The Directive on Privacy and Electronic Communications (2002/58/EC)

Overview

Summary of Changes
 
Implementation in the UK

Government Response to Consultation

List of Respondees

The Privacy and Electronic Communications (EC Directive) Regulations 2003

Guidance on the Regulations

Contact Us

Background

Operation "Secure Your Server"

Memorandum of Understanding against Spam

( international action regarding enforcement against spammers)

Government Contact

Further Information and Links

Overview

As part of the European Commission's 1999 Review of the communications framework, a draft proposal to update the existing Telecoms Data Protection Directive (97/66/EC) was adopted on 12 July 2000, formerly known as the Communications Data Protection Directive (CDPD) but now known as the Directive on Privacy and Electronic Communications (DPEC). The overriding aim of the new Directive is to take account of technological changes and to make the provisions as technology-neutral as possible. Documents detailing the progress of the draft Directive are available on the European Commission's website on the new communications regulatory framework here.

The final Directive, the DPEC, was adopted on 12 July 2002 and required implementation in Member States by 31 October 2003.

A public consultation on how to implement the DPEC in the UK was launched on 27 March 2003, and ran for 12 weeks, closing on 19 June 2003. Final implementing Regulations were prepared, taking into account the responses received, and were laid before Parliament on 18 September 2003, coming into force on 11 December 2003.

Summary of Changes

The new Directive:

• replaces existing definitions for telecommunications services and networks with new definitions for electronic communications and services to ensure technological neutrality and clarify the position of e-mail and use of the internet;
• enables the provision of value added services based on location and traffic data, subject to the consent of subscribers (for example, location based advertising to mobile phone users);
• removes the possibility for a subscriber to be charged for exercising the right not to appear in public directories;
• introduces new information and consent requirements on entries in publicly available directories, including a requirement that subscribers are informed of all the usage possibilities of publicly available directories - e.g. reverse searching from a telephone number in order to obtain a name and address;
• extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones; UCE and SMS will be subject to a prior consent requirement, so the receiver is required to agree to it in advance, except in the context of an existing customer relationship, where companies may continue to email or SMS to market their own similar products on an 'opt-out' basis;
• specifies that Member States may introduce provisions on the retention of traffic and location data for law enforcement purposes;
• introduces controls on the use of cookies on websites. Cookies and similar tracking devices will be subject to a new transparency requirement - anyone that employs these kinds of devices must provide information on them and allow subscribers or users to refuse to accept them if they wish.

Implementation in the UK

 

On 27 March 2003 the DTI launched a twelve-week public consultation on how best to implement the Directive in the UK.  The consultation closed on 19 June 2003.

The consultation document can still be accessed from the links below, in both  .doc and .pdf formats, either by the section(s) you are interested in, or as a complete document (126 pages).

Alternatively, hard copies of the complete consultation document are available from the DTI Publications Orderline, quoting reference URN 03/762:

Online: http://www.dti.gov.uk/publications/

E-mail: publications@dti.gsi.gov.uk

Telephone: 0870 1502 500
Fax: 0870 1502 333
Mail: DTI Publications Orderline
       ADMAIL 528
       London
       SW1W 8YT

Government Response to Consultation

The Government published its Response to Consultation on 18 September 2003.  This summarises the responses to consultation and the key changes that the Government has made in finalising the Privacy and Electronic Communications (EC Directive) Regulations 2003 as a result.  The Government Response is available in PDF (110 Kb) and MSWord (90 Kb) formats.

List of Respondees

A list of those who responded to the consultation is available in PDF (55 Kb) and MSWord (102 Kb) formats.  Details of respondees identified by us as private individuals have been omitted from the list to protect their privacy.

Given the volume of responses received during the consultation – more than 420 in all – we have decided not to publish these in full on this website.  However, if you would like to see a hard copy of a non-confidential response from an organisation on the published list of respondees, please email a request to cdpd@dti.gsi.gov.uk remembering to include both your name and address, and the name of the respondee.

The Privacy and Electronic Communications (EC Directive) Regulations 2003

The Regulations, Statutory Instrument 2003 No. 2426, were laid before Parliament on 18 September 2003.  The final text of the Regulations is available on the HMSO Website.

The Regulations came into force on 11 December 2003.

A final version of the Regulatory Impact Assessment on the Regulations is available in PDF (37 Kb) and MSWord (118 Kb) formats, or in hard copy on request from the Government Contact

A transposition note has been prepared to show how the Articles in the DPEC are being implemented, and is available in PDF (109 Kb) and MSWord (67 Kb) formats.

Guidance on the Regulations

Guidance notes on the new provisions have been prepared by the Information Commissioner – the enforcer of the new Regulations.  It is available on the ICO website on their electronic communications guidance pages, and also below in two parts in PDF format:

ICO guidance Part 1 (610 KB)

ICO guidance Part 2 (385 KB)

The Interactive Advertising Bureau (IAB) provides independent guidance for Internet users and online operators on the use of cookies and how to notify users of them under the new rules at: www.allaboutcookies.org

An explanatory note for subscribers on their rights over unsolicited phone, fax, e-mail and SMS marketing is available here.

Contact Us

If you would like to be included on our contact list on this Directive, to hear about future developments, please either email your details to cdpd@dti.gsi.gov.uk or send them in writing to the address given under Government Contact, clearly stating your interest in being kept informed of developments on the DPEC.

The cdpd@dti.gsi.gov.uk inbox can also be used for enquiries on the new provisions, but please note that the DTI cannot give legal advice on the new provisions, and many questions relating to interpretation of the new Regulations and compliance advice.

Background

On the 30 May 2002 the European Parliament voted to accept a compromise text, opening the way for formal adoption of the DPEC on 12 July 2002. Information about the key stages in negotiations is available on the European Commission's website here.

The text of the Directive can be accessed on the European Commission's website here.

The DPEC is one of the measures that arose from the European Commission's 1999 Review of the regulatory framework for electronic communications. Other key elements of the Review package include the Framework Directive (2002/21/EC), the Access Directive (2002/19/EC), the Authorisation Directive (2002/20/EC) and the Universal Service Directive (2002/22/EC), implemented in the UK via the Communications Act 2003.

The DPEC, which was adopted on 12 July 2002, makes a number of changes, in the light of technological developments, to the current Directive (97/66/EC) concerning the processing of personal data and the protection of privacy in the telecommunications sector.

The new Directive replaces existing definitions for telecommunications networks and services with new definitions for electronic communications networks and services. These changes are intended to ensure technological neutrality and interoperability among networks and systems in order to facilitate the provision of a wide range of electronic communications services and guarantee the maximum level of consumers' personal data and privacy protection.

In particular, the new Directive enables the provision of value added services based on location and traffic data, subject to the consent of subscribers. It removes the possibility of a subscriber being charged for exercising the right not to appear in public directories. It introduces also new information and consent requirements on entries in publicly available directories, including a requirement that subscribers are informed of all the usage possibilities of publicly available directories (e.g. reverse searching from a telephone number in order to obtain a name and address).

In addition, the new Directive clarifies the position of e-mail and use of the Internet and extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones. Finally, it allows Member States to introduce provisions on the retention of traffic and location data for law enforcement purposes and it introduces controls on the use of cookies on websites.

Operation Secure your Server : the UK, USA and 26 other governments united to improve server security in the fight against Spam

Operation ‘Secure Your Server’ was launched on 29th January 2004, as one of the first large scale initiatives to fight spam (or Unsolicited Commercial Emails - UCE) worldwide. It aims to educate the Internet community about how to secure their servers to prevent them from forwarding spam unintentionally.  

The Department of Trade and Industry (DTI), the Information Commissioner’s Office (ICO) and the Office of Fair Trading (OFT) are amongst the main protagonists of this initiative led by the US Federal Trade Commission (FTC), in which 26 other nations will cooperate.

In total 32,955 emails were sent out to the operators of potententially unsecure servers, covering 19,819 domains and 119,211 IP numbers in 196 countries. 

As of mid-April 2004, more than 79,167 accesses were registered to the Secure Your Server homepage (http://www.ftc.gov/secureyourserver/ ) since the email letters were sent in January 2004.  The Secure Your Server homepage is dedicated to the project, and contains many links to information detailing how to fix unsecure servers.  The monthly breakdown of access to the webpage is as follows:

January 2004:                                  41,640

February 2004:                                23,618

March 2004:                                        9,272

April 2004:                                           3,961

This represents a very high and impressive access rate by FTC standards. While this certainly is not a scientific measure of success of this educational campaign, it certainly indicates that we were able to generate significant interest in the issue and, hopefully, induce action on the part of operators of unsecure servers. 

We are currently in the process of considering any possible next steps we could take in combating the problem of unsecure servers and their role in spamming operations.

Read the press release – click here

Go to the FTC’s dedicated page: www.ftc.gov/secureyourserver

(DTI is not responsible for the content of external sites)

Operation Secure Your Server: Full Background - click Here

Memorandum of Understanding (MoU)

The DTI, the Office of Fair Trading (OFT) and the Information Commissioner (ICO) announced on Friday 2 July 2004 that they had signed a Memorandum of Understanding (MoU) with the Federal Trade Commission (FTC) in the United States, the Australian communications Authority (ACA) and the Australian Competition and Consumer Commission (ACCC) for mutual assistance in the enforcement of spam laws.

The Memorandum of Understanding (MoU) aims to deal with the problem of spam as it increasingly threatens the growth of the internet and the information society as a whole. It will mean for the first time that:

* Enforcement authorities in the UK, United States and Australia will work together to investigate spammers in those countries;
* enforcement authorities across all three countries will take part in joint training initiatives to combat spam;
* international solutions and strengthening capabilities will be developed to trace and convict spammers; and
* cross border enforcement against spammers will take effect.

You can download the MoU as a PDF document by clicking here.

A full press release can be found at: http://www.gnn.gov.uk/environment/detail.asp?

ReleaseID=121897&NewsAreaID=2&NavigatedFrom

Department=True
 

Information is also available on the FTC website under http://www.ftc.gov/spam/ and http://www.ftc.gov/opa/2004/07/mou.htm

The website of the Australian Communications Authority at http://www.aca.gov.au/consumer_info/spam/index.htm

And on the website of the Australian Competition and Consumer Commission at http://www.accc.gov.au/content/index.phtml/itemId/8135

Click HERE to find out more on SPAM.

Government Contact

Mr Ihtsham Hussain

Telecoms Policy

BAY 207

151 Buckingham Palace Road

London

SW1W 9SS

Telephone: +44 (0)20 7215 2969

Fax: +44 (0) 20 7215 1721

E-mail:cdpd@dti.gsi.gov.uk

Further Information and Links

The Telecoms Data Protection Directive 97/66/EC (PDF format)

DTI pages on the Telecoms Data Protection Directive

The Directive on Privacy and Electronic Communications (2002/58/EC)  (PDF format)

The Privacy and Electronic Communications (EC Directive) Regulations 2003 are available on the HMSO Website.

The E-commerce Directive - implementing Regulations have provisions affecting UCE

See www.allaboutcookies.org for background on cookies from the Interactive Advertising Bureau

The URL for the Information Commissioner’s website is

www.informationcommissioner.gov.uk

The DTI/DCMS Communications Act 2003