Directive on Privacy and Electronic Communications
article offers an overview and outline guide to
the European Directive on Privacy and Electronic
Communications which European Member States will
adopt by October 2002-2007. All web sites that are developed
in the European community need to ensure their sites
follow the general principles that are stipulated
in the Directive.
it has met with a flood of outrage from computer
users and service providers, this legislation is,
for once, technically better-informed than most
of the commentary that has been written about it.
The Directive (2002-2007/58/EC) was originally called
the `Telecommunications Data Protection Directive',
but has now been renamed the `Directive on Privacy
and Electronic Communications'. It is due for implementation
by October 2002-2007, and must therefore be incorporated
into national legislation by that date. The UK Government
will probably begin consultation on how best to
implement the Directive early in 2002-2007.
The legislation covers all public electronic communication
systems, not just computers and the Internet, although
service providers operating over the public Internet
are most significantly affected. Nothing in the
legislation affects the rights of agencies of the
state to monitor communications. Specifically excepted
are: ``public security, defence, State security
(including the economic well-being of the State
when the activities relate to State security matters)
and the activities of the State in areas of criminal
law''. There are, of course, existing safeguards
against abuse by the state of facilities for interception
of communications (e.g., Regulation of Investigatory
Powers Act, 2000).
Measures are to be put in place to protect the privacy
of confidential data in transit and in storage (article
3). In practice, computer-to-computer communication
can easily be protected against unauthorised access
by a technique such as SSL. Protection of data held
by the service is part of the overall access control
policy of the service provider. Presumably a provider
that takes reasonable precautions to prevent unauthorised
access, using the technology available at the time,
will comply with this part of the directive. Interestingly,
service providers will be obliged to inform end
users of potential security limitations that lie
outside the control of the provider. For example,
providers may be obliged to warn users about the
risks associated with sending and receiving information
using unencrypted protocols. States are require
to legislate for this privacy protection, which
means that it will be made an offence to eavesdrop
on Internet communications, among other things.
The most controversial aspect of the new legislation
is probably the `cookie clause' in the preamble.
To be sure, the legislation does not explicitly
is almost essential in all modern e-commerce systems.
For example, cookies are used to co-ordinate the
ongoing sequence of interactions between a Web browser
and a Web server for the duration of a session.
While this can be achieved in other ways, the use
of cookies simplifies things considerably. In this
practice, the cookie itself contains no personal
data, just a token that identifies the client on
clearly be found unacceptable by service providers
and knowledgeable users. In fact, however, the Directive
merely states that users should be ``offered the
opportunity to refuse'' a cookie. This could easily
be accomplished by warning users on entry to a service
that to proceed further will result in a cookie
being dispatched. The Directive does not require
service providers to find ways to operate that don't
rely on cookies; on the contrary it explicitly says
that use of a service may be made conditional on
acceptance of a cookie.
In my opinion, this section of the legislation would
have been improved if it had been explicitly limited
to cookies that are capable of allowing the elucidation
of personal data; in most e-commerce applications
cookies are used merely for session management,
and contain no such information.
Limitation on storage of
Service providers may store information about subscribers
for the purpose of billing and establishing communication
(article 12); it appears that they need not seek
explicit consent for this. Such data must only be
stored as long as it is necessary for the provision
of the service. All other uses of personal data
(this includes enabling the provision of other services
by the same supplier) require the informed consent
of the subscriber. This means that service providers
can't collect subscribers' e-mail addresses and
use them for subsequent distribution of promotional
material without explicitly getting consent. Subscribers
must be offered the opportunity to refuse consent
to further communications on each occasion a message
is dispatched. The sale of e-mail addresses for
marketing purposes will also be restricted.
Another much-commented passage is in article 13:
``The use of automated calling systems without human
intervention (automatic calling machines), facsimile
machines (fax) or electronic mail for the purposes
of direct marketing may only be allowed in respect
of subscribers who have given their prior consent.''
In other words, individuals must be protected from
spamming. The Directive does not specify what technical
measures are to be put in place to effect this measure
(but see the discussion of sender addresses below).
It appears also that spamming for purposes other
than `direct marketing' might not be caught by this
clause. So, for example, unsolicited invitations
to sign up for free services, which lead on to further
advertising, may not be `direct marketing' for these
A particular point of controversy in this measure
is that it allows member states to decide whether
consent should be on an `opt-in' or `opt-out' basis.
`Opt-in' means that a service provider may assume
consent to receiving unsolicited messages in certain
circumstances, but give an opportunity to withdraw
consent. `Opt-out' means that the service must seek
consent before any mailing. It appears that the
UK will probably adopt a `soft opt-in' scheme, where
it will be lawful for an on-line service to send
unsolicited mail to existing customers, but must
seek consent in advance to mail to anyone else.
As part of the anti-spam measures, the use of false
sender information in e-mail headers is to be prohibited.
If you are familiar with the SMTP protocol you will
know that the sender's e-mail address is arbitrary:
senders can include any information in this field,
and the e-mail service has little opportunity to
check its correctness. This is exploited by spammers
to avoid the flood of complaint that they would
otherwise receive after each bulk mailing. The problem
with this measure is that there is little or nothing
that service providers can do to enforce it. As
an individual Internet user I can, if I wish, set
up the e-mail client on my home computer to send
e-mails with a false sender address. If I do so,
then it would be extremely difficult for anyone
offended by one of my mailings to trace me. It would
be possible, for a person with sufficient technical
knowledge, to trace the message back to an ISP;
going beyond that point may require the ISP to divulge
information about its subscribers.
Despite the general concern, there is little for
legitimate service providers to fear in the new
legislation. It will be necessary to ensure that
users are told about the privacy implications of
using the service, and some care will have to be
taken to enable users to withdraw from direct marketing
systems without penalty. These are all things that
most service providers currently do anyway. The
measures relating to privacy of stored personal
data are mostly covered by legislation already.
Unscrupulous operators that don't want to comply
will probably be able to avoid the consequences
of their actions unless they are particularly careless.
In practice the real problems tend not to arise
within the EU anyway. The fact that the legislation
will be difficult to enforce does not, of course,
detract from its validity. The majority of computer
users will probably welcome the clear condemnation
of unreasonable spamming, even if it can't easily
be backed up by action.