video on demand and interactive TV.

This article is a brief resume of the main points of the Directive.


This Directive is designed to supplement the Data Protection Directive 95/46/EC and, like that Directive, is due to be implemented by 24 October 1998. It has two objectives:

  • To harmonise the laws of Member States to prevent obstacles to trade within the internal market and so ensure the free flow of personal data within the community.
  • To encourage the growth of the telecommunications industry.

The Directive recognises that the success of new technologies is partly dependent upon consumer confidence in the protection of privacy. This is not just a matter of protecting an individual’s right to privacy, it is also about businesses being satisfied that using the telecommunications network, in whatever form, does not expose them to risk. Business users must be satisfied that their communications are secure and that information about business activities which is available because of use of the network is not then used by others for commercial gain.

Subscribers and Users

The Directive differentiates between subscribers of the service and users.

Subscribers are natural or legal persons who are party to a contract for the supply of telecommunications services. Users are natural people using the services who may not necessarily be subscribers. Both are afforded protection under the Directive although to differing degrees.


The Directive imposes obligations upon service providers to implement technical and organisational measures to protect the security of their services. The measures must be appropriate to the security risk involved. Consideration is to be given to the financial implications of such measures and also as to whether the technology is available to implement them. Where there may be a breach of security, subscribers must be informed of the risks and likely remedies.

As the Directive affects only activities governed by community law, Member States will still be entitled to take steps necessary to protect public security, state security, defence, crime prevention or investigation and for the enforcement of criminal law.

Article 5 provides that a state must legislate to prevent unauthorised interception or surveillance of communications by whatever means without the consent of the users concerned; these provisions need to be in place before 24 October 2000. However, they will not prevent the lawful recording of communications in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.

Billing Data

In accordance with Article 6, the processing of traffic and billing data is to be restricted and, although these provisions will not affect some data already being processed, subscribers must be given the opportunity to object.

Article 7 provides for subscribers to have the right to receive non-itemised bills and, in order to reconcile the right to privacy of the parties concerned, Member States must ensure alternative methods of payment are available which will allow anonymous or strictly private access to telecommunications services.

Line Identification

Article 8 covers the presentation and restriction of calling and connected line identification. For calls originating within the EU, a calling user or subscriber must be able to withhold the presentation of calling line identification whatever the destination of the call.

With incoming calls from inside or outside the community, a subscriber must have the capacity to prevent calling line and connected line identification and also to reject calls where the caller withholds his number. There must be public awareness of these options.

The option to withhold calling line identification may be suspended to trace malicious or nuisance callers and whilst this process is going on details of calls to the line may be stored. There are also exceptions designed to assist the emergency services.

A subscriber may, free of charge, prevent automatic call forwarding by third parties.

Personal Data

Personal data held in directories (in paper or electronic form) of subscribers who are natural persons must be limited to that necessary for identification purposes unless the subscriber has given his unambiguous consent. A subscriber has the option, free of charge, to ask for certain details to be omitted or to request that personal data may not be used for direct marketing purposes. Those who wish not to appear at all may do so upon payment of a fee which should not be of such a size as to act as a disincentive.

Member States must also guarantee that the legitimate interests of subscribers who are not natural persons are also sufficiently protected.

Unsolicited Calls

Initially it is in the area of unsolicited calls that most of us will notice the most benefit. Article 12 provides that automated calling machines or fax machines may be used for direct marketing only if the subscriber has given prior consent. As regards other unsolicited calls, Member States have the option of introducing measures which prohibit them unless a subscriber gives consent or which prohibit them where a subscriber indicates he does not wish to receive them. These provisions apply where the subscriber is a natural person but Member States must also take steps to protect the legitimate interests of other subscribers.


To prevent artificial barriers, Member States must not impose mandatory requirements for specific technical features and where necessary the Commission will draw up common European standards.

Welcome News and Continuing Issues

This legislation is welcome news for most businesses, recognising as it does the need for business communications to take place in a secure environment. However, the Directive does not explain what is meant by the legitimate interests of a business user and the preamble makes it clear that there is no obligation upon Member States to afford legal persons the same degree of protection that is required for individuals. It is to be hoped that the legislators can find a formula which protects business subscribers from the worst excesses of unsolicited calls and faxes but does not stifle the direct marketing industry.