Data Protection Commissioner

Data Protection in the Telecommunications Sector

A Guide to the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003, as amended by SI 526 of 2008.

In 1997, the EU introduced Directive 97/66/EC in order to strengthen and clarify data protection and privacy rules in the telecommunications sector. The 1997 directive was replaced in 2002 by Directive 2002/58/EC, which updated the data protection rules for this sector. Directive 2002/58/EC was implemented in Irish law by the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations, 2003 (Statutory Instrument 535 of 2003), which came into effect on 6th November 2003. These Regulations were amended by SI 526 of 2008, which took effect on 13th December 2008. An informal consolidation of the Regulations is available here.

The Regulations lay down detailed rules which must be complied with by telecommunications companies and by companies using telecommunications and electronic communications networks for direct marketing. Companies that fail to comply commit a criminal offence that can be prosecuted by the Data Protection Commissioner. Each unlawful marketing message or call constitutes a separate offence which can attract a fine of €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 or 10% of turnover if the offender is a corporate body.

The Regulations set out, in some detail, the data protection standards that apply in the case of public telecommunications networks – including issues of security, privacy and direct marketing. The main features of the Regulations fall into seven categories, as follows.

1. Retention of detailed telephone records

Detailed records of people’s telephone calls may be kept for as long as necessary to enable bills and telecommunications providers’ interconnect payments to be settled, but no longer. Certain companies may be specifically required to retain such details for a longer period.

2. Storing and Accessing information on terminal equipment e.g. “Cookies”

Information cannot be stored on or retrieved from a person’s computer or other terminal equipment unless clear information is given to the individual and the individual has the right to refuse the placing or accessing of this information.

3. Calling Line Identification or “Caller ID”

Telephone users have the right to block their phone number, so that it is not displayed to other telephone users. Persons making direct marketing phone calls must not, however, conceal their phone number when making such calls.

4. Location Data

Location data, other than traffic data, can only be processed if made anonymous or with the consent of the individual for the provision of a value added service.

Overriding Caller ID & location processing rules – exceptional circumstances – see below

5. Public Telephone Directories

Individuals are to be informed about the purpose of directories. They have the right to be excluded from public phone directories, or to have their address and gender omitted to protect their privacy.

6. Direct Marketing

Unsolicited direct marketing e-mail cannot be sent to individuals unless they have given their prior consent. Individuals can sign up to a central ‘opt out’ register, to indicate that they do not wish to receive unsolicited telephone calls. Offenders are subject to fines of €5,000 per call or message on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 or 10% of turnover if the offender is a body corporate.

7. Enforcement and Compliance

The Data Protection Commissioner enforces the data protection aspects of the Regulations, and the Commission for Communications Regulation (ComReg) is responsible for ensuring compliance with some technical and practical elements of implementing the Regulations. 

Retention of detailed telephone records 

The Regulations provide that “traffic data” – details of the individual calls made by individuals – may be retained for as long as necessary to enable bills and telecommunications providers’ interconnect payments to be settled.

In applying this rule in practice, telecommunications companies should be mindful of the strong privacy impact of logging the details of particular calls made by individual subscribers.  The Data Protection Commissioner’s advice is that telecommunications companies should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed and to satisfy the obligations in interconnect agreements.  Details of calls made by subscribers should not routinely be kept for longer periods.  However, it is permissible to retain such data for longer periods if –

- the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved

- there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case

- there is some binding legal requirement to retain the data for a longer period (as is the case for retention for law enforcement purposes under EU and Irish legislation)

Subscribers also have the right not to receive detailed itemised bills, if they wish, as an extra step to safeguard their privacy.

Storing and Accessing information on terminal equipment e.g. “Cookies”

Information can only be stored on or retrieved from a user’s or subscriber’s terminal equipment (e.g. a computer or phone) if clear and prominent information is provided and the user or subscriber can refuse the placing or retrieving of this information. The information to be provided must include the purpose of storing or retrieving the information.

This regulation covers the use of “cookies” on websites but can cover other situations where information is placed on or retrieved from terminal equipment.

Information that is necessary to facilitate the transmission of a communication or information that is strictly necessary to provide an information society service requested by the user is not subject to this requirement. 

Calling Line Identification (“Caller ID”) 

Caller ID is the system that allows phone users to see the number of the person who is calling them.  The Regulations set out rules to ensure that the system respects people’s privacy rights.

The rules applying to Caller ID can be summarised as follows:

Rights for people making telephone calls

- Telephone subscribers have the right to hide or withhold their number, every time they make a call, so that the person they are calling cannot see it. This right must be easy to exercise and free of charge. This is referred to as ‘per-line’ withholding.

- Even if a telephone line is not routinely hidden, callers should be able to hide the number for particular calls. This is ‘per-call’ withholding, and again must be available easily and freely.

Rights for people receiving telephone calls

- People receiving telephone calls have the right to block Caller ID details of incoming calls from being displayed.  This function must be available easily and free of charge for reasonable use.

- People receiving telephone calls can prevent their own number from being displayed to people who have called them – i.e. the right to block ‘connected line identification.’

- People receiving telephone calls have the right to reject incoming calls by simple means, in cases where the caller has hidden or withheld the Caller ID.  

Processing Location Data

Location data, other than traffic data, can only be processed if made anonymous or with the consent of the individual for the provision of a value added service.

Full information must be given to users and subscribers, prior to obtaining their consent, on the type of location data that will be processed, the purpose and duration of processing, and whether the data will be passed to any third party for the provision of the value added service. The user can withdraw the consent given to process location data and shall also be given the option, using a simple means and free of charge, of temporarily refusing processing for each connection to the public communications network or for each transmission of a communication.

Overriding Caller ID & location processing rules – exceptional circumstances

In certain exceptional circumstances, people’s preferences regarding Caller ID and location data may need to be overridden, so that the number and/or location of the person making the call is available to the person receiving the call. These circumstances, provided for in the Regulations, are as follows –

For overriding Caller-ID rules

- where An Garda Síochána are investigating obscene or menacing phone calls

For overriding Caller-ID and location data rules

- where an emergency call is made (by dialling 999 or 112), to enable the emergency services to answer the call.

Information about Caller ID and location data

The Regulations provide that telecommunications companies must inform their subscribers about Caller ID services.  The companies are obliged to publish a notice giving these details, and to display the details in their public offices and on their websites.  The companies must also provide information, on request, about the circumstances in which the normal Caller ID settings and the withholding of location data can be overridden (see previous paragraph). 
 
Public telephone directories 

The Regulations contain rules for the publication of telephone directories, to ensure that the privacy of individual subscribers, whether natural persons or otherwise, is safeguarded.  The rules are as follows.

Before being included in a directory subscribers are to:

- be informed of the purpose including any embedded search functionality in electronic versions of the directory,

- be given the option of being included or not and

- be able to choose which of their personal details, for example, gender are included.

If the compiler of a directory has not already done so, it must provide information to subscribers currently listed on the purpose of the directory, including any embedded search functionality in electronic versions of the directory. If the subscriber does not object to being included in the directory within two months of receiving this information, then he or she is deemed to have consented.

Direct marketing

The Regulations cover the sending of unsolicited telephone calls, fax messages, e-mail and SMS for direct marketing purposes.

The Regulations set out the rules for recording subscribers’ indications that they do not wish to receive unsolicited telephone calls. This national ‘opt-out’ register must be consulted by direct marketers, and the wishes of subscribers must be respected. Individuals who wish to be included in the ‘opt-out’ register – i.e. individuals who do not wish to receive unsolicited telephone calls – should notify their telecommunications company, which will make the appropriate arrangements. Subscribers with unlisted numbers will automatically be included on the ‘opt-out’ register.

Note: The ‘opt-out’ register forms part of the National Directory Database (NDD) – the central phone directory which lists subscribers from all the telecommunications companies in Ireland – and its implementation is supervised by the Commission for Communications Regulation (ComReg).

- The use of automatic dialling machines, fax, e-mail or SMS text messaging for direct marketing to individuals is prohibited unless subscribers’ consent has been obtained in advance.

Where the subscriber is a customer, e-mail and SMS text messaging can be used for direct marketing purposes if an easy to use, free of charge opportunity is given to object to these marketing messages at the time of collection and on the occasion of each subsequent message.

- The use of automatic dialling machines or fax for direct marketing to non-natural persons or businesses is prohibited if the subscriber has recorded its objection in the National Directory Database or has informed the sender that it does not consent to such messages.

- The use of e-mail or SMS text messaging for direct marketing to non-natural persons or businesses is prohibited if the subscriber has informed the sender that it does not consent to such messages.

The person making a call must include in the call their name and, on request, their address and telephone number. The sender of an e-mail or SMS must include in the message their name and a valid address at which they can be contacted to opt out of such messages.

Penalties

A person who fails to comply with the rules on direct marketing is guilty of an offence and liable to a fine of €5,000 in respect of each unsolicited telephone call, fax message, e-mail or SMS text. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 or 10% of turnover if the offender is a corporate entity. In addition, the court may order that data connected with the offence be destroyed.

Enforcement

Most of the rules set out in the Regulations are data protection rules, and the Data Protection Commissioner is responsible for their enforcement, in line with his functions under the Data Protection Acts, 1988 & 2003.

Some of the rules have a technical character – e.g. Caller ID rules, establishment of an ‘opt-out’ register for direct marketing, and the security responsibilities of telecommunications companies – and the Commission for Communications Regulation (ComReg) is responsible for monitoring compliance with these rules.

In exercising their respective functions, the Data Protection Commissioner and the Director of Telecommunications Regulation shall cooperate fully with one another.

Finally, the Regulations confirm that if a person suffers loss or damage as a result of a contravention of any of the rules laid down in the Regulations, then the person shall be entitled to make a claim for damages in the courts.

Customer

The Regulations say that where electronic contact details are obtained from a customer in the context of the sale of a product or service then e-mail and SMS marketing may take place if an easy to use, free of charge opportunity is given to object to these marketing messages.

In order to be regarded as a customer, the sender must have sold a product or service to that individual or the individual must, as a minimum, have given their contact details directly to the sender in connection with the sale of a product or service. The sale of a product or service would not include a competition to win a free unit(s) of that product or service.

Consent

If the individual is not a customer then prior consent is required. This consent must be opt-in consent, i.e. where there is a statement on a form or on a website, it must say that if you wish to receive marketing material etc., then tick the box. The message should also set out the forms in which the marketing message may be sent, i.e. telephone, fax, e-mail or SMS text.





