Member States have until October 2003 to implement the provisions of the new Directive in their domestic laws. Today marks the last regulatory hurdle in passing a law that caused much controversy during its drafting. It is expected that the final text will be published next month.
Data retention was the most contentious issue in the draft Directive. The Directive provides that Member States can decide to lift the protection of data privacy in order to conduct criminal investigations or safeguard national or public security, when this is considered to be a “necessary, appropriate and proportionate measure within a democratic society”. There is no guidance on how this wording should be interpreted.
Where Member States legislate to lift the protection of data privacy, the data can be retained for a “limited period” only. There is no guidance as to what length of period is appropriate.
Spam will be opt-in. This means that a consumer must have indicated that he or she is willing to receive unsolicited commercial e-mail, text messages, faxes or telephone calls from automated calling systems before these communications can be legally sent. This will change the current position in the UK, although it reflects the current position in some other Member States.
Where a business obtains its existing customers' e-mail addresses in the context of sales or services, that business can use those addresses for direct marketing of its own similar products or services, provided the customer is given the opportunity to opt out.
The use of mobile phone location data must be subject to the explicit consent of the individual phone user and users should have the possibility to temporarily block the processing of location data at any time.
Cookies are small text files that can be sent to an internet user’s computer to store certain information about that user for later use by the web site. To the relief of the European internet industry, a hands-off approach has been taken. The final wording says that storing information on an internet user’s computer or accessing such information is only allowed:
"...on condition that the subscriber or user is provided with clear and comprehensive information in accordance with [the Data Protection Directive about] the purposes of the processing and is offered the right to refuse such processing".