Privacy Law and Policy Reporter
On 1 December 1997 the President of the European Council signed the EU Directive on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (see Privacy Laws & Business Newsletter September 1996, 21-25; August 1997, .3-4). This means that it is now on course for implementation by 24 October 1998 the same date as the EU general Data Protection Directive.
This Telecommunications Directive regulates the type of information telecommunications operators may collect on their customers, and extends protection to subscribers who are natural and legal persons. The Directive affects telephone marketing carried out by everyone. This is the first EU sectoral data protection directive.
Adopting the telecommunications data protection directive has taken seven years. The proposal for a Directive on the protection of telecommunications privacy was submitted in 1990 at the same time as the EU general Data Protection Directive. The common position of 1996 was amended, and eventually the Directive became subject to a conciliation procedure as the Council could not accept all the amendments put forward by the European Parliament. The final sticking point was on the extent to which member states should have discretion to permit charges for a subscriber to go ex-directory.
The Conciliation Committee approved the joint text on 4 November 1997. Having been formally approved by the Telecommunications Council on 1 December, and the European Parliament, (according to the European Commission), the Directive is now duly adopted. Member states are left with less than ten months to implement the provisions before 24 October 1998. The deadline for implementation is, however, extended by two years for the provisions on confidentiality of communications (Art 5).
In the UK, the government is likely to issue a consultative paper by March 1998. The Directive will then probably be implemented by way of regulations, except for Art 5. The government may implement Art 5 by way of primary legislation. Such legislation should clarify the scope and precise meaning of the ban on ‘interception or surveillance’, except for the ‘recording of communications in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication’
The current Directive complements the general Data Protection Directive 95/46/EC. While all general data protection provisions, such as notification apply, the new provisions determine additional data protection provisions for the telecommunications sector in particular. The purpose of the Data Protection Telecommunications Directive is to harmonise the member states’ legislations in this field, and to prevent any obstacles to the functioning of the internal market in the field of telecommunications services.
The Directive’s scope covers the processing of personal data in publicly available tele- communications services in public networks. The title no longer refers to ISDN and digital mobile networks, as the Directive applies to all types of such services. Public telecommunication networks mean not only transmission systems, but also, where applicable, switching equipment which is used, in all or in part, for the provision of publicly available telecommunication services. The Directive does not apply to activities that fall outside the scope of Community law, such as public security, defence, state security and criminal law areas. Nor does it appear to apply to closed private company networks.
The disagreement between some member states over whether legal persons should be included is reflected in the text. The Directive intends to protect, not only natural persons’ right to privacy, but also the legitimate interests of legal persons. Even though this Directive supplements the Data Protection Directive, member states are not obliged to extend the application of these general data protection provisions to the protection of the legitimate interests of legal persons. The Directive does not define what is meant by legitimate interest but leaves interpretation to the member states. Security to apply to Internet providers? Providers of telecommunications services are made responsible for ensuring the security of their services against unauthorised access and use. In cases of particular risks to security, the provider must inform subscribers (natural or legal persons) of the situation. In order to guarantee the confidentiality of communications, member states must prohibit listening, intercepting or recording of communications without users’ consent unless legally authorised. It is believed at DG XIII of the European Commission that the Directive applies to Internet service providers in the sense that they are also providers of telecommunications services. Therefore, Internet providers may have to take into account several provisions, for example, those on security and directory information.
Traffic data collected by telecommunications service provider must be erased or made anonymous at the end of a call. Certain data may be processed for billing purposes, but only until payment has been received or until the bill may be challenged. The provider may use this data for the marketing of its own services but only if the subscriber has given his consent. Consent is not required for processing already under way. In addition, the subscriber has a right to demand non-itemised bills. In bills which list the numbers called, member states may decide to require deletion of a certain number of digits to protect privacy. Member states are also encouraged to introduce methods of anonymous access to telecommunications services.
There will be less personal data in printed and electronic telephone directories in the near future than there is at present. Information on natural persons may be limited to the minimum required to identify the subscriber. This can mean using just an initial to avoid revealing the sex of the subscriber, or including only part of the address. Also, the legitimate interests of legal persons need to be sufficiently protected. It is likely that the member states will interpret this provision differently for different types of legal persons. The Directive establishes a general right that natural persons wishing to be excluded from directories need not pay for this option. If a member state nonetheless decides to allow operators to make a charge, the payment must not be so high that it discourages the individual from taking action, but should cover only their costs.
With regard to calling line identification (CLI), it is the responsibility of the provider to inform subscribers of the privacy options available. Where CLI is available, the user must be able to make a call without revealing his number to the person receiving the call. The provider must not charge for this option. While users (any natural person using the service) may choose this option on a per-call basis, subscribers may dedicate a line for the purpose. The receiving party should also be able to prevent the presentation of the number of an incoming call free of charge.
The Directive includes a provision on how to protect natural persons from unsolicited direct marketing calls. Direct marketing with the help of automatic calling systems or fax machines is only permitted to subscribers who have given their prior consent. The method of protection with regard to other direct marketing calls has been left to be determined by national legislation.
Telemarketing may suffer from the provisions on confidentiality. With the listening and recording of communications prohibited without the users’ consent, call centres may have to abandon the practice of monitoring their staff for training purposes by listening to conversations between staff and customers, unless users consent. The same problem could have been faced by financial services firms which routinely record telephone conversations in order to have proof of commercial transactions conducted over the phone. Recording of conversations can, however, be legally authorised in the course of a lawful business practice in order to prove a commercial transaction or any other business communication. This means that, for example, stockbrokers will be able to continue to record conversations with customers. Will this exemption to the confidentiality rule also apply to telemarketers?
The text of the Directive will be available from the Office of Official Publications, European Community, Luxembourg.Tel: + 352 499 281 Fax: + 352 407 915 or HMSO Books in the UK (Tel: 0171 873 9090).
Stewart Dresner is the publisher of Privacy Laws & Business Newsletter. Reprinted with permission from Privacy Laws & Business Newsletter, number 41, December 1997.