E-privacy Directive

Continuing the series that presents the European legal framework on privacy and personal data, which aims to help readers be aware of their legal rights so that they can better protect them, today's post presents:

Directive 2002/58 on Privacy and Electronic Communications, otherwise known as the E-Privacy Directive

 

 

The scope of this Directive is to complement the Data Protection Directive 95/46/EC. This objective is pursued by harmonizing the provisions of the Member States (MS) in order to secure a uniform and equivalent level of protection of fundamental rights and freedoms across all the MS. It addresses the right to privacy when processing personal data in the electronic communication field (i.e. a communication environment which allows content to be delivered digitally through networks, such as the Internet, as opposed to analog telecom features), and it also secures the free movement of personal data and electronic communications. The Directive does not address issues regarding security and defense, which are covered by Title V of the Treaty on European Union. Criminal law is addressed by the Council Framework Decision 2008/977/JHA, formerly under Title VI of the Treaty on European Union. While the Data Protection Directive refers just to natural persons, Directive 2002/58/EC refers to legal persons as well.

Under Article 2 “Definitions”, new terms are provided for electronic service providers, in order to give better protection to the users of such services with regard to:

i) the user: identified as any private person who is using a publicly available electronic communication service for personal or business purposes, and who does not necessarily have to be subscribed to a particular service (e.g. visiting a website does not require subscription, but personal data could be retrieved).

ii) traffic data: refers to any data necessary for carrying a communication on an electronic communication network (such as IP address, user name, email address) but not limited to billing purposes (i.e. to establish the cost of the services provided). The electronic communication providers argued that they needed to keep traffic data for billing purposes.

iii) location data: refers to any data processed in an electronic communication network which determines a geographic position or location with regard to a user or the user’s equipment while using publicly available electronic communication services. This definition is important for users who use, for example, a cellular phone as a terminal for their communication instead of a computer. When a cellular phone is used (a mobile phone, which is different from a fixed computer station), the user’s particular location may be determined by the communication service provider based on the signals sent to and received from the closest communication “cell” in the proximity of that user, as every cellular phone has a unique identity number (IMEI). The Internet Protocol (IP) address used by computers for Internet connections can identify a user located in a certain geographical area. For example, when one logs into their computer while in The Netherlands, their web browser provides information in Dutch, while another person in the UK is provided the same information in English, and there is a clear differentiation made between their geographical locations.

iv) communication: is identified as an information exchange between users when using publicly available communication services (e.g. email). It does not refer to TV or radio broadcasting. The communication could take the form of text, audio, video, photo, or code.

v) call: refers to any connection performed through a publicly available telephone service that allows two-way communication in real time.

vi) consent: refers to user or subscriber approval given to any entity for processing, retrieving, using, etc. data in accordance with the Directive 95/46/EC stipulations.

vii) value added service: refers to any service that requires the processing of traffic or location data other than the traffic data required for the communication itself or for billing purposes.

viii) electronic mail: refers to any sound, voice, text, image, or message sent through a public communication network that can be stored in the network or on the user’s terminal. Extending the term “electronic mail” beyond a “written message” clarifies that, with Web 2.0 in use, any kind of communication between users, such as family pictures, music, or videos, can fall under electronic mail.

Establishing these definitions is an important step taken in eliminating confusion between users and providers, ensuring that now both parties have the same understanding and terms of reference when dealing with “communication”, “location data”, “electronic mail”, “user”, and “consent”, etc.

Under Article 4 (1) “Security”, the Directive establishes a general obligation for the provider of electronic services to secure its services by ensuring that technical and organizational measures are in place so that personal data concerning the users is appropriately protected. Under Article 4 (2) “Security”, the Directive establishes new obligations for electronic service providers by requiring them to inform the subscribers when risks (e.g. viruses, malware) are detected in the network or are imminent.

Article 5 sets out another obligation for the providers of electronic communication: they have to ensure the confidentiality of the information regarding their users. The Directive clearly prohibits any type of listening, tapping, storage, interception, and surveillance of communication and traffic data unless the users have expressly given their consent or an exemption applies, such as necessary, appropriate and proportionate measures to safeguard national security, defence, public security, or the prevention, investigation, detection and prosecution of criminal offences or of unauthorized use of the electronic communication system, as indicated under Article 15 (1).

Article 6 concerns traffic data and expressly requires the providers of public communication networks to erase it or make it anonymous when it is no longer required for the transmission of a communication. Furthermore, no electronic communication provider can keep this data for marketing, advertising or value added services without the consent of the users. This consent can be withdrawn at any time. The provider should inform the user which type of data is processed, for how long, and the scope of the processing. The data should be processed only by legitimate and authorized personnel of the provider, or acting on its behalf, with regard to billing, marketing, fraud detection, and customer services, and the processing must be restricted to what is necessary for providing the communication service.

Article 9 deals with location data, that is, data which provides a geographical position or location obtained through a public communication network but which is not traffic data. Such data can be processed only when the users are made anonymous or have given their consent. Processing for a given purpose and duration, and transmission to third parties, can take place only when the users have expressed their consent. Once users have given their consent, they can also withdraw it. Users may, at their discretion, give consent each time location data is processed, transmitted or manipulated by the service providers. The transmission of location data to third parties is restricted to the scope of offering value added services.

Article 12 requires providers of electronic communication to inform users, before they are included in any kind of directory, of the purpose of the directory and of how the directory can be used, whether it is offline or online. The users have the right to identify that data, modify it, or withdraw it from the directory.

Under Article 13, the Directive defines unsolicited email (e.g. spam), establishes rules for it, and restricts the use of email addresses for marketing purposes. This Article establishes an opt-in regime under which the users give prior agreement. Text messages, push mail (i.e. the message is received from the server where it is stored; always-on e-mail receiving capabilities) and similar forms of messaging that target users’ portable devices, such as smartphones and PDAs (e.g. iPhone, HTC), also fall within the scope of this Article.

Directive 2002/58 is a continuation of the Data Protection Directive and addresses a number of important new issues that come with advanced digital technologies in the field of communication networks. This Directive also implements specific requirements regarding the protection of personal data which had not been foreseen when Directive 95/46/EC came into place, given the technological developments available at that time (i.e. 1995). The development of the information society comes with new electronic communication services such as digital networks, which facilitate a faster and more global transfer of personal data between users. Besides the economic and technological benefits, the users’ privacy should be properly protected with up-to-date regulatory measures.

Stay tuned for the next post, which will present Directive 2006/24/EC, known as the “Data Retention Directive”.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Did you know about this Directive? Do you think that it effectively protects your rights in relation to the electronic communication field?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

  1. July 9, 2012 at 23:15

    Everything is very open with a clear explanation of the issues.
    It was truly informative. Your site is very helpful. Thank you for
    sharing!

  2. Dan Manolescu
    July 10, 2012 at 07:25

    Thank you. This is the purpose of this blog. I like to share my knowledge with others and learn from others as well.
    Best regards,
    Dan.

  3. April 18, 2013 at 16:48

    The Data Protection Act is a legislative section we do not pay much attention to and is more important than we think. Thank you for entering this data. Congratulations for the post.
