In December 2003, the Directive on Privacy and Communications (2002/58/EC) was implemented in the UK with much fanfare and controversy. Its critics claimed (and still do claim) that it would do nothing to reduce unsolicited e-mails as most offenders are based outside the EU and that it would simply create a disproportionate regulatory burden for reputable and law-abiding organisations. The Directive was one of several directives forming the EU’s regulatory framework for communications.
In June 2006, the European Commission published a consultation on changes to that framework. Although the consultation focuses on the Commission’s policy on spectrum management, the aim of the review is to bolster consumers’ and users’ rights, especially in the area of data security and privacy and the review suggests amendments to the Directive. However, the consultation also needs to take into account the calls by the industry to reduce the level of regulation in the sector.
The EU’s Article 29 Data Protection Working Party has published an opinion on the review of the regulatory framework as part of the consultation. The Opinion focuses on the Directive and issues concerning the processing of personal data by electronic means, alongside the linked security issues.
Working Party Opinion
The Working Party has emphasised the fact that, currently, the provisions of the Directive apply only to the provision of publicly available electronic communications services in public communication networks. This is unacceptable to the Working Party because private networks are increasing in importance with risks increasing accordingly. An example of this is monitoring employees’ behaviour by means of traffic data. The Working Party also considers that the scope of the Directive needs to be reconsidered because services are tending to be a mixture of public and private services.
According to the Working Party, the definitions of ‘electronic communication services’ and ‘to provide an electronic communications network’ are not clear and need to be explained in order to permit a clear and unambiguous interpretation by both data controllers and users. The Opinion raises the example of a cyber café and whether it can be considered a provider of an electronic communications network.
There is a perceived unevenness of enforcement of the Directive. However, the Working Party considers that this may not be down to the Directive itself but to the different interpretations of the various Member States as well as different maximum penalties. The Working Party also raises the issue that in some Member States data protection authorities have limited investigatory powers. Furthermore, as mentioned above, many spammers fall outside the jurisdiction of authorities within the EU and consequently there needs to be close co-operation with regulators in third countries, which is not always particularly efficient.
The Working Party also reiterates the point raised in its previous opinion on the Directive regarding the use of cookies. The Working Party supports the point of view that it should always be possible for users to refuse the storage of a cookie on their personal computers. The position in Article 5(3) of the Directive is that Web site users should be able to opt out of the use of cookies but, according to Recital 25 of the Directive, Web sites can make accepting a cookie a condition of being able to use the site. Consequently, many Web sites do indeed stipulate that access to specific Web site content is conditional on the acceptance of a cookie. The Working Party find this acceptable and considers that the Directive needs to be clarified or revised. Whether this is a tenable position to take in view of the many Web sites that require cookies and the practical advantages to Web site users (such as not having to re-enter data for each visit to the site) remains to be seen.
The Working Party sees it as important that the consultation review does not address network competition and network topics. It wishes to see the concept of ‘security’ being interpreted in its widest sense so that it does not just deal with specific security issues but also the fundamental right to privacy and including issues, for example, such as authentication versus anonymity. The Opinion welcomes the proposal to require notification of security breaches. However, it points out that currently no sanction is proposed for failing to do so.
The Working Party is keen to ensure that heavy-handed regulation is avoided. The consultation states that the present framework allows too much room for service providers to assess the adequacy of their own security measures. The consultation expresses the wish that there be new obligations such as measures to deal with security incidents, a requirement to follow regulators’ guidance and contractual provisions informing consumers of actions to be taken in the event of a security breach. The Working Party does not consider that any of these proposals would add anything to the existing framework.
The Working Party also considers that it may be worthwhile to investigate whether regulations on the processing of personal data and the protection of privacy in the electronic communications sector need to make it clearer which organisations are the target audience of the regulations.
The Opinion forms a useful contribution to the debate and some of its points should be welcome to the electronic communications industry, mainly because its approach to the issue of data security shows a reassuring level of common sense. It recognises that heavy-handed regulations have not shown any significant successes in protecting personal data and consequently the Working Party’s preference seems to be for a lighter touch in enforcement.
However ISPs and telecoms operators may be concerned about the Working Party’s support for the Commission’s proposal that service providers should be required to inform regulators and users about security breaches. It is likely that the Information Commissioner’s Office will welcome the Commission’s proposal to provide for more effective sanctions for breaches of data protection provisions. The Information Commissioner recently called on the UK government to introduce custodial sentences for breaches of data protection legislation. Furthermore a consultation was published by the Department for Constitutional Affairs in July 2006 on increasing the penalties for deliberate and wilful misuse of personal data which is likely to consider the Opinion.
Finally, the Working Party repeated some recommendations it made when the Directive was initially adopted – for example, the comments made about cookies. When the Directive was adopted the various Member States were unable to reach consensus on these issues. As a result it seems unlikely that the Commission will prioritise on these issues when it comes to draft the relevant new laws, especially with an expanded EU and consequently more stakeholders to consider.
Helen Hart is a solicitor in the Corporate and Commercial department at Stevens & Bolton LLP in Guildford. Previously she spent time as sole counsel for Europe at Palm Europe Limited, as well as working in-house at the AA and British Gas. She can be contacted on helen.hart@stevens-bolton.co.uk or 01483 734238.
