EU Adopts Directive on Privacy and Electronic Communications

Date: Jul 12, 2002

On July 12, 2002, the European Parliament and Council of the European Union adopted Directive 2002/58/EC, the Directive on Privacy and Electronic Communications (originally called the Telecommunications Data Protection Directive). While service providers are most affected by the Directive, all public electronic communications systems (such as company web sites and e-mails to consumers) are subject to its provisions. Those include provisions to protect the privacy of confidential data in transit and in storage, provisions on cookies, and anti-spam measures. As a practical matter, this means that e-mails must be sent on an opt-in basis within the EU. The Directive must be transposed into national law by October 31, 2003.

While the EU already has an existing, broad data protection law, Directive 95/46/EC, the EU Data Protection Directive, this new directive focuses on specific issues in the electronic communications environment. The dual aim is to harmonize Member State laws regarding privacy in processing personal data in the electronic communication sector, and to ensure the free movement of both data and electronic communication equipment and services within the EU.

Privacy, Security and Confidentiality

The Directive requires all providers of a "publicly available electronic communications service" to take "appropriate technical and organizational measures" to safeguard the security of its services. Service providers may consider state of the art and cost to ensure a level of security appropriate to the risk presented. This clearly allows for differentiated treatment of data (like credit card, health, or financial data) versus less sensitive data. An important element of the Directive is an obligation to inform end users of potential security limitations that lie outside their control. This is an issue to consider in posted privacy policies at web sites; many companies may use Secure Sockets Layer (SSL) technology to transmit credit card or order information, but even those sits cannot guarantee absolute security during transmission.

Traffic data related to subscribers and users must be erased or made anonymous when no longer needed for the purpose of the transmission, subject to certain exceptions. Data necessary for subscriber billing and interconnection payments may be processed for a limited period, and may be used for marketing electronic communications services subject to consent of the subscriber. Special notice provisions apply.


One of the more controversial amendments to the legislation is the so-called "cookie amendment," found in paragraph 25 of the Preamble. This provision was the subject of intense lobbying to emphasize that cookies are essential for navigation and other purposes in web sites. The Directive does recognize that cookies "can be a legitimate and useful tool," and states that use should be allowed "on condition that users are provided with clear and precise information" about the use of cookies as similar devices. Moreover, the preamble language explicitly states that access to specific website content may be made conditional on the well-informed acceptance of a cookie of similar device.

At one point, "prior" consent was required, an obviously unworkable requirement since cookies are set at most web sites as the visitor enters the site. In practice, then, the general view is that clearly describing how the site uses cookies and other devices (like web beacons) in a privacy policy, with a link prominently posted on the home page, should satisfy this obligation. Nevertheless, national Data Protection Administrators may address this issue in more detail in implementing legislation.

Unsolicited Communications

The other hotly-debated provision that has broad general application relates to Article 13 on unsolicited commercial communications. Prior consent is required to use automated calling systems, including e-mail, facsimile, and automatic telephone dialing systems, for the purpose of "direct marketing." There is an important exception. An organization that has obtained electronic contact information (e-mail address) in connection with the sale of a product or service may itself use that contact information for direct marketing of its own "similar products or services" on an opt-out basis. This exception still limits direct marketing efforts for companies offering diversified products or services, and could engender disagreement about the extent particular products or services are "similar." Similarly to laws adopted in a number of states in the U.S., the Directive prohibits the use of false sender information or e-mail headers.

While Member States may adopt variations on the type of prior consent that may be authorized (opt-in versus opt-out), as a practical matter, opt-in will likely be the standard for pan-European direct marketing via e-mail.


While the final Directive is less onerous than earlier versions, it still imposes new requirements not just on electronic communications service providers, but on all websites and on any company engaged in direct marketing using electronic communications media. As a practical matter, given the global nature of the Internet, global companies should begin considering now how to integrate these requirements into their global privacy and electronic communications policies.

For more information, please contact Sheila A. Millar at millar@khlaw.com, or via telephone at 202-434-4143.