European Union directive | |
Made by | European Parliament & Council |
---|---|
Made under | Art. 95 |
Journal reference | L201, 2002-07-31, pp. 37 – 47 |
History | |
Date made | 2002-07-12 |
Entry into force | 2002-07-31 |
Implementation date | 2003-10-31 |
Preparative texts | |
EESC opinion | C123, 2001-01-24, p. 53 |
EP opinion | C187, 2002-05-30, p. 103 |
Reports | |
Other legislation | |
Replaces | — |
Amends | — |
Amended by | Directive 2006/24/EC, Directive 2009/136/EC |
Replaced by | — |
Current legislation |
Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. [1] It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.
There are some interplays between the ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR). [2] Some EU lawmakers had hoped the ePrivacy Regulation (ePR) could come into force at the same time as the General Data Protection Regulation (GDPR) in May 2018. [3] In this way, it would repeal the ePrivacy Directive 2002/58/EC and accompany the GDPR in regulating the requirements for consent to the use of cookies and opt-out options. [1] [4] [5]
The Electronic Privacy Directive has been drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services. [6] The Directive complements the Data Protection Directive and applies to all matters which are not specifically covered by that Directive. [7] In particular, the subject of the Directive is the "right to privacy in the electronic communication sector" and free movement of data, communication equipment and services.
The Directive does not apply to Titles V and VI (Second and Third Pillars constituting the European Union). Likewise, it does not apply to issues concerning public security and defence, state security and criminal law. [8] The interception of data was however covered by the EU Data Retention Directive, prior to its annulment by the Court of Justice of the European Union.
Contrary to the Data Protection Directive, which specifically addresses only individuals, Article 1(2) makes it clear that ePrivacy Directive also applies to legal persons.
The first general obligation in the Directive is to provide security of services. [9] The addressees are providers of electronic communications services. This obligation also includes the duty to inform the subscribers whenever there is a particular risk, such as a virus or other malware attack. [10]
The second general obligation is for the confidentiality of information to be maintained. [11] The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and "related traffic", unless the users have given their consent or conditions of Article 15(1) have been fulfilled.
The directive obliges the providers of services to erase or anonymise the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled. [12] Retention is allowed for billing purposes but only as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained upon a user's consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed.
Subscribers have the right to non-itemised billing. [13] Likewise, the users must be able to opt out of calling-line identification. [14]
Where data relating to location of users or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymised, where users have given consent, or for provision of value-added services. Like in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out. [15]
Article 13 prohibits the use of email addresses for marketing purposes. [16] The Directive establishes the opt-in regime, according to which unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service, has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication where it was initially collected and subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13.
Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services. [17] The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13. [18]
The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of modern Internet and directly relates Article 5(3) to them but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted.
The article is technology neutral, not naming any specific technological means which may be used to store data, but applies to any information that a website causes to be stored in a user's browser. This reflects the EU legislator's desire to leave the regime of the directive open to future technological developments.
The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent.
The regime so set-up can be described as opt-in, effectively meaning that the consumer must give their consent before cookies or any other form of data is stored in their browser. The UK Regulations allow for consent to be signified by future browser settings, which have yet to be introduced but which must be capable of presenting enough information so that a user can give their informed consent and indicating to a target website that consent has been obtained. Initial consent can be carried over into repeated content requests to a website. The Directive does not give any guidelines as to what may constitute an opt-out, but requires that cookies, other than those "strictly necessary for the delivery of a service requested by the user" are not to be placed without user consent.
The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.
Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.
The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.
The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.
Email marketing is the act of sending a commercial message, typically to a group of people, using email. In its broadest sense, every email sent to a potential or current customer could be considered email marketing. It involves using email to send advertisements, request business, or solicit sales or donations. Email marketing strategies commonly seek to achieve one or more of three primary objectives: build loyalty, trust, or brand awareness. The term usually refers to sending email messages with the purpose of enhancing a merchant's relationship with current or previous customers, encouraging customer loyalty and repeat business, acquiring new customers or convincing current customers to purchase something immediately, and sharing third-party ads.
Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.
A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.
The term opt-out refers to several methods by which individuals can avoid receiving unsolicited product or service information. This option is usually associated with direct marketing campaigns such as e-mail marketing or direct mail. A list of those who have opted out is called a Robinson list.
Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.
HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.
Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.
The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.
A cold email is an unsolicited e-mail that is sent to a receiver without prior contact. It could also be defined as the email equivalent of cold calling. Cold emailing is a subset of email marketing and differs from transactional and warm emailing.
The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.
NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.
The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests.
Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH (2019) Case C‑673/17 is a decision of the Court of Justice of the European Union on the consent requirement for the placement of cookies under Article 2(f) and Article 5(3) of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy-Directive’), as amended by Directive 2009/136/EC.
Spy pixels or tracker pixels are hyperlinks to remote image files in HTML email messages that have the effect of spying on the person reading the email if the image is downloaded. They are commonly embedded in the HTML of an email as small, imperceptible, transparent graphic files. Spy pixels are commonly used in marketing, and there are several countermeasures in place that aim to block email tracking pixels. However, there are few regulations in place that effectively guard against email tracking approaches.
Federated Learning of Cohorts (FLoC) is a type of web tracking. It groups people into "cohorts" based on their browsing history for the purpose of interest-based advertising. FLoC was being developed as a part of Google's Privacy Sandbox initiative, which includes several other advertising-related technologies with bird-themed names. Despite "federated learning" in the name, FLoC does not utilize any federated learning.