November 2003 - Legislation to regulate the use of Electronic Communications Networks and Services and the implications for Data Protection Privacy comes into force

On the 6th of November 2003 the Minister for Communications, Marine and Natural Resources signed Regulations1 transposing into Irish Law the provisions of EU Directive 2003/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector.

This legislation is designed to regulate amongst other activities the use of unsolicited email, telephone calls, SMS, automated diallers and fax messaging for direct marketing.

It also seeks to impose rules to govern the confidentiality of communications across electronic networks, the proper use of traffic data, and the collection of personal data for the purposes of directories and sets out the powers of the Data Protection Commissioner and the Commission for Communications Regulation to police and enforce the Regulations.

The Data Protection Act 1988 and 2003, the Postal and Telecommunications Services Act, 1983 and the European Communities Directive (2001/31/EC) Regulations 2003 (S.I. No. 68 of 2003) have been amended.

Services to which the Regulations apply

The Regulations apply to the following -

• Processing of Personal Data within the State or within the EU in connection with the provision of publicly available electronic communications services.
• Subscriber lines connected to digital exchanges and to subscriber lines connected to analogue exchanges (unless there is a dis-proportionate economic cost).
• Publication by undertakings within the State of directories where Personal Data is processed.

Security

Any business or undertaking which provides publicly available electronic communications services must take the appropriate technical and organisational measures to safeguard the security of its services.

The measures to be taken must be proportionate to the risks presented having regard to what is technologically available and the costs involved. If there is a particular risk that security in the public communications network will be breached the undertaking concerned must inform its subscribers without delay setting out the possible remedies and the likely costs involved.

Confidentiality of Communications (use of cookies)

Cookies may not be used to store information or to access information on a user's terminal equipment unless the user is first provided with a clear and comprehensive notification and explanation which is prominently displayed and easily accessible. The user must be free to refuse to accept such cookies.

Cookies may be used without explicit consent for the sole purpose of transmitting or facilitating the transmission of the communication over the relevant electronic communications network or if strictly necessary to provide the subscriber with the service that has been requested.

Traffic data

All traffic data information relating to subscribers required for the transmission of the communication or for billing purposes must be erased or made anonymous once it is no longer required for that purpose.

Storage of traffic data for billing or interconnection payment purposes must not extend beyond the period that the bill may be lawfully challenged or outstanding payments pursued and in circumstances where proceedings have been brought during that period the information may be stored until those proceedings have been disposed of.

Any undertaking who has not by the date that the Regulations came into force - informed its subscribers of the types of information that is processed and stored for traffic data reasons - has three months from the 6th of November 2003 to do so.

The Regulations provide that having obtained prior consent, an undertaking may use traffic data to market electronic communication services so long as the subscriber has been informed of this particular use and its duration.

The Regulations provide that undertakings (who have not already done so) must within three months from the 6th November 2003 inform their subscribers of any traffic data processing that is already underway.

If the subscriber does not object within a period of two months they will have been deemed to have given their consent. However subscribers must be given the opportunity to withdraw their consent at any time subsequently.

Calling and connected line identification

Subscribers to publicly available telephone networks must be informed of the existence of calling and connected line identification, of all the associated services which are offered as well as the privacy options that are available.

Calling parties must be able to withhold, using simple means on a per call basis the identification of the line from which the call is being made and the called party must be able to reject calls from unidentified lines where the caller has prevented identification.

In addition subscribers opting for connected line identification must be able, using simple means to prevent the identification of the connected line to the caller.

The privacy options must be offered on a per line basis and do not have to be available as an automatic network service but should be made available and obtainable through a simple request procedure to the provider.

Location data (other than traffic data)

Digital mobile networks process location data, which gives the geographic position of the subscriber's mobile phone in order to enable the transmission of the call.

However, digital mobile networks also have the capacity to process such location data in a way that is more precise than is strictly necessary to facilitate the transmission of the call and which may be used for to provide additional services to the subscriber.

Such additional use of location data for purposes other than the transmission of the call is only permissible where the subscribers have given their consent.

For the purpose of getting such consent, digital mobile network operators must inform their subscribers of the type of location data (other than traffic data) which will be processed, the reasons why, the duration of such use and whether or not the data concerned will be transmitted to third parties for the purposes of providing additional services over the mobile phone to the subscriber.

Subscribers must be able to withdraw their consent for the use of location data for such purposes.

Where consent has been obtained subscribers must be able, using simple means that are free of charge to temporarily deny the use of location data for the purposes of providing such additional services.

Exceptions

The rights of subscribers to privacy concerning calling and connected line identification and location data may be over-ridden if it is necessary to allow an investigation into malicious or nuisance calls to proceed or for calls to the emergency services using either the National Emergency Call Number (999) or the single European Emergency Call Number (112) and for responding to such calls.

Automatic call forwarding

Providers of public telephone networks must enable subscribers to request the blocking of calls that are automatically forwarded to the subscriber's terminal by third parties without consent. Such blocking requests must be dealt with as soon as possible after the receipt of the request and must be free of charge.

Undertakings who have not already done so should inform their subscribers of the requirements in relation to blocking automatic call forwarding on request.

Directories

Directories of subscribers to electronic communications services are by their nature widely distributed and publicly accessible. Therefore a balance must be struck between the right to privacy of the individual and legitimate interests of the business to contact the subscriber in connection with their business activities.

Persons collecting subscriber data for inclusion in electronic directories must inform subscribers beforehand what Personal Data is to be included, the reasons why and any further possible future usages based on the functions that are embedded within the electronic version.

Subscribers must be able to establish whether their Personal Data is included in the directory. They must be given the opportunity to decide for themselves which of their Personal Data is included, the extent to which it may be used and also to correct, verify or withdraw the Personal Data from the directory.

Persons who have compiled directories in hard copy or electronic form prior to the commencement of the Regulations must, before publishing the next issue provide their subscribers with a complete set of information about the purposes of the directory and any further usage possibilities based on the search functions within the electronic version.

If the subscriber has not indicated an objection within two months of being informed then they will be deemed to have given their consent.

Unsolicited communications

The Regulations outlaw sending unsolicited communications for direct marketing purposes whether by means of automated calling machines, fax, SMS or email to a subscriber who is a natural person unless that individual has given their prior consent.

Automated calling machines or fax machines may not be used to transmit unsolicited direct marketing material to business recipients where the individual business recipient has notified the sender that it does not consent to receive such communications or has entered its preference in the National Directory Database for the lines concerned.

It is unlawful to make unsolicited telephone calls for direct marketing purposes to any subscriber where the subscriber has notified the person that he/she does not consent to the receipt of such calls or where he/she has entered the preference not to receive such calls in the National Directory Database.

Anybody making unsolicited calls for direct marketing purposes must identify himself or herself and any calls made by an automatic calling machine or by fax must identify the address of the caller and the telephone number for the line on which that person may be contacted.

Sending unsolicited direct marketing material by email to business recipients is unlawful if the recipient has notified the sender that they do not consent to the receipt of such communications to that email address.

Anybody sending unsolicited direct marketing material by email must identify himself or herself and must provide a valid email address at which they may be contacted. It is unlawful to use false identities or false return email addresses.

If a business has obtained its customers email address in connection with the sale of a product or service then it is lawful for that same business to use that email address for direct marketing of similar products or services.

The customer must be given the clear and distinct opportunity to object to the receipt of future communications in a manner that is simple and free of charge, which should be repeated in each subsequent email communication.

Breach of the rules against sending unsolicited communications is an offence. Each individual unsolicited communication constitutes a separate offence. On summary conviction a maximum fine of €3,000 may be imposed per message.

For further information or general enquiries contact: -
Patrick Ryan
Email: pryan@kilroys.ie
Telephone: +3531-439 5600
Fax: +3531-439 5601/439 5602

© Kilroys Solicitors November 2003

1 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 523 of 2003)