The new law gives Member States potentially wide discretion to
order the retention of data by telcos and ISPs. It also introduces
a strict opt-in approach to spam and takes a hands-off approach to
the regulation of cookies. OUT-LAW.COM today spoke to a source at
the European Parliament who did not want to be named but called the
wording of the new position “frustratingly vague.”
Now that agreement has been reached on the terms of the
Directive, it will be formally adopted within a few months and will
be applied by the end of 2003. The final text will be published in
a few weeks. OUT-LAW.COM today obtained the text of some of
Parliament’s last-minute amendments.
Data Retention
Data retention was the most contentious issue in the draft
Directive. The final wording will provide that Member States can
decide to lift the protection of data privacy in order to conduct
criminal investigations or safeguard national or public security,
when this is considered to be a “necessary, appropriate and
proportionate measure within a democratic society”. There is no
guidance on how this wording should be interpreted.
If Member States are legislating to allow the lifting of the
protection of data privacy laws, the data can be retained for a
“limited period” only. There is no guidance as to the length of
period that is appropriate.
The legislative measures must be “in accordance with the general
principles of Community law.” The compromise also says that lawful
interceptions of electronic communications should be in
accordance with the European Convention of Human Rights and
Fundamental Freedoms and with the rulings of the European Court of
Human Rights.
Marco Cappato, a member of the Italian Radical Party, was the
Parliament’s draftsman for the legislation. His original draft did
not propose data retention for such potentially wide purposes. The
Parliament’s press office said today that Cappato has rejected any
responsibility for the outcome, which he describes as entailing
“massive restrictions on civil liberties” and running “counter to
the position of the Freedoms and Rights Committee.”
Ilka Schroeder MEP, shadow rapporteur of the United European
Left Group and draftsperson of the Industry Committee’s opinion
added:
“With today’s vote the European Parliament
supports the project of a surveillance union. From today on, the
fundamental right to privacy is fundamentally questioned for
everyone using electronic means of communication - no matter
whether they are telephone, internet or fax.”
Spam
Spam will be opt-in. This means that a consumer must have
indicated that he or she is willing to receive unsolicited
commercial e-mail, faxes or telephone calls from automated calling
systems before these communications can be legally sent. This will
change the current position in the UK although it reflects the
current position in some other Member States.
Contrary to the wording of today’s Commission and Parliament
press releases, the wording adopted does not include text messages
in this harmonised opt-in approach. Instead, the actual wording of
the Parliament’s amendments, some of which have been provided to
OUT-LAW.COM, states that unsolicited communications for purposes of
direct marketing, other than e-mail, fax or automated calling
systems, shall be opt-in or opt-out at the discretion of each
Member State. Accordingly, each of the EU’s 15 Governments must
decide whether or not to limit SMS spam to an opt-in system.
Finally, where a business obtains from its existing
customers their e-mail addresses in the context of sales or
services, that business can use the address for direct marketing of
its own similar products or services, provided the customer is
given the opportunity to opt-out.
Location data
According to the European Commission, the compromise states that
the use of mobile phone location data must be subject to the
explicit consent of the individual phone user and users should have
the possibility to temporarily block the processing of location
data at any time.
Cookies
OUT-LAW’s source at the Parliament criticised the ambiguity of
the adopted position on cookies. These are small text files that
can be sent to an internet user’s computer to store certain
information about that user for later use by the web site.
To the relief of the European internet industry, a hands-off
approach has been taken. The adopted wording says that storing
information on an internet user’s computer or accessing such
information is only allowed:
"...on condition that the subscriber or user is provided with
clear and comprehensive information in accordance with [the Data
Protection Directive about] the purposes of the processing and is
offered the right to refuse such processing".
This dilutes the European Council’s common position, which
required that the user received such information “in advance” of
the cookie being sent to the user’s computer. The concern for
e-commerce businesses was that, if they had to send information to
a potential customer in advance, they would lose the customer
through a mixture of confusion and impatience.
However, the new wording is far from clear. The words “in
advance” were removed; but to give the user the “right to refuse”
arguably implies the same thing. OUT-LAW’s source at the Parliament
agreed that the wording is very poor; but added that:
"in my opinion, it will be sufficient to make the information
readily available on a page of a web site and, as long as that
information includes instructions on how to delete a cookie that
has already been sent to the user, the business running the site
will be complying with the new rules."
It will be up to Member States to implement the Directive in
their own national laws, which presents an opportunity to clear up
the ambiguities – or introduce new ones.