Privacy and electronic communications

General issues

A number of concerns over privacy have built up in recent years due to the nature of technological developments.  Examples include being able to see a caller’s telephone number on a mobile phone before deciding whether to answer, or the storage of ‘cookies’ on computers which record information about a user’s website habits.  These concerns have required legislation to be passed at both European and national levels to protect individual rights to privacy and prevent abuses of these rights from occurring through electronic communications.      

Legislative framework

The legislative framework in this area can be found in a Directive of the European Parliament and of the Council, which governs, in general terms, the protection of personal data in this area.  Initially, Directive 97/66/EC dealt with the protection of privacy in the telecommunications sector, and was implemented into UK law by the Telecommunications (Data Protection and Privacy) Regulations 1999.  Subsequent technological advancements required a legislative response, so Directive 2002/58/EC, dealing with privacy in the electronic communications sector, was passed, and later implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which repealed the 1999 Regulations.

The Directive on privacy and electronic communications

Directive 2002/58/EC deals with most aspects of protecting privacy in electronic communications, including security, confidentiality, location data (such as that available on mobile phones), billing, automatic call forwarding and unsolicited marketing.  Although much of the Directive is beyond the scope of this article, these areas are considered briefly below.  The Directive also provides definitions of terms such as user, traffic data, location data and communication, which generally help to resolve difficulties of interpretation.  The 2003 Regulations implemented by the UK more or less restate the provisions of the Directive, but include extra provisions on matters which are left to individual Member States.  Reference in this article is made to the Directive.

Security

Article 4 of the Directive requires the provider of a publicly available electronic communications network to take appropriate technical and organisational security measures.  Subscribers to the network must be informed if there is a risk that security will be breached.  If the risk cannot be averted by measures which are proposed to be taken, subscribers must be informed of other possible remedies and their likely costs.  Any subcontractors hired to deal with security threats will be subject to the provisions of the data processing Directive (Directive 95/46/EC).  A contract between a network provider and a subcontractor must impose the necessary security obligations on the subcontractor.

Confidentiality

Article 5 requires Member States to enact legislation to ensure the confidentiality of communications made through a public network and through public electronic communications services.  Member States are required to prohibit listening, tapping and storing unless this is required, among other things, for national security or to prevent crime.  The Regulation of Investigatory Powers Act 2000 also prohibits the interception of communications and only allows surveillance in certain circumstances.  Recording communications and related data in order to provide evidence of commercial transactions in the course of lawful business, however, is allowed.  This applies, for example, when buying insurance over the telephone.

Location data

It is now possible to track the movement or location of a mobile phone.  This naturally gives rise to serious questions of personal privacy, especially if a person wants to keep their location secret.  Under Article 9 of the Directive, if this type of data can be processed then it must remain anonymous unless the user consents.  The data may only be processed to the extent necessary to provide a value added service (as defined in the Directive), such as providing local weather information.  Location data may also be used without a user’s or subscriber’s consent under Article 10.  For example, a person lying injured in open countryside or deep forest may be unable to accurately identify their location.  If they use their mobile phone to contact the emergency services, the emergency services are allowed to use the location data provided by the phone to find the user and assist them.

Billing

Public communication network providers need to process data relating to their customers’ calls so that they can accurately bill their customers.  This data would include the subscriber’s name and number, the date and duration of the call, where it was to, and the applicable rate.  Under Article 6 this data must be erased or made anonymous once the lawful period for challenging or pursuing the bill has expired.  The data may only be processed by persons authorised by the network providers.  Under Article 7, subscribers have a right to receive non-itemised bills.

Automatic call forwarding

Article 11 of the Directive gives subscribers the right to prevent automatic call forwarding by a third party to their terminal.  This service must be provided free of charge.  The purpose of this Article is to prevent, for example, business calls being forwarded to a person’s private residence late at night, which could be seen as an invasion of privacy.

Unsolicited marketing

Many people will have received unsolicited telephone calls from businesses trying to sell them something.  This ‘cold-calling’ is often seen as intrusive.  Subscribing to the Telephone Preference Service can reduce it to a minimum, if not stop it completely.  Under Article 13 of the Directive, direct marketing is only allowed where subscribers have given their consent.  Where an organisation has obtained customer details for electronic mail from the sale of a product or the provision of a service, it may use these details to directly market its own similar products or services.  The customer, however, must be given the opportunity to object when their contact details are collected.  Otherwise, Member States must ensure that unsolicited communications for the purposes of direct marketing are not allowed, either without the consent of the subscribers concerned, or in respect of subscribers who do not want to receive these communications.