Guidance Note on Data Protection in the Electronic Communications Sector
This guidance is also available in pdf format here.
- Sectoral Areas Affected
- Data Security
- Data Breach Requirements
- Traffic Data
5b. Itemised Bills
5c. Use of Traffic Data
- Storing and Accessing information on terminal equipment e.g. "Cookies"
- Calling Line Identification ("Caller ID")
- Processing Location Data
8a. Overriding Caller ID & location processing rules – exceptional circumstances
8b. Information about Caller ID and location data
- Public telephone directories
- Direct marketing
- Phone (All Subscribers)
- Automated Calling Machines
12a. Individual Subscriber
12b. Business Subscriber
13a. Individual Subscriber
13b. Business Subscriber
- Electronic Mail
14a. Individual Customers
14b. Individuals ("Natural Persons") who are not Customers
14c. Business Contacts (Customers and non Customers)
14d. SMS Messages with "tagged on" marketing
- Enforcement and Compliance
- Offences and Penalties
Special data protection rules apply to the protection of personal data by data controllers in the electronic communications sector. These are in addition to the general obligations that apply to all data controllers under the Data Protection Acts. Obligations also arise for entities acting on behalf of data controllers in this sector.
The additional obligations are in the areas of data security (including data breaches), marketing, data retention and data disclosure. Failure to comply with these obligations can lead to severe criminal penalties.
The rules are contained in the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations, 2011. These Regulations give effect to the European Union's ePrivacy Directives (1).
The Regulations apply directly to electronic communications companies (telecommunications companies & internet services providers) and to any entity using such communications and electronic communications networks to communicate with customers, e.g. by telephone, via a website or over email, etc.
The Regulations make more explicit the general requirement under the Data Protection Acts to keep personal data safe and secure. Data controllers in the electronic communications sector must give effect to a specific security policy which protects personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure of personal data; ensure that personal data can only be accessed by authorised personnel for legally authorised purposes; and provide information to subscribers on any particular risk of a breach of the security of [a] public communications network.
The general effect of the Regulations is to make the provisions of the existing Code of Practice legally binding in the electronic communications sector. In addition, the Regulations provide that all breaches in this sector be reported to the Office of the Data Protection Commissioner.
The Regulations provide that "traffic data" – details of the calls, emails, text messages, fax messages, internet access via an IP address made by subscribers (excluding content) – may only be retained by the service provider for as long as necessary to enable bills and telecommunications providers interconnect payments to be settled and to meet specific legal requirements.
In applying this rule in practice, electronic communications service providers should be mindful of the strong privacy impact of logging such details. They should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed, to satisfy the obligations in interconnect agreements and to meet legal requirements (notably the retention obligations set out in the Communications (Retention of Data) Act 2011.
Details of traffic data relating to subscribers should not routinely be kept for longer periods. However, it is permissible to retain such data for longer periods if –
- the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved
- there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case
Subscribers also have the right not to receive detailed itemised bills, if they wish, as an extra step to safeguard their privacy.
Prior consent is required if a service provider wishes to use traffic data for the purpose of marketing its own electronic communication services or for the provision of value added services. The subscriber must be informed in advance of the types of traffic data to be used, how long it will be used for and be given the possibility to withdraw at any time the consent they may have given for the use of their traffic data. A user must be informed of the means by which they can withdraw their consent.
Information – not just personal data - may not be stored on or retrieved from a person's terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual: (a) has been given clear and comprehensive information about why this is being done and (b) has given her/his consent. This Regulation covers the use of "cookies"(2) by websites but can also cover other situations where information is placed on, or retrieved from, terminal equipment. An example of this may be via an "app."
Information that is necessary to facilitate the transmission of a communication, or information that is strictly necessary to provide an information society service explicitly requested by the user, is not subject to this requirement. If a cookie is strictly necessary to facilitate a transaction requested by the user - for example, storage of items in a shopping cart on an online website - advance consent will not be required. This will be the case where the cookie is stored only for as long as the "session" is live and will be deleted at the end of the session. Information on such use should be readily available to the user of a website.
In all other cases, the requirement for clear and comprehensive information that is prominently displayed and easily accessible will apply, as well as the requirement for user consent.
The Regulations do not prescribe how the information is to be provided or consent is to be obtained, other than this should be as user friendly as possible. They envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings. In order to meet the legal requirements, such settings would require, as a minimum, clear communication to the user as to what s/he was being asked to consent to and a means of giving or refusing consent to any information being stored or retrieved. It is particularly important that the requirements are met where so called "third party" or "tracking" cookies are involved – such as when advertising networks collect information about websites visited by users in order to better target advertising ("behavioural advertising"). The Article 29 Working Party in its Opinion 2/2010 has provided advice on how the requirements might be met.
The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users' equipment. The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.
Caller ID is the system that allows phone users to see the number of the person who is calling them. The Regulations set out rules to ensure that the system respects people's privacy rights.
The rules applying to Caller ID can be summarised as follows:
Rights for people making telephone calls
- Telephone subscribers have the right to hide or withhold their number on an 'across the board' basis to ensure that every time they make a call all called persons cannot see their number. This right must be easy to exercise and be free of charge. This is referred to as 'per-line' withholding.
- Where a telephone subscriber has not opted for 'per-line' withholding, they still have a right to withhold their number on an individual call basis so that the called person cannot see it. This right must be easy to exercise and be free of charge. This is referred to as 'per-call' withholding.
Rights for people receiving telephone calls
- People receiving telephone calls have the right to block Caller ID details of incoming calls from being displayed. This function must be available easily and free of charge for reasonable use.
- People receiving telephone calls can prevent their own number from being displayed to people who have called them – i.e. the right to block 'connected line identification.'
- People receiving telephone calls have the right to reject incoming calls by simple means, in cases where the caller has hidden or withheld the Caller ID.
Information giving a user's location - other than traffic data - may only be processed if made anonymous or with the prior consent of the individual to the extent and for the duration necessary for the provision of a value added service
Full information must be given to users and subscribers, prior to obtaining their consent, of the type of location data that will be processed, the purposes and duration of processing and whether the data will be passed to any third party for the purpose of providing the value added service. The user can withdraw the consent given to process location data and must also be given the option - using a simple means and free of charge - of temporarily refusing processing for each connection to the public communications network or for each transmission of a communication. A user must be informed of the means by which they can withdraw their consent.
In certain exceptional circumstances, people's preferences regarding Caller ID and location data may need to be overridden, so that the number and/or location of the person making the call is available to the person receiving the call. These circumstances, provided for in the Regulations, are as follows –
For overriding Caller-ID rules
- Where An Garda Síochána are investigating malicious or nuisance phone calls
For overriding Caller-ID and location data rules
- Where an emergency call is made (by dialling 999 or 112), to enable the emergency services, including law enforcement agencies, to respond to the call.
The Regulations provide that telecommunications companies must inform their subscribers about Caller ID services. The companies are obliged to publish a notice giving these details, and to display the details on their websites. The companies must also provide information, on request, about the circumstances in which the normal Caller ID settings and the withholding of location data can be overridden.
The Regulations contain rules for the publication of telephone directories, to ensure that the privacy of individual subscribers, whether natural persons or otherwise, is safeguarded. The rules are as follows:
Before being included in a directory subscribers are to:
- be informed of the purpose including any embedded search functionality in electronic versions of the directory,
- be given the option of being included or not and
- be able to choose which of their personal details, for example, gender are included.
The Regulations cover the making of unsolicited phone calls and the sending of unsolicited fax messages, e-mail and SMS ("text messages") for direct marketing purposes. The requirements extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.
Varying rules apply to phone, fax, text message and e-mail marketing. The rules are more restrictive in the case of marketing by electronic mail of individuals (natural persons) who are not customers. Unlike in the case of postal marketing, certain restrictions also apply to electronic marketing to businesses and other corporate entities.
If the call is made by automated calling machine or fax the information provided must include the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
The sender of an e-mail or SMS must include in the message their name and a valid address at which they can be contacted including to opt-out of such messages.
A marketing phone call may not be made to the telephone line of an individual subscriber or a business subscriber if (a) the subscriber's telephone line is a mobile phone line and prior consent for such a call was not received, or (b) the subscriber's telephone line is a landline and his/her/its preference not to receive such calls is noted in the National Directory Database.
A marketing phone call may not be made to an individual or business telephone line if s/he/it has previously told the caller that s/he/it does not consent to the receipt of such calls.
The person making a marketing call must include in the call their name and, if applicable, the name of the person on whose behalf the call is made.
An automated calling machine may not be used for the purpose of direct marketing to the line of an individual subscriber unless that individual has previously consented to the receipt of such a communication by this means.
An automated calling machine may not be used for the purpose of direct marketing to the line of a business subscriber if that subscriber has its preference not to receive marketing calls noted in the National Directory Database.
An automated calling machine may not be used for the purpose of direct marketing to the line of a business subscriber if that subscriber has previously indicated to the caller that it does not consent to the receipt of such calls.
Where an automated marketing call is permitted, the name, address and telephone number of the person making the call must be given and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
In practical terms, therefore, once a marketing call made by an automated calling machine is answered by the subscriber or the subscriber's voicemail answering service, the automated calling machine must identify who is making the call and provide their contact details.
A fax for the purpose of direct marketing may not be sent to the line of an individual subscriber unless that individual has previously consented to the receipt of such a communication.
A fax for direct marketing purposes may not be sent to a business fax number if that subscriber has its preference not to receive marketing calls to that number noted in the National Directory Database.
A fax for direct marketing purposes may not be sent to a business fax number if that subscriber has previously indicated to the caller that it does not consent to the receipt of such faxes.
Where a marketing fax communication is permitted, the information provided must include the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
Electronic mail includes text messages (SMS), voice messages, sound messages, image messages, multimedia message (MMS) and email messages.
Where a data controller has obtained contact details in the context of the sale of a product or service, it may only use these details for direct marketing by electronic mail if the following conditions are met:
1. The product or service is of a kind similar to that which was sold to the customer at the time their contact details were obtained
2. When these details were collected, the customer was given the opportunity to object at that time, in an easy manner and without charge, to their use for marketing purposes
3. Each time a marketing message is sent, the customer must be given the right to object to the receipt of further messages
4. The details were collected within the previous 12 months or the subscriber has received a marketing electronic mail within the previous 12 months to which they did not unsubscribe using the cost free means provided to them by the direct marketer
A data controller can also obtain prior opt-in consent from its customers or other individuals to send electronic marketing relating specifically to its own business or services. Each marketing message sent on foot of that consent must contain a means to opt-out and it must identify the sender. Such opt-in consent expires after twelve months unless it is renewed in the interim.
If an individual is not a customer, electronic mail may not be used to send a marketing message to their contact address unless the prior opt-in consent of that individual has been obtained to the receipt of such messages – a consent that can be withdrawn at any time.
Electronic mail may not be used to send a marketing message to a business contact address/number if the subscriber has notified the data controller that they do not consent to the receipt of such communications.
A non-marketing SMS message may not have marketing material "tagged on" unless the recipient has given prior consent to the receipt of such messages. This would apply, for example, to such messages "tagged on" to communications from clubs or societies and information messages from service providers.
The Data Protection Commissioner enforces the data protection aspects of the Regulations, and the Commission for Communications Regulation (ComReg) is responsible for ensuring compliance with some technical and practical elements of implementing the Regulations.
In carrying out his functions, the Commissioner has broadly the same powers of inspection, information gathering and enforcement that he has under the Data Protection Acts.
Failure to comply with certain provisions of the Regulations are criminal offences:
· Data Security and Data Breaches
· Unsolicited Marketing Communications
· Requirements specified in Information and Enforcement Notices issued by the Commissioner
· Requirements imposed by the Commissioner's authorised officers.
The offences attract a fine of up to €5,000 – per message in the case of unsolicited marketing – when prosecuted by the Commissioner in the District Court.
Unsolicited marketing offences may be prosecuted on indictment and attract fines of up to €250,000 in the case of a company and €50,000 in the case of an individual. A data security offence may similarly be prosecuted on indictment and attract the same level of penalty.
» Permanent Link