Deadline for Member States to Implement EU Privacy and Electronic Communication Directive Passes

Date: Nov 04, 2003

On October 31st 2003, EU Member States were to have transposed into their national legislations Directive N° 2002/58/EC on Privacy and Electronic Communications. At this writing, a number of states still must adopt implementing legislation. Nevertheless, many of the provisions will apply to all companies using electronic media to communicate with customers and others.

The Electronic Directive, forming part of the so-called "telecoms package," seeks to tackle specific privacy related issues pertaining to public telecommunication networks and services, including data retention, sending unsolicited electronic messages, use of cookies, and inclusion of personal data in public directories. The bulk of the requirements are in fact a mere reiteration of the provisions of its predecessor — Directive 97/66/EC, which needed to be updated following the latest developments in this field. While many of the requirements apply only to telecommunications firms, some important provisions will apply more broadly, implicating website operations of and e-mail communications from all businesses. The following are the key additional requirements that will apply under the new Directive:

    • Cookies and similar tracking devices may be used only if the user is given "clear and precise" information about their purpose and role. Furthermore, users must have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.

    • Location data generated by mobile phones can only be further used or passed on by network operators with explicit user consent, unless the data are transmitted to emergency services or law enforcement authorities subject to strict conditions.

    • All unsolicited marketing communications (automatic calling machines, fax machines SMS or e-mails) are allowed only if the subscriber has given his prior consent. The exact nature of this consent may still vary under implementing national law, but the EU Commission takes the view that an opt-in consent is required. Companies that have obtained personal details from an individual in the context of the sale of a product may use that information to continue to market the same or a similar products, provided they give offer an opt-out opportunity with each message. While these provisions apply to "natural persons," Member States are required to assure that the interests of subscribers who are not natural persons in being free of unsolicited electronic communications are sufficiently protected.

    • Disguised identities and invalid addresses used by spammers will be outlawed. (The ban applies in principle to natural persons, but Member States may extend it to businesses as well).

    • Non-inclusion in subscriber directories or omitting of some data will have to be free of charge.

In spite of the fact that the deadline for Member State actions has been known for some time, most Member States have failed to implement within the deadline - only Austria, Denmark, Italy, Sweden and the UK (implementing regulations come into force on December 11, 2003) are on the list of those that have brought their national laws into line with the new standards.

For more information, please contact Sheila A. Millar at (202) 434-4143 or by e-mail at millar@khlaw.com, or Marek Lysy at 32(2) 536-0040 or by e-mail at lysy@khlaw.be.