Explanatory Memorandum to COM(2000)385 - Processing of personal data and the protection of privacy in the electronic communications sector - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2000)385 - Processing of personal data and the protection of privacy in the electronic communications sector. |
|---|---|
| source | COM(2000)385  |
| date | 12-07-2000 |
The proposed Directive is intended to replace Directive 97/66/EC concerning the processing of personal data and the protection of privacy in the telecommunications sector, which was adopted by the European Parliament and the Council on 15 December 1997 and had to be transposed by 24 October 1998 at the latest.
The proposal is not intended to create major changes to the substance of the existing Directive, but merely adapts and updates the existing provisions to new and foreseeable developments in electronic communications services and technologies.
The majority of provisions of the existing Directive are therefore carried over in the new proposal, subject to minor drafting changes.
Contents
- 2. Aims and objectives
- 3. proposed changes
- Traffic data
- Location data
- Directories of subscribers
- Unsolicited communications
- 4. Privacy compliance of software and hardware used for electronic communications services
- 5. Description of articles
- Article 2 - Definitions
- Article 4 - Security
- Article 5 - Confidentiality of communications
- Article 6 - Traffic data
- Article 8 - Presentation and restriction of calling and connected line identification
- Article 16 - Transitional arrangements
One of the regulatory principles as set out in the context of the 1999 Review of the regulatory framework for electronic communications services, is the aim to creates rules which are technology neutral, this is not to impose, nor discriminate in favour of, the use of a particular type of technology, but to ensure that the same service is regulated in an equivalent manner, irrespective of the means by which it is delivered.
This also implies that consumers and users should get the same level of protection regardless of the technology by which a particular service is delivered. Maintaining a high level of data protection and privacy for citizens is one of the declared aims of the 1999 Review.
Definitions and terminology
In the present proposal the existing definitions of telecommunications services and networks in Directive 97/66/EC will be replaced by definitions of electronic communications services and networks to align the terminology with the proposed Directive establishing a common framework for electronic communications services and networks. The update of these definitions is necessary to ensure that all different types of transmission services for electronic communications will be covered regardless of the technology used.
Moreover, four new definitions are added of calls, communications, traffic data and location data to strengthen the common understanding of these terms and thereby improve the harmonised implementation of the relevant articles throughout the Community.
In the existing Directive 97/66/EC Article 6 on traffic data only refers to calls, which, if interpreted in the strict sense, only refers to so-called circuit switched connections (traditional voice telephony) but not to packet switched transmissions (data transmission, use of the Internet). It is not technology neutral to protect traffic data generated in the setting-up of traditional telephone calls but not similar traffic data generated in the process of transmission of communications over the Internet.
Therefore, the existing term to establish a call in Article 6.1 is replaced by the transmission of a communication so as to cover all traffic data in a technology neutral way.
A further change is made to Article 6 i by creating a possibility for further processing of traffic data, not just billing data, for the purpose of value added services with the consent of the subscriber or user. With the extension of the data protection safeguards to traffic data generated by any transmission network for electronic communications, the existing possibility for further processing of traffic data, limited to billing data and only for the direct marketing of the service providers electronic communications services, has become too narrow. Today, value added services have been developed and can be offered based on particular traffic data and there is no reason to prohibit such services in cases where the subscriber has consented to the use of traffic data for the purpose of these services.
On the other hand, it is very important for subscribers to be fully informed about the type of data which are being processed and the purposes for which this is done. For this reason, an explicit obligation to inform subscribers of the personal data which are being collected, is added in Article 6 i. This empowers the subscribers to control and, where necessary, object to ongoing data processing.
Finally, it is proposed to delete the Annex to Directive 97/66/EC on traffic and billing data. With the advent of many different electronic communications services which are billed in many different ways (metered, flat fee, pre-paid), the existing Annex does not stand the test of technological neutrality. The data mentioned in the Annex were only valid for traditional tarification methods for traditional voice telephony. For many services which exist today, the Annex includes too many data (those which are not relevant for billing) and for other services, the list missed out certain data which are relevant for other types of payment.
In today's mobile communications networks, location data giving the geographic position of mobile users or, strictly speaking, that of their terminal equipment, already exist. This information is necessary to enable the transmission of communications from and to a user without a fixed location. For cellular networks the location data may be relatively imprecise, depending on the surface of the cell within which the mobile user happens to be. For satellite communications systems, location information necessary for transmitting communications is even less precise. This type of crude location information, which is actually a by-product of the communication transmission service, is already covered by the existing Directive under traffic data.
However, a new type of service is available over cellular and satellite networks which allows the exact positioning of a mobile user's terminal equipment. Here the location data are far more precise and are specifically processed by the network for the purpose of providing value added services to users and subscribers. An example of such services are road transport telematic services providing traffic information and guidance to drivers.
Precise location data are also useful for emergency services to be able to send assistance or rescue teams to mobile users in distress who may not always be able to describe where they are exactly.
While mobile location based services must be welcomed as they can be of great use to the public, it is also necessary to ensure appropriate data protection and privacy safeguards. The capacity of processing very precise location data in mobile communications networks should not lead to a situation where mobile users are under permanent surveillance with no means to protect their privacy, other than not using mobile communications services at all.
For those location data which are not covered by Article 6 on traffic data, a new article is proposed, stipulating that such data may only be used with the consent of the subscriber, and providing subscribers and users with a simple means to temporarily deny processing of their location data in the same way as such means exist for calling line identification under Article 10.
The only exceptions to the principle of prior consent would be the use of location data by emergency services and the existing derogations for Member States for the purposes of public and national security and criminal investigations. For this purpose an override is created in Article 11 along the lines of the existing override for blocked calling line identification which can be used by emergency services. In addition, a reference to the new Article 9 is included in Article 15 i (ex Article 14(1)) to allow Member States to use location data where this is necessary for the purposes mentioned above.
The present article on Directories of subscribers in Directive 97/66/EC assumes that the default for subscribers listing is to be in a public directory, as it has traditionally been the case for fixed voice telephony services. It was therefore necessary to create a rather detailed list of possibilities which subscribers should have in deviation from the default option (right to be omitted from the directory, right to omit part of their address, right to have no reference to their gender) to enable them to protect their privacy.
The maintenance of including subscribers to fixed voice telephony services as a default situation in the existing Directive 97/66/EC, has been defended on the grounds that public directories of subscribers are in the interest of the public and part of universal service.
However, for new electronic communications services such as GSM and e-mail, it is no longer appropriate to assume that as a default subscribers to such services are in public directories. On the contrary, most subscribers do not want to make public their mobile telephone numbers and e-mail addresses and most service providers have in practice respected the wishes of their subscribers for good commercial reasons.
It is therefore necessary to align the Article on Directories of subscribers with this changed situation, by giving subscribers the right to determine whether they are listed in a public directory and with which of their personal data. This also allows a substantial simplification of the article because as it is no longer necessary to spell out the various privacy options which the subscriber should have. Obviously, the intention of the article is not to force directory service providers to include subscriber data beyond the purpose of the directory. The subscriber cannot insist on the inclusion of data outside the range which has been determined by the directory provider.
With a view to taking into account the various usage possibilities of , in particular, electronic public directories (such as reverse search functions enabling users of the directory to discover the name and address of the subscriber on the basis of a telephone number or other criteria), it is necessary to inform the subscribers of the respective purposes and to ensure that their consent to be included in the directory is based on full information about the ways in which their personal data can be used.
The existing Article 12 of Directive 97/66/EC provides protection against unsolicited calls for direct marketing purposes. However, since the term call has been interpreted in a narrow sense some of the national transposition law has only created protection against unsolicited voice telephony calls for direct marketing purposes, with the exclusion of direct marketing messages by e-mail or other new forms of communications.
To render the Article technology neutral, the term call is replaced by the term communication.
Moreover, electronic mail for direct marketing purposes other than at the request of a subscriber (so-called spam), will be covered by the same type of protection as exists for faxes. This means that spamming will be prohibited except with respect to subscribers who have indicated that they want to receive unsolicited e-mails for direct marketing purposes.
Four Member States already have bans on unsolicited commercial e-mail and another is about to adopt one. In most of the other Member States opt-out systems exist. From an internal market perspective, this is not satisfactory. Direct marketers in opt-in countries may not target e-mail addresses within their own country but they can still continue to send unsolicited commercial e-mail to countries with an opt-out system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market is unworkable in practice. A harmonised optin approach solves this problem.
In the context of the 1999 Review public consultation, some commentators have raised the question of existing software and hardware which processes personal data of the users and makes them available to third parties without the knowledge or consent of these users. The Working Party of Data Protection Commissioners established under Article 29 of Directive 95/46/EC i on the processing of personal data, had already addressed the problem of so-called invisible and automatic processing of personal data on the Internet performed by software and hardware. In its Recommendation 1/99 of 23 February 1999, the Working Party has described the problem of privacy invading features embedded in software and hardware used for communications over the Internet. The Working Party called on software and hardware industry to develop privacy-compliant products in line with data protection rules of the general data protection Directive 95/46/EC and the telecommunications data protection Directive 97/66/EC i. Since one of the objectives of the 1999 Review of the telecommunications regulatory framework is to ensure a consistent, technology neutral application of existing rules and propose amendments were technological neutrality is not guaranteed, the possibility to address the matter in the revision of Directive 97/66/EC has been examined.
Under the Directive providers of public telecommunications services and networks are under specific legal obligations to guarantee the security of their networks, to ensure the confidentiality of communications and to delete traffic data. At the same time some of the software which is necessary for new telecommunications services such as software used for sending e-mails and browsers used for surfing the Internet, does not comply with data protection rules as the Article 29 Working Party has noted. Clearly, there is no technological neutrality in a situation where the privacy of the user is protected depending on whether certain functionalities necessary for a telecommunications service are in the network or in the software.
However, the option of amending the Directive by extending its coverage from electronic communications services and networks to terminal equipment including software, is considered inappropriate. Instead, the Commission might propose measures under Article 3(3)(c) of Directive 1999/5/EC on telecommunications terminal equipment i which explicitly foresees the possibility of requiring manufacturers of terminal equipment to construct their product in such a way that they incorporate safeguards to ensure that the personal data and privacy of the user and of the subscriber are protected. Such measures could be proposed if privacy compliance of software and hardware remains unsatisfactory.
Article 1 - Object and Scope
Harmonises data protection requirements in order to allow free movement of data and of electronic communications equipment and services;
Explains link with general data protection Directive and confirms the exclusion of Title V and VI matters from scope of Directive.
(Unchanged except for replacement of telecommunication services by electronic communications services)
Aligns definitions with those of new Framework Directive, adds definitions of call, communication, traffic data and location data.
(Updated and extended)
Article 3 - Services concerned
Limits scope to electronic communications services available to the public;
Creates derogation option for analogue exchanges.
(Unchanged except for replacement of telecommunication services by electronic communications services and deletion of reference to ISDN and digital mobile networks for technological neutrality.)
Imposes responsibility for the security of services and networks on providers and obliges them to inform subscribers in case of residual security risks.
(Unchanged except for replacement of telecommunication services by electronic communications services)
Guarantees confidentiality of communications including the relevant traffic data and prohibits tapping or other forms of surveillance by third parties.
(Unchanged except for replacement of telecommunication services by electronic communications services and addition of traffic data necessary in view of the introduction of definitions for communication and traffic data)
Prohibits the use of traffic data except for billing purposes; extends coverage to all types of transmissions of electronic communications (not just calls); introduction of possibility for further data processing for value-added services based on consent of user/subscriber.
(Updated and extended)
Article 7 - Itemised billing
Gives subscribers right to non-itemised bills; obliges Member States to ensure availability of sufficient modalities for privacy friendly communications and payments.
(Unchanged except for small drafting change adding privacy enhancing)
Provides subscribers and users with safeguards to protect their privacy in view of calling line and connected line identification services (CLI).
(Unchanged)
Article 9 - Location data
Introduces privacy safeguards for subscribers and users with regard to mobile location information services. (New article)
Article 10 - Exceptions
Allows access to blocked CLI information for emergency services and for tracing of malicious calls; to be extended to new article on mobile location information.
(Unchanged except for inclusion of new Article 9)
Article 11 - Automatic call forwarding
Gives subscribers the right and means to undo the forwarding of calls to their line.
(Unchanged)
Article 12 - Directories of subscribers
Gives subscribers the right to determine whether and which of their personal information shall be included in a public directory and be fully informed of the purposes of the directory.
(Article simplified and deletion of possibility to charge for the right to be excluded from a directory; takes account of new electronic communications services and new types of directory services)
Article 13 - Unsolicited communications
Gives subscribers the right to refuse unsolicited communications for direct marketing purposes; Extended to cover all forms of electronic communications.
Electronic mail to be included under the opt-in system.
(Updated and extended)
Article 14 - Technical features and standardisation
Guarantees that data protection considerations may not lead to barriers to the single market for terminal equipment and software free movement and ensures that any mandatory requirements on terminal equipment and software to protect personal data and privacy may only be imposed through Community procedures.
(Update of references and terminology to new Radio and telecommunications terminal equipment Directive (1999/5/EC))
Article 15 - Application of certain provisions of Directive 95/46/EC
Specifies where Member States may restrict provisions of the Directive to safeguard public security and conduct criminal investigations;
Extends provisions of General data protection Directive on legal remedies and proceedings of working party to this Directive.
(Unchanged except for inclusion of new Article 9 in scope of derogation for public security reasons, replacement of telecommunication services by electronic communications services and deletion of committee procedure as their only role in the context of this directive was the amendment of the Annex which has disappeared).
Transitional arrangement for editions of public directories already existing before the transposition of the Directive.
(Part of previous transitional arrangements has been deleted as they are no longer relevant following transposition of Directive 97/66/EC)
Article 17 - Transposition
Provides ultimate date of transposition.
(Date adapted)
Article 18 - Entry into force
(Standard clause)
Article 19 - Addressees
(Standard clause)
Conclusion
The present proposal aims to ensure that a high level of protection of personal data and privacy will continue to be guaranteed for all electronic communications services regardless of the technology used.