EPrivacy Directive

Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially concerning cookies, which are now subject to prior consent. There are some interplays between the ePrivacy Regulation (ePR) and the General Data Protection Regulation (GDPR). Some EU lawmakers had hoped the ePrivacy Regulation (ePR) could come into force at the same time as the General Data Protection Regulation (GDPR) in May 2018. In this way, it would repeal the ePrivacy Directive 2002/58/EC and accompany the GDPR in regulating the requirements for consent to the use of cookies and opt-out options (ePrivacy Regulation on Europa.eu).


Subject-matter and Scope

The Electronic Privacy Directive has been drafted specifically to address the requirements of new digital technologies and ease the advance of electronic communications services. The Directive complements the Data Protection Directive and applies to all matters which are not specifically covered by that Directive. In particular, the subject of the Directive is the "right to privacy in the electronic communication sector" and free movement of data, communication equipment and services. The Directive does not apply to Titles V and VI (Second and Third Pillars constituting the European Union). Likewise, it does not apply to issues concerning public security and defence, state security and criminal law. The interception of data was however covered by the EU Data Retention Directive, prior to its annulment by the Court of Justice of the European Union. Contrary to the Data Protection Directive, which specifically addresses only individuals, Article 1(2) makes it clear that the ePrivacy Directive also applies to legal persons.


Main provisions

The first general obligation in the Directive is to provide security of services. The addressees are providers of electronic communications services. This obligation also includes the duty to inform the subscribers whenever there is a particular risk, such as a virus or other malware attack. The second general obligation is for the confidentiality of information to be maintained. The addressees are Member States, who should prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and "related traffic", unless the users have given their consent or conditions of Article 15(1) have been fulfilled.


Data retention and other issues

The directive obliges the providers of services to erase or anonymise the traffic data processed when no longer needed, unless the conditions from Article 15 have been fulfilled. Retention is allowed for billing purposes but only as long as the statute of limitations allows the payment to be lawfully pursued. Data may be retained upon a user's consent for marketing and value-added services. For both previous uses, the data subject must be informed why and for how long the data is being processed. Subscribers have the right to non-itemised billing. Likewise, the users must be able to opt out of calling-line identification. Where data relating to location of users or other traffic can be processed, Article 9 provides that this will only be permitted if such data is anonymised, where users have given consent, or for provision of value-added services. As in the previous case, users must be informed beforehand of the character of information collected and have the option to opt out.


Unsolicited e-mail and other messages

Article 13 prohibits the use of email addresses for marketing purposes. The Directive establishes the opt-in regime, according to which unsolicited emails may be sent only with prior agreement of the recipient. A natural or legal person who initially collects address data in the context of the sale of a product or service has the right to use it for commercial purposes provided the customers have a prior opportunity to reject such communication where it was initially collected and subsequently. Member States have the obligation to ensure that unsolicited communication will be prohibited, except in circumstances given in Article 13. Two categories of emails (or communication in general) will also be excluded from the scope of the prohibition. The first is the exception for existing customer relationships and the second for marketing of similar products and services. The sending of unsolicited text messages, either in the form of SMS messages, push mail messages or any similar format designed for consumer portable devices (mobile phones, PDAs) also falls under the prohibition of Article 13.


Cookies

The Directive provision applicable to cookies is Article 5(3). Recital 25 of the Preamble recognises the importance and usefulness of cookies for the functioning of the modern Internet and directly relates Article 5(3) to them, but Recital 24 also warns of the danger that such instruments may present to privacy. The change in the law does not affect all types of cookies; those that are deemed to be "strictly necessary for the delivery of a service requested by the user", such as, for example, cookies that track the contents of a user's shopping cart on an online shopping service, are exempted. The article is technology neutral, not naming any specific technological means which may be used to store data, but applies to any information that a website causes to be stored in a user's browser. This reflects the EU legislator's desire to leave the regime of the directive open to future technological developments. The addressees of the obligation are Member States, who must ensure that the use of electronic communications networks to store information in a visitor's browser is only allowed if the user is provided with "clear and comprehensive information", in accordance with the Data Protection Directive, about the purposes of the storage of, or access to, that information; and has given their consent. The regime so set up can be described as opt-in, effectively meaning that the consumer must give their consent before cookies or any other form of data is stored in their browser. The UK Regulations allow for consent to be signified by future browser settings, which have yet to be introduced but which must be capable of presenting enough information so that a user can give their informed consent and indicating to a target website that consent has been obtained. Initial consent can be carried over into repeated content requests to a website. The Directive does not give any guidelines as to what may constitute an opt-out, but requires that cookies, other than those "strictly necessary for the delivery of a service requested by the user", are not to be placed without user consent.


Criticism of the EU cookie consent law

EU cookie consent banners are pop-ups or notifications on websites asking whether users will accept browser cookies. The ePrivacy Directive requires websites to get explicit consent from users before storing cookies on their devices. Despite their intended privacy benefits, cookie consent banners are widely regarded as a nuisance. Users are constantly bombarded with these banners on almost every website they visit, disrupting their browsing experience. Europeans collectively lose approximately 575 million hours each year clicking through cookie consent banners mandated by EU law.


Literature


Full text of Directive

Guidance from the UK's ICO

Guidance from the French DPA CNIL (Translated into English)

Article 29 Data Protection Working Party Opinion 2/2010

Article 29 Data Protection Working Party Opinion 16/2011

History of the decision making

On spam: Asscher, L, Hoogcarspel, S.A, Regulating Spam: A European Perspective after the Adoption of the ePrivacy Directive (T.M.C. Asser Press 2006)

Edwards, L, "Articles 6 – 7, ECD; Privacy and Electronics Communications Directive 2002" in Edwards, L. (ed.) The New Legal Framework for E-Commerce in Europe (Hart 2005)

