Guidance Note on Data Protection in the Electronic Communications Sector
This guidance is also available in pdf format.
Special data protection rules apply to the protection of personal data by data controllers in the electronic communications sector. These are in addition to the general obligations that apply to all data controllers under the Data Protection Acts. Obligations also arise for entities acting on behalf of data controllers in this sector.
The additional obligations are in the areas of data security (including data breaches), marketing, data retention and data disclosure. Failure to comply with these obligations can lead to severe criminal penalties.
The rules are contained in the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations, 2011. These Regulations give effect to the European Union's ePrivacy Directives (1).
The Regulations apply directly to electronic communications companies (telecommunications companies & internet services providers) and to any entity using such communications and electronic communications networks to communicate with customers, e.g. by telephone, via a website or over email, etc.
The Regulations make more explicit the general requirement under the Data Protection Acts to keep personal data safe and secure. Data controllers in the electronic communications sector must give effect to a specific security policy which protects personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure of personal data; ensure that personal data can only be accessed by authorised personnel for legally authorised purposes; and provide information to subscribers on any particular risk of a breach of the security of [a] public communications network.
The general effect of the Regulations is to make the provisions of the existing Code of Practice legally binding in the electronic communications sector. In addition, the Regulations provide that all breaches in this sector be reported to the Office of the Data Protection Commissioner.
The Regulations provide that "traffic data" – details of the calls, emails, text messages, fax messages, internet access via an IP address made by subscribers (excluding content) – may only be retained by the service provider for as long as necessary to enable bills and telecommunications providers interconnect payments to be settled and to meet specific legal requirements.
In applying this rule in practice, electronic communications service providers should be mindful of the strong privacy impact of logging such details. They should only store such privacy-sensitive data for a limited period to enable routine billing queries to be addressed, to satisfy the obligations in interconnect agreements and to meet legal requirements (notably the retention obligations set out in the Communications (Retention of Data) Act 2011.
Details of traffic data relating to subscribers should not routinely be kept for longer periods. However, it is permissible to retain such data for longer periods if –
- the particular subscriber has queried his or her bill, and the data need to be retained to enable the query or dispute to be resolved
- there is some other legitimate reason to believe that a query or dispute is likely to arise in a particular case
Subscribers also have the right not to receive detailed itemised bills, if they wish, as an extra step to safeguard their privacy.
Prior consent is required if a service provider wishes to use traffic data for the purpose of marketing its own electronic communication services or for the provision of value added services. The subscriber must be informed in advance of the types of traffic data to be used, how long it will be used for and be given the possibility to withdraw at any time the consent they may have given for the use of their traffic data. A user must be informed of the means by which they can withdraw their consent.
ConsentThe consent of the user must be captured.Consent may be obtained explicitly through the use of an opt-in check box which the user can tick if they agree to accept cookies.
Not all cookies require consent to be used. These are cookies essential to delivering the service requested by the user - session cookies, authentication cookies (for the duration of the session,) and user security cookies. For example, for storage of items in a shopping cart on an online website advance consent will not be required. This will generally be the case where the cookie is stored only for as long as the "session" is live and will be deleted at the end of the session.
NotificationAs best practice, a positive action may be deployed to dismiss the notification.
[Note: many websites have addressed this issue by providing a 'hide' button which dismisses the notification.]
- Consent should be sought as part of a "prominent notification" displayed on entry to a web site (this might be the home page of the site but may also be via a 'deep link' to an inner page, which a user has found from a search result, for example).
As best practice, the following information could also be provided in the Cookie Statement:
- The Cookie Statement should contain clear and comprehensive information on how cookies are used, including information on the types of cookies used and details on how to remove them
- Clear and comprehensive information
- Itemised cookie types, including their purpose e.g. preferences such as language or, font, browsing & search history, tracking, session security and any third party cookies
- Instructions on how to disable the cookies.
Third Party CookiesWhere third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners) we recommend the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:
- A description of their purpose
- Their expiry dates
- Links to advertising networks' opt-out mechanisms for third party cookies
Note: A mock web page based on this guidance can be viewed via this link (PDF - 400Kb)
Caller ID is the system that allows phone users to see the number of the person who is calling them. The Regulations set out rules to ensure that the system respects people's privacy rights.
The rules applying to Caller ID can be summarised as follows:
Rights for people making telephone calls
- Telephone subscribers have the right to hide or withhold their number on an 'across the board' basis to ensure that every time they make a call all called persons cannot see their number. This right must be easy to exercise and be free of charge. This is referred to as 'per-line' withholding.
- Where a telephone subscriber has not opted for 'per-line' withholding, they still have a right to withhold their number on an individual call basis so that the called person cannot see it. This right must be easy to exercise and be free of charge. This is referred to as 'per-call' withholding.
Rights for people receiving telephone calls
- People receiving telephone calls have the right to block Caller ID details of incoming calls from being displayed. This function must be available easily and free of charge for reasonable use.
- People receiving telephone calls can prevent their own number from being displayed to people who have called them – i.e. the right to block 'connected line identification.'
- People receiving telephone calls have the right to reject incoming calls by simple means, in cases where the caller has hidden or withheld the Caller ID.
The Regulations cover the making of unsolicited phone calls and the sending of unsolicited fax messages, e-mail and SMS ("text messages") for direct marketing purposes. The requirements extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.
Varying rules apply to phone, fax, text message and e-mail marketing. The rules are more restrictive in the case of marketing by electronic mail of individuals (natural persons) who are not customers. Unlike in the case of postal marketing, certain restrictions also apply to electronic marketing to businesses and other corporate entities.
If the call is made by automated calling machine or fax the information provided must include the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
The sender of an e-mail or SMS must include in the message their name and a valid address at which they can be contacted including to opt-out of such messages.
A marketing phone call may not be made to the telephone line of an individual subscriber or a business subscriber if (a) the subscriber's telephone line is a mobile phone line and prior consent for such a call was not received, or (b) the subscriber's telephone line is a landline and his/her/its preference not to receive such calls is noted in the National Directory Database.
A marketing phone call may not be made to an individual or business telephone line if s/he/it has previously told the caller that s/he/it does not consent to the receipt of such calls.
The person making a marketing call must include in the call their name and, if applicable, the name of the person on whose behalf the call is made.
An automated calling machine may not be used for the purpose of direct marketing to the line of an individual subscriber unless that individual has previously consented to the receipt of such a communication by this means.
An automated calling machine may not be used for the purpose of direct marketing to the line of a business subscriber if that subscriber has its preference not to receive marketing calls noted in the National Directory Database.
An automated calling machine may not be used for the purpose of direct marketing to the line of a business subscriber if that subscriber has previously indicated to the caller that it does not consent to the receipt of such calls.
Where an automated marketing call is permitted, the name, address and telephone number of the person making the call must be given and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
In practical terms, therefore, once a marketing call made by an automated calling machine is answered by the subscriber or the subscriber's voicemail answering service, the automated calling machine must identify who is making the call and provide their contact details.
A fax for the purpose of direct marketing may not be sent to the line of an individual subscriber unless that individual has previously consented to the receipt of such a communication.
A fax for direct marketing purposes may not be sent to a business fax number if that subscriber has its preference not to receive marketing calls to that number noted in the National Directory Database.
A fax for direct marketing purposes may not be sent to a business fax number if that subscriber has previously indicated to the caller that it does not consent to the receipt of such faxes.
Where a marketing fax communication is permitted, the information provided must include the name, address and telephone number of the person making the communication and, if applicable, the name, address and telephone number of the person on whose behalf the communication is made.
Electronic mail includes text messages (SMS), voice messages, sound messages, image messages, multimedia message (MMS) and email messages.
Where a data controller has obtained contact details in the context of the sale of a product or service, it may only use these details for direct marketing by electronic mail if the following conditions are met:
1. The product or service is of a kind similar to that which was sold to the customer at the time their contact details were obtained
2. When these details were collected, the customer was given the opportunity to object at that time, in an easy manner and without charge, to their use for marketing purposes
3. Each time a marketing message is sent, the customer must be given the right to object to the receipt of further messages
4. The details were collected within the previous 12 months or the subscriber has received a marketing electronic mail within the previous 12 months to which they did not unsubscribe using the cost free means provided to them by the direct marketer
A data controller can also obtain prior opt-in consent from its customers or other individuals to send electronic marketing relating specifically to its own business or services. Each marketing message sent on foot of that consent must contain a means to opt-out and it must identify the sender. Such opt-in consent expires after twelve months unless it is renewed in the interim.
If an individual is not a customer, electronic mail may not be used to send a marketing message to their contact address unless the prior opt-in consent of that individual has been obtained to the receipt of such messages – a consent that can be withdrawn at any time.
Electronic mail may not be used to send a marketing message to a business contact address/number if the subscriber has notified the data controller that they do not consent to the receipt of such communications.
A non-marketing SMS message may not have marketing material "tagged on" unless the recipient has given prior consent to the receipt of such messages. This would apply, for example, to such messages "tagged on" to communications from clubs or societies and information messages from service providers.
The Data Protection Commissioner enforces the data protection aspects of the Regulations, and the Commission for Communications Regulation (ComReg) is responsible for ensuring compliance with some technical and practical elements of implementing the Regulations.
In carrying out his functions, the Commissioner has broadly the same powers of inspection, information gathering and enforcement that he has under the Data Protection Acts.
Failure to comply with certain provisions of the Regulations are criminal offences:
· Data Security and Data Breaches
· Unsolicited Marketing Communications
· Requirements specified in Information and Enforcement Notices issued by the Commissioner
· Requirements imposed by the Commissioner's authorised officers.
The offences attract a fine of up to €5,000 – per message in the case of unsolicited marketing – when prosecuted by the Commissioner in the District Court.
Unsolicited marketing offences may be prosecuted on indictment and attract fines of up to €250,000 in the case of a company and €50,000 in the case of an individual. A data security offence may similarly be prosecuted on indictment and attract the same level of penalty.