A number of concerns over privacy have built up in recent years due to the nature of technological developments. Examples include being able to see a caller’s telephone number on a mobile phone before deciding whether to answer, or the storage of ‘cookies’ on computers which record information about a user’s website habits. These concerns have required legislation to be passed at both European and national levels to protect individual rights to privacy and prevent abuses of these rights from occurring through electronic communications.
The legislative framework in this area can be found in a Directive of the European Parliament and of the Council, which governs, in general terms, the protection of personal data in this area. Initially, Directive 97/66/EC dealt with the protection of privacy in the telecommunications sector, and was implemented into UK law by the Telecommunications (Data Protection and Privacy) Regulations 1999. Subsequent technological advancements required a legislative response, so Directive 2002/58/EC, dealing with privacy in the electronic communications sector, was passed, and later implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which repealed the 1999 Regulations.
The Directive on privacy and electronic communications
Directive 2002/58/EC deals with most aspects of protecting privacy in electronic communications, including security, confidentiality, location data (such as that available on mobile phones), billing, automatic call forwarding and unsolicited marketing. Although much of the Directive is beyond the scope of this article, these areas are considered briefly below. The Directive also provides definitions of terms such as user, traffic data, location data and communication, which generally help to resolve any difficulties of interpretation. The 2003 Regulations implemented by the UK more or less restate the provisions of the Directive, but include extra provisions on matters which are left to individual Member States. Reference in this article is made to the Directive.
Article 4 of the Directive requires the provider of a publicly available electronic communications network to take appropriate technical and organisational security measures. Subscribers to the network must be informed if there is a risk that security will be breached. If the risk cannot be averted by measures which are proposed to be taken, subscribers must be informed of other possible remedies and their likely costs. Any subcontractors hired to deal with security threats will be subject to the provisions of the data processing Directive (Directive 95/46/EC). A contract between a network provider and a subcontractor must impose the necessary security obligations on the subcontractor.
Article 5 requires Member States to enact legislation to ensure the confidentiality of communications made through a public network and through public electronic communications services. Member States are required to prohibit listening, tapping and storing unless this is required, among other things, for national security or to prevent crime. The Regulation of Investigatory Powers Act 2000 also prohibits the interception of communications and only allows surveillance in certain circumstances. Recording communications and related data in order to provide evidence of commercial transactions in the course of lawful business, however, is allowed. This applies, for example, when buying insurance over the telephone.
For more information on:
- Location data
- Automatic call forwarding
- Unsolicited marketing