EU watch: New consultation paper on EU Privacy Directive

On 27 March 2003, the DTI released its consultation paper on the UK implementation of the EU Directive on Privacy and Electronic Communications. The Directive is of particular importance to service providers who are involved in processing personal data in the electronic communications sector.

This includes any organisation engaged in the provision of online products or services or engaged in website, email or SMS marketing. If your organisation is involved in any of these activities, then it will need to take heed of the controls being introduced by the Directive and will need to commence planning what practical steps it ought to be taking to ensure that it is complying with the Directive's requirements.

The Directive requires implementation by Member States by the end of October this year. Public consultation on how to implement the Directive in the United Kingdom is currently open and is due to close on 19 June 2003. A copy of the consultation paper can be accessed by clicking here.

Use of Cookies

Cookies and similar tracking devices are often used by service providers to gather and store information for marketing, design and advertising purposes. They often take the form of small information files which are sent to and stored in a user's terminal and which can be recognised by the service provider whenever the user accesses its website.

The Directive only allows the use of such tracking devices if the user or subscriber:

• is given clear and comprehensive information about the purposes for which such device is being used, in accordance with the EU Data Protection Directive; and
• is offered the right to refuse such storage and processing of information.

This general requirement does not apply to the technical storage of, or access to, information:

• for the sole purpose of enabling or facilitating the transmission of a communication; or >li>where such storage or access is “strictly necessary in order to provide the online service.

In its consultation paper, the DTI considers that a service provider is likely to have met the general requirement if:

• there is a clearly signposted privacy or cookie statement on its website;
• such statement sets out clearly and comprehensively the purposes for which any tracking device is being used;
• where personal data is involved, such data is being processed in accordance with the requirements of the Data Protection Act 1998; and
• the service provider either makes its own switch-off facilities available or explains to users how to use the switch-off and alert facilities provided independently in browser programmes.

Unsolicited communications

The Directive also introduces new controls on unsolicited email and SMS marketing.

Broadly speaking, the prior consent of the user or subscriber is required for a service provider to use email or SMS for direct marketing purposes. However, this general requirement does not apply in the following limited circumstances:

• the email or SMS is sent in the context of an existing customer relationship;
• the service provider obtains the addressee’s contact details in the context of the sale of a product or service and in accordance with the Data Protection Directive;
• the service provider is marketing its own similar products and services; and
• the addressee is always able to opt out of future marketing, in an easy way and free of charge.

In its consultation paper, the DTI considers that in order to fall within the exemption outlined above:

• there does not necessarily have to be an actual purchase of a product or service to qualify for the exemption; provided, however, that the addressee’s contact details are obtained in contemplation of a future purchase; and
• in determining what falls within the ambit of “similar products, regard must be had to the kind of products the addressee would have reasonably expected the service provider to market at the time that the addressee gave or agreed to use of its contact details.

For further information, please contact John Armstrong on +44 (0)20 7367 2701, [email protected] or Matthew McMillan on +44 (0)20 7367 3073, [email protected].