Out-Law News 4 min. read
30 May 2002, 12:00 am
The new law gives Member States potentially wide discretion to order the retention of data by telcos and ISPs. It also introduces a strict opt-in approach to spam and takes a hands-off approach to the regulation of cookies. OUT-LAW.COM today spoke to a source at the European Parliament who did not want to be named but called the wording of the new position “frustratingly vague.”
Now that agreement has been reached on the terms of the Directive, it will be formally adopted within a few months and will be applied by the end of 2003. The final text will be published in a few weeks. OUT-LAW.COM today obtained the text of some of Parliament’s last minute amendments.
Data retention was the most contentious issue in the draft Directive. The final wording will provide that Member States can decide to lift the protection of data privacy in order to conduct criminal investigations or safeguard national or public security, when this is considered to be a “necessary, appropriate and proportionate measure within a democratic society”. There is no guidance on how this wording should be interpreted.
If Member States are legislating to allow the lifting of the protection of data privacy laws, the data can be retained for a “limited period” only. There is no guidance as to the length of period that is appropriate.
The legislative measures must be “in accordance with the general principles of Community law.” The compromise also says that lawful interceptions of electronic communications should also be in accordance with the European Convention of Human Rights and Fundamental Freedoms and with the rulings of the European Court of Human Rights.
Marco Cappato, a member of the Italian Radical Party, was the Parliament’s draftsman for the legislation. His original draft did not propose data retention for such potentially wide purposes. The Parliament’s press office said today that Cappato has rejected any responsibility for the outcome which he describes as entailing “massive restrictions on civil liberties” and running “counter to the postion of the Freedoms and Rights Committee.”
Ilka Schroeder MEP, shadow rapporteur of the United European Left Group and draftsperson of the Industry Committee’s opinion added:
“With today’s vote the European Parliament supports the project of a surveillance union. From today on, the fundamental right to privacy is fundamentally questioned for everyone using electronic means of communication - no matter whether they are telephone, internet or fax.”
Spam will be opt-in. This means that a consumer must have indicated that he or she is willing to receive unsolicited commercial e-mail, faxes or telephone calls from automated calling systems before these communications can be legally sent. This will change the current position in the UK although it reflects the current position in some other Member States.
Contrary to the wording of today’s Commission and Parliament press releases, the wording adopted does not include text messages in this harmonised opt-in approach. Instead, the actual wording of the Parliament’s amendments, some of which have been provided to OUT-LAW.COM, states that unsolicited communications for purposes of direct marketing, other than e-mail, fax or automated calling systems, shall be opt-in or opt-out at the discretion of each Member State. Accordingly, each of the EU’s 15 Governments must decide whether or not to limit SMS spam to an opt-in system.
Finally, where a business obtains from its existing customers their e-mail addresses in the context of sales or services, that business can use the address for direct marketing of its own similar products or services, provided the customer is given the opportunity to opt-out.
According to the European Commission, the compromise states that the use of mobile phone location data must be subject to the explicit consent of the individual phone user and users should have the possibility to temporarily block the processing of location data at any time.
OUT-LAW’s source at the Parliament criticised the ambiguity of the adopted position on cookies. These are small text files that can be sent to an internet user’s computer to store certain information about that user for later use by the web site.
To the relief of the European internet industry, a hands-off approach has been taken. The adopted wording says that storing information on an internet user’s computer or accessing such information is only allowed:
"...on condition that the subscriber or user is provided with clear and comprehensive information in accordance with [the Data Protection Directive about] the purposes of the processing and is offered the right to refuse such processing".
This dilutes the European Council’s common position, which required that the user received such information “in advance” of the cookie being sent to the user’s computer. The concern for e-commerce businesses was that, if they had to send information to a potential customer in advance, they would lose the customer through a mixture of confusion and impatience.
However, the new wording is far from clear. The words “in advance” were removed; but to give the user the “right to refuse” arguably implies the same thing. OUT-LAW’s source at the Parliament agreed that the wording is very poor; but added that:
"in my opinion, it will be sufficient to make the information readily available on a page of a web site and, as long as that information includes instructions on how to delete a cookie that has already been sent to the user, the business running the site will be complying with the new rules."
It will be up to Member States to implement the Directive in their own national laws which presents an opportunity to clear-up the ambiguities – or introduce new ones.