Information Technology Reference
In-Depth Information
2
Regulatory Responses to Privacy Risks:
The Case of Directive 2002/58
The Directive 97/66/EC concerning the processing of personal data and the protection
of privacy in the telecommunications sector applied the general principles established
by the general data protection Directive (D 95/46/EC) to the telecommunications
sector, but the protection provided by this sectoral framework was deemed to be in-
sufficient. Discrepancies of interpretation in relation to the scope of application (ex.
application to the Internet) constituted one major problem. Moreover: The terminol-
ogy used was appropriate for traditional fixed telephony services but less for the new
online environment and the new services that have become available and affordable
for a wide public. The new “Electronic Communications Privacy Directive” (2002/58
EC) broadens the special protection afforded to all mobile, satellite and cable net-
works. New definitions ensure that all different types of transmission services for
electronic communications are covered. The purpose of the new framework was to
ensure that data protection rules in the communications sector are technologically
neutral and robust. The Directive 2002/58/EC imposes heavier duties on all service. It
seeks to respect the fundamental rights recognised by the Charter of Fundamental
Rights of the European Union (Art. 7 and 8).
Another aspect of great importance for the new Directive is the inclusion of defini-
tion and regulation of “traffic data”, defined as “any data processed for the purpose of
the conveyance of a communication on an electronic communications network or for
the billing thereof” (Art. 2b), i.e. those of traditional circuit switched telephony as
well as packet switched Internet transmission. Data referring to the routing, duration,
time or volume of a communication, to the protocol used, to the location of the termi-
nal equipment of the sender or recipient, to the network on which the communication
originates or terminates, to the beginning, end or duration of a connection or to the
format used are also enclosed. (Recital 15). While the content of communications is
already recognized as deserving protection under constitutional law, traffic data were
(and in many countries mostly still are) considered as “external elements of commu-
nication”, even if they reflect a level of interaction between the individual and the
environment that rests on similar grounds like the “message” itself. Traffic data are
transactional and interactive with the intents, interests and lifestyle of the user. To this
effect the distinction between traffic data (which are potentially “personal data”) and
content is not however easy to apply in the context of the Internet and certainly not
when referring to surfing. [2][11] Surfing through different sites should be seen as a
form of communication and as such should be covered by the scope of application of
rules guaranteeing confidentiality [3]. The provision of the recent directive has led to
a big improvement on the principle of confidentiality and anonymity be extending the
scope of Art. 5 to include not just the content of the communication but also the re-
lated traffic data. The processing of traffic data is admissible also for the provision of
electronic communication and networks, the detection of failure, errors as well as
unauthorized use of the communication system (Art. 15). However the European
directive adopts the principle of “data austerity”: systems for the provision of elec-
tronic communications networks and services should be designed in a way “to limit
the amount of personal data necessary to a strict minimum” (Recital 30). Furthermore
the routine retention of traffic data for purposes varying from national security to law
enforcement, allowed through Art. 15, could conflict with the proportionality, fair use
