European Parliament, Directive on Privacy and Electronic Communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector), Off. J.L. 201, 31.7.2002, at 37 (July 12, 2002) (full-text) (also known as the "ePrivacy Directive").
The Directive was adopted in 2002 as a complement to the existing Framework Data Protection Directive (1997/66/EC). It formed part of the "Telecoms Package," a legislative framework designed to regulate the electronic communications sector and amend the existing regulations governing the telecommunications sector.
The Directive reinforces the EU principle that all Member States must ensure the confidentiality of communications made over public communications networks and the personal and private data inherent in those communications. It deals with communications over publicly available electronic communications networks and services and covers e-mail, fax, SMS, MMS, cellphones and the Internet. It contains specific rules on the processing of personal data and the protection of privacy in the electronic communications sectors, and regulates areas such as confidentiality, billing and traffic data, rules on spam/unsolicited commercial communications, cookies, etc.
- Opt-in approach: businesses must gain prior consent before sending unsolicited emails for direct marketing. This consent must be explicitly given, except where there is an existing customer relationship.
- Technology-neutral definition of spam: it also covers SMS, MMS, etc.
The Directive mandates that websites provide information about their data collection practices and must enable users to opt out of having information stored in their browser, except as "strictly necessary" to provide service "explicitly requested" by the user. In practice the Directive has had little effect. Member States have not taken any measures to enforce compliance, and in many cases they have treated browser cookie settings as adequate implementation.
All EU countries were supposed to incorporate the Directive into their national law by October 31, 2003.
This Directive has been amended twice since it was enacted:
- Directive 2006/24/EC, OJ L 105, 13.4.2006, at 54 (Mar. 15, 2006) (full-text).
- Directive 2009/136/EC, OJ L 337, 18.12.2009, at 11 (Nov. 15, 2009) (full-text).
A 2009 amendment replaced the opt-out rule with an opt-in consent rule. Member State implementations have varied. Some Member States have suggested existing browser settings would remain adequate, since they conveyed "implicit consent." The majority view, however, is to require explicit, affirmative consent for each website.
“The ePrivacy Directive . . . has shown to be a valuable asset in the protection of privacy in the online context, although its scope is fairly limited (mainly telecoms confidentiality and protection against unsolicited messages/spam). The ePrivacy Directive sufficiently covers the most prominent type of spam, although the rules are somewhat complex and do not cover all other types of unsolicited messages (e.g., instant messaging spam and spam through Bluetooth devices). However, because any further strengthening of the anti-spam rules risks to affect the wrong parties (bona fide companies) while leaving the real spam culprits untouched, the enforcement of the current anti-spam rules should be the priority in the short term.”