Privacy Law and Policy Reporter
This article provides an overview of the provisions of the second draft Directive of the European Council and Parliament concerning the protection of personal data and privacy in the context of digital telecommunications networks, in particular, the Integrated Services Digital Network (ISDN) and digital mobile networks (the Directive) which was released in July 1994.
Directives are binding rules which, once adopted, apply to the 12 member States of the European Union (EU).
The original draft of the Directive was released concurrently with the General Data Protection Directive in July 1990. The general directive deals with privacy issues across all sectors whereas the Directive is a sectoral directive. The Directive is built on the provisions of the general data protection directive. Accordingly, amendments to the first draft of the general data protection directive took place prior to the revision of the Directive.
These directives are based on the need to ensure the rights and freedoms of a natural person to privacy as it relates to the processing of personal data in order to ensure the free flow of personal data within the EU.
The establishment of a directive is regarded as a way of providing an appropriate environment within which telecommunications can develop within the EU. It is also seen as a way of harmonising divergent legal, technical and regulatory provisions relating to privacy in the context of telecommunications across some EU member countries.
This proposal is premised upon the introduction of digitised public telecommunications networks throughout Europe. This technology has not been implemented in all countries and has limited operation in others. The Directive deals with several privacy concerns arising out of the application of this technology and related developments including: the security of personal data; itemised billing; calling number display; call return and call forwarding systems; the use of computerised telephone directories; and unsolicited phone calls especially where automatic calling equipment is used.
Some of these services flow from the existence of calling line identification technology which permits information to be generated, recorded and transferred across telecommunications networks. Thus telephone companies are able to provide customers with bills detailing the date, duration of calls and also the telephone number of the called party.
1. Major changes have taken place from the first draft of the Directive. The application of the subsidiary principle is responsible for many of these changes. This principle requires that directives do not provide unnecessary detail when this could properly be dealt with at individual member country level. The principle of subsidiary seeks a balance between the requirement to have a law covering the EU countries and the level of functional detail it prescribes.
It was determined that this Directive only required broad principles to be laid down, not the means of implementation. As a consequence of the application of this principle much of the detail contained in the original draft of the Directive has been deleted and only the broad principles remain.
2. The Directive was set in the context of 1988-1990 when the European Community, as it was then called, saw telecommunications as pivotal to the proper functioning of the Community. A number of the member countries had embarked on reforms to create a competitive environment in the industry.
Since then, the scope of global communications generally has broadened so that interactive media forms a substantial part of it. This wider vision of the use of communications media and the privacy issues it raises makes the proposed Directive seem a smaller, yet integral, part of the overall picture.
The Directive only relates to the processing of personal data by telecommunications networks within the European Union. Other communications media issues are left to be dealt with under the provisions of the proposed general data protection directive referred to earlier.
3. The Directive also applies to ''service providers' as well as telecommunications carriers. Service providers mean organisations which supply public digital telecommunications services to the public over public telecommunications networks. Service providers specifically include a person providing ''wholly or partly the transmission and routing of signals on a public telecommunications network, with the exception of radio broadcasting and television'. Thus, service providers do not include providers of private networks, for example, the Society for Worldwide Interbank Financial Telecommunications, nor will it extend to providers of interactive media which includes radio or television broadcasting. In this sense the Directive is quite narrow.
Security (art 4) Where a particular risk of breach of security exists, telecommunications organisations and service providers must advise subscribers of the risk and offer encryption facilities. The example cited is the use of mobile phones. There is some risk of these conversations being intercepted so that customers should be advised of the risks and the means of the encryption available to prevent it.
Billing data (arts 5 & 7) As indicated earlier, the use of calling line identification technology has permitted, inter alia, itemised billing. This provision sets out the information to be provided including details of the called number and the type and duration of the call. The Directive provides that access to the storage of this data must be restricted and the data shall only be stored up to the end of the statutory period during which the bill could be challenged.
Member countries must ensure that the privacy of ''calling users and called subscribers' is preserved. This refers to the debate over whether the last three or four digits of the called number should be suppressed on the bill. While this issue seems to have gained some prominence in Europe, disclosure of the complete number called has been regarded as acceptable in North America and, it seems, in Australia.
''CND'/Caller ID (arts 8 & 9) Calling Number Display CND or Caller ID is the heartland of the privacy debate in this area. Essentially, it requires a decision as to whether it is acceptable to permit the number of the calling party to be sent to the called party and to be displayed on a screen provided with the phone. This enables the called party to determine in many circumstances, the identity of the called party and thus whether or not to take the call. Modern technology permits this service to be enhanced by connecting it to a reverse telephone directory on a CD-ROM. In this way, the incoming number is matched to the name and address of the subscriber and may also be displayed on the screen and recorded.
The alternative regulatory approaches available for CND are either providing an ''opt in' or an ''opt out' approach. The opt in approach would require calling the parties to agree specifically to their telephone numbers being transmitted in this way. It is argued that this may lead to suboptimal use of the system. On the other hand, an opt out approach would automatically send the number to the called party unless one of several options was taken to exclude the transmission of the number. The methods of preventing the number being sent are either on a call-by-call basis (per call blocking), or to require that the telephone line itself is blocked and not able to send it at all (per line blocking).
Most jurisdictions have adopted the opt out approach providing some form of per line/per call blocking.
The Telecommunications Directive takes an opt out approach to CND requiring the blocking of the service either on a per line or per call basis. Called parties may also apply for the per line elimination of CND. This may be appropriate for services such as religious services or some help lines.
The Directive also specifies that there must be the ability for the called party to ''block the blocker'. This means that where the calling party has eliminated the CND, then the called party must be able to limit the receipt of these calls as some organisations may only wish to receive calls where CND is disclosed.
All these services must be offered free of charge. Thus there will be the inevitable cross-subsidisation by general subscribers of the use of these services.
There are a number of exceptions to the CND framework set out above. The elimination of CND may be overridden where:
A permanent override function is available where an organisation is set up to answer and deal with emergency calls, for example, police or ambulance services. Official fire brigade services are specifically recognised as being able to have this override facility.
Call forwarding (art 10) The Directive states that calls may only be forwarded by the called party to a third party where the third party has agreed to this.
Telephone directories (art 11) It is recognised that telephone directories provide an enormous repository of generally accurate personal information which has been made publicly available. In order to limit the scope and use of directories for any secondary purpose (for example, direct marketing), the Directive provides that information should be restricted to data needed to identify a particular subscriber unless consent has been given to provide further information.
Specifically, subscribers must have the right, free of charge, to have any reference to their sex deleted and to be omitted from the directory entirely.
Surveillance (art 12) In the important area of interceptions or surveillance of telecommunications, third parties shall only be permitted to do this subject to authorisation by the relevant judicial or administrative body.
In addition, the content of phone calls shall not be made available to third parties through the use of technical devices, including loudspeakers and tape recorders, without the consent of the user concerned.
Unsolicited calls (art 13) Telemarketing or market research has become a major issue in telecommunications privacy. There are two major issues. First, when, if at all, should these calls be permitted and if so, on what basis? Second, should automatic calling equipment be permitted to assist these callers?
The Directive requires member countries to take appropriate measures to ensure parties which do not wish to receive these calls are not bothered by them. There are a number of ways to achieve this including the provision of ''opt out' lists of subscribers maintained by industry associations. It may also be achieved by requiring marketers to use a certain prefix on their telephone numbers. In this way, calls with that prefix may be screened before the number is received by the called party if a screening device is being used.
The use of random or sequential dialling equipment is limited or banned in a number of countries (for example, Canada and the US). The Directive requires the called party's consent where such devices are used in conjunction with pre- recorded messages.
Future developments (art 15 and 18) It is foreseen in the Directive that further advances in telecommunications technology will take place. It sets down a procedure to recommend amendment or addition to the Directive to take account of these changes.
The Directive provides an interesting framework for dealing with a multitude of telecommunications privacy issues. Subject to the terms of the general directive, the precise mechanism used to implement the policy contained in the Directive remains, largely, up to member countries.
Already a number of countries inside and outside the EU have gone ahead and already dealt with many of these issues (for example, Canada, France, the UK and the US). Given that this Directive will not come into effect, if at all, until 1997-1998 or after, it is clearly not leading the debate. In the meantime, related issues concerning privacy and interactive media have arisen and are in need of attention. The processes for the adoption of this Directive are not serving the member countries of the EU well. The Directive may yet have a significant impact on countries which have yet to implement these technologies.
Non-European countries need, nevertheless, to maintain an active interest in the standards set down in both directives as they may influence, even belatedly, the shape of international telecommunications technology and networks
 Belgium, Denmark, France, Germany, Greece, Italy, Ireland, Luxembourg, the Netherlands, Portugal, Spain and the UK.
 The Council Directive concerning the protection of individuals in relation to the processing of personal data, Com (92) 422 final, Luxembourg. This reference is to the second draft of the Directive.
 See Recital (9) of the Telecommunications Directive, p 13.
 For example, see Recital (1) of the Telecommunications Directive, p 13.
 See Recital (4) of the Telecommunications Directive, p 14.
 See Recital (8) of the Telecommunications Directive, p 13.
 It also applies to analogue systems where technically possible. See article 3/3.
 Article 3.
 Article 2/2.
 Article 7.