Data protection in the electronic communications sector

Information is exchanged through public electronic communication services such as the internet and mobile and landline telephony and via their accompanying networks. These services and networks require specific rules and safeguards to ensure the users’ right to privacy and confidentiality.

ACT

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

SUMMARY

WHAT DOES THE DIRECTIVE DO?

It sets out rules to ensure security in the processing of personal data, the notification of personal data breaches, and confidentiality of communications. It also bans unsolicited communications where the user has not given their consent.

KEY POINTS

Providers of electronic communication services must secure their services by at least:

ensuring personal data are accessed by authorised persons only;
protecting personal data from being destroyed, lost or accidentally altered and from other unlawful or unauthorised forms of processing;
ensuring the implementation of a security policy on the processing of personal data.

The service provider must inform the national authority of any personal data breach within 24 hours. If the personal data or privacy of a user is likely to be harmed, they must also be informed unless specifically identified technological measures have been taken to protect the data.

EU countries must ensure the confidentiality of communications made over public networks, in particular they must:

prohibit the listening, tapping, storage or any type of surveillance or interception of communications and traffic data without the consent of users, except if the person is legally authorised and in compliance with specific requirements;
guarantee that the storing of information or the access to information stored on user’s personal equipment is only permitted if the user has been clearly and fully informed, among other things, of the purpose and been given the right of refusal.

When traffic data are no longer required for communication or billing, they must be erased or made anonymous. However, service providers may process these data for marketing purposes for as long as the users concerned give their consent. This consent may be withdrawn at any time.

User consent is also required in a number of other situations, including:

before unsolicited communications (spam) can be sent to them. This also applies to short message services (SMSs) and other electronic messaging systems;
before information (cookies) is stored on their computers or devices or before access to that information is obtained - the user must be given clear and full information, among other things, on the purpose of the storage or access;
before telephone numbers, e-mail addresses or postal addresses can appear in public directories.

EU countries are required to have a system of penalties including legal sanctions for infringements of the directive.

The scope of the rights and obligations can only be restricted by national legislative measures when such restrictions are necessary and proportionate to safeguard specific public interests, such as to allow criminal investigations or to safeguard national security, defence or public security.

WHEN DOES THIS DIRECTIVE APPLY?

From 31 July 2002.

BACKGROUND

This directive is one of five which together form the telecoms package, a legislative framework governing the electronic communications sector. The other directives cover the general framework, access and interconnection, authorisation and licensing and universal service.

The package was amended in 2009 by two directives on better law-making and citizens’ rights as well as by a regulation establishing the Body of European regulators for electronic communications.

For more information, see the European Commission’s ePrivacy directive website.

Following the COVID-19 outbreak and introducing measures to cope with the impact of the crisis, the European Commission adopted: Commission Recommendation (EU) 2020/518 of 8 April 2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data

REFERENCES

Act	Entry into force	Deadline for transposition in the Member States	Official Journal
Directive 2002/58/EC	31.7.2002	30.10.2003	OJ L 201 of 31.7.2002, pp. 37-47

Amending act(s)	Entry into force	Deadline for transposition in the Member States	Official Journal
Directive 2009/136/EC	19.12.2009	25.5.2011	OJ L 337 of 18.12.2009, pp. 11-36

RELATED ACTS

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal L 281 of 23.11.95, pp. 31-50).

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (Official Journal L 8 of 12.1.2001, pp. 1-22)

Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Official Journal L 105 of 13.4.2006, pp. 54-63) (declared invalid by Court of Justice ruling, see below).

Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Official Journal L 173 of 26.6.2013, pp. 2-8).

Joined Cases C-293/12 and C-594/12: Judgment of the Court (Grand Chamber) of 8 April 2014 (requests for a preliminary ruling from the High Court of Ireland (Ireland) and the Verfassungsgerichtshof (Austria)) - Digital Rights Ireland Ltd (C-293/12) v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General, and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and Others (C-594/12) (Electronic communications - Directive 2006/24/EC - Publicly available electronic communications services or public communications networks services - Retention of data generated or processed in connection with the provision of such services - Validity - Articles 7, 8 and 11 of the Charter of Fundamental Rights of the European Union) (Official Journal C 175 of 10.6.2014, pp. 6-7).

last update 25.05.2020