New e-Privacy directive comes into law in Ireland (covers electronic marketing)
Last Friday evening, 1 July 2011, the Irish Government Minister for Communications, Energy & Natural Resources, Mr Pat Rabbitte TD, signed a Ministerial Order (known as a Statutory Instrument – an SI) to give effect to the EU e-Privacy Directive (which was originally scheduled to come into force on 26 May 2011). The Irish SI has therefore been in effect since 1 July 2011. It is not subject to debate in the Oireachtas, but a copy of the Order will be formally placed in the Oireachtas library.
Responsibility for implementing the new Order will rest with the Irish Office of the Data Protection Commissioner, who has issued a press release and a Guidance note on it, both of which are attached for your information. The Guidance note is a 9-page document and it covers cookies, breaches of data security, phone marketing etc.
The new regulations apply to electronic communications companies (telecom providers and ISPs) “and to any entity using such communications and electronic networks to communicate with a customer via phone, web, e-mail” etc.
This is a very important development and carries implications for any organisation that engages in electronic marketing. Please bring this mail and the attachments to it to the notice of whoever is responsible for Digital/e-marketing in your company.
The notes make the following specific reference to how companies should manage “traffic data” (section 5a):
“The Regulations provide that “traffic data” – details of the calls, emails, text messages, fax messages, internet access via an IP address made by subscribers (excluding content) – may only be retained by the service provider for as long as necessary to enable bills and telecommunications providers interconnect payments to be settled and to meet specific legal requirements.
In applying this rule in practice, electronic communications service providers should be mindful of the strong privacy impact of logging such details. They should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed, to satisfy the obligations in interconnect agreements and to meet legal requirements… Details of traffic data relating to subscribers should not routinely be kept for longer periods. However, it is permissible to retain such data for longer periods if:
- the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved
- there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case”.
Section 5b makes the following point about use of data for marketing purposes and the need to obtain prior consent from the user:
“Prior consent is required if a service provider wishes to use traffic data for the purpose of marketing its own electronic communication services or for the provision of value added services. The subscriber must be informed in advance of the types of traffic data to be used, how long it will be used for and be given the possibility to withdraw at any time the consent they may have given for the use of their traffic data. A user must be informed of the means by which they can withdraw their consent”.
The reference in the notes to cookies is as follows:
“6. Storing and Accessing information on terminal equipment e.g. “Cookies”
Information – not just personal data – may not be stored on or retrieved from a person’s terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual: (a) has been given clear and comprehensive information about why this is being done and (b) has given her/his consent. This Regulation covers the use of “cookies” [2] by websites but can also cover other situations where information is placed on, or retrieved from, terminal equipment. An example of this may be via an “app.”
Information that is necessary to facilitate the transmission of a communication, or information that is strictly necessary to provide an information society service explicitly requested by the user, is not subject to this requirement (IAPI italics). If a cookie is strictly necessary to facilitate a transaction requested by the user – for example, storage of items in a shopping cart on an online website – advance consent will not be required. This will be the case where the cookie is stored only for as long as the “session” is live and will be deleted at the end of the session. Information on such use should be readily available to the user of a website.
In all other cases, the requirement for clear and comprehensive information that is prominently displayed and easily accessible will apply, as well as the requirement for user consent.
The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be as user friendly as possible. They envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings. In order to meet the legal requirements, such settings would require, as a minimum, clear communication to the user as to what s/he was being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved. It is particularly important that the requirements are met where so called “third party” or “tracking” cookies are involved – such as when advertising networks collect information about websites visited by users in order to better target advertising (“behavioural advertising”). The Article 29 Working Party in its Opinion 2/2010 has provided advice on how the requirements might be met.
The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users’ equipment. The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation (IAPI italics).
(Note 2: A cookie is a small file that can be downloaded to a PC or other device when the user accesses certain websites. A cookie allows a website to “recognize” the user’s device.)