UK: Electronic Privacy Directive Now in Force

Last Updated: 12 August 2002
Article by Kate Brimsted
  • 1. Introducing the Electronic Privacy Directive
  • 2. The Essentials
  • 3. Case Study
  • 4. Other Data Privacy News
1. Introducing the Electronic Privacy Directive

This Bulletin focuses on the new Electronic Privacy Directive (the Directive for the Protection of Personal Data and Privacy in the E-Communications Sector – 2002/58/EC). This was adopted by the European Council on 25 June 2002 and has just come into force[1]; Member States must implement its provisions into their national laws before 31 October 2003. A copy of the Electronic Privacy Directive can be found here.

As part of the harmonising, European legislative tide, the Electronic Privacy Directive is aimed at bolstering data protection in the electronic communications sphere and replaces the Telecoms Directive[2] in its entirety, while complementing and building upon the Data Protection Directive[3]. The new Directive also introduces protection for subscribers to electronic communications services where those subscribers are legal persons as well as natural persons. The UK Information Commissioner’s Office is reportedly already in discussions with the DTI and OFTEL regarding the implementation of the Directive.

The Electronic Privacy Directive goes further than the updating and adapting referred to in the European Commission’s original July 2000 proposal; it introduces a number of changes, for example, to the regulation of direct marketing via email, which will have important implications for businesses. Some of the key changes are set out below.

[1] The Directive came into force on being published in the Official Journal of the European Communities on 31 July 2002.
[2] The Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector - 97/66/EC.
[3] The Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data - 95/46/EC.

2. The Essentials

The main features

  • Marketing via Electronic Communications
  • Cookies
  • Security
  • Directories
  • Retention of Traffic Data

When does the Directive apply?

The Electronic Privacy Directive builds upon the Data Protection Directive and therefore (broadly) applies to data controllers established in the EEA or using equipment there for processing personal data[4]. Its impact will be felt widely by businesses, ranging from those which process personal data in connection with providing publicly available electronic communications services[5] in public communications networks[6] in the Community to those which merely operate a web site.

[4] Article 4 of the Data Protection Directive.
[5] Electronic communications services consist of ‘the conveyance of signals on electronic communications networks’ usually for remuneration but they exclude services where editorial control is exercised over the content transmitted e.g. broadcasting.
[6] A public telecommunications network is an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services.

How long before businesses have to comply?

Businesses now have at least a 15 month breathing space in which to prepare themselves for compliance. However, based on previous experience of the tardiness of some Union countries, it may be after 31 October 2003 before all Member States have in fact implemented the Directive. After 31 October 2003 businesses should not rely upon their national government’s failure to implement as an absolute defence to non-compliance.

Direct Marketing using "Unsolicited Electronic Communications"

This Directive goes some way towards harmonising the divergent national attitudes currently prevailing across the European Union. For example, at present the UK Information Commissioner recommends opt-in as best practice for direct marketing by email, while recognising that opt-out is lawful for most, non-sensitive situations. 'Opt-in' is used to describe a situation where an individual is assumed not to consent unless s/he takes some positive step to indicate consent. Data protection authorities in Germany and Italy, by way of contrast with the UK, require opt-in for direct marketing.

Once the Directive is implemented, each Union country will require prior, positive consent (i.e. opt-in) for direct marketing via automated calling machines, fax, email and mobile text messaging (e.g. SMS), except in the case of email or mobile text message marketing to existing customers (see below).

In what was intended as a compromise but has turned into something of a legislative ‘fudge’, the new Directive treats direct marketing by email (and also by text message) differently according to whether the intended recipient is an existing customer or a new one. For existing customers, a modified opt-out system applies in relation to sending them direct marketing emails, provided that five conditions are met:

  1. the existing customer's email address has been obtained from that customer in the course of a sale of a product or service;
  2. the email address was obtained in compliance with the Data Protection Directive;
  3. the direct marketing relates to products or services of a similar category;
  4. the direct marketing is by the same entity as that which made the original sale/s; and
  5. the existing customer must be able to opt-out (free of charge) from receiving such emails at the time when the email address is collected and on the occasion of each message.

The same arrangement applies to the collection of mobile telephone numbers for mobile text messaging direct marketing.

If the recipient is not an existing customer, the use of email or mobile text messages for direct marketing will only be permitted if the recipient has given prior consent (i.e. an opt-in system).


The practice of spamming - the bulk sending of unsolicited marketing emails - is already regulated by a number of measures under European law. In addition to the direct marketing measures discussed above, the new Directive makes false identity/anonymous spamming unlawful, although enforcing this ban will, of course, be quite a different matter.

A large proportion of spam received in Europe originates from outside the EEA and is sent in such a way that it is untraceable. The Electronic Privacy Directive will have no effect on such practices originating from outside the EEA, since the new Directive, like the Data Protection Directive, broadly only applies to data controllers established in the EEA or using equipment in the EEA for processing personal data. In answer to the question “will this Directive reduce the quantity of spam cluttering up our in-boxes every day?” the answer is “probably not”.


A cookie is another marketing tool, comprising a small text file containing a unique identifier assigned by a web site and deposited on the hard drive of the web site visitor’s computer when the particular web site is accessed. Its purpose is to enable the web site to ‘recognise’ a repeat visitor by linking the cookie to information the web site has collected about the user’s previous visits. Most web sites use cookies to monitor web site use and tailor users’ experience of the site, for example, by making it unnecessary to re-enter information provided during a previous visit. (Click here for our April Bulletin, which discussed cookies in greater detail).

Under the new Directive, cookies are permitted on an opt-out basis provided that the recipient of the cookie is provided with clear and comprehensive information in line with the earlier Data Protection Directive. The information provided must include details of the purposes for which the information collected via the cookie will be processed. Recipients must also be given an opportunity to opt-out of receiving cookies.

Recital 25 of the new Directive provides the following points of guidance:

  • Information and the right to refuse may be offered once for the use of various devices (e.g. cookies) to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections;
  • The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible; and
  • Access to specific web site content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose (stated to include: analysing the effectiveness of web site design and advertising and verifying the identity of users engaged in online transactions).


The security provisions of the now replaced Telecoms Directive can now be found in the Electronic Privacy Directive. However, there is now an additional obligation on providers of publicly available electronic communications services to inform users if there is a security risk to the network where that security risk lies outside the scope of the provider’s security measures. Service providers must also inform users of any possible remedies, including an indication of any likely costs. This requirement to inform does not discharge a service provider’s obligation to take immediate, appropriate action to remedy any new, unforeseen risks at its own cost in order to restore the normal security level of the network.


At present, individuals are automatically included in public directories, but are provided with the opportunity to opt-out of such inclusion. Once the Directive is implemented, individuals will have to be informed, free of charge and before they are included in any public directory, of the purpose(s) of the directory and any further, future usage possibilities based on search functions embedded in electronic versions of the directory. Reverse search functions may therefore still be permissible. Individuals must be given the opportunity to opt-out in respect of some, or all, of their data being included in the directory.

Traffic data

Under the new Directive, traffic and billing data should be erased or anonymised by electronic communications service providers upon termination of a communication except to the extent that such data are:

  • necessary for the purposes of billing (until the end of the period during which the bill can be lawfully challenged or payment pursued);
  • necessary for the purposes of marketing the service provider’s own services, provided that prior consent has been obtained from the subscriber; or
  • necessary for the purposes of complying with Member State legislation which restricts the privacy protections provided under the Electronic Privacy Directive in accordance with the provisions of Article 15.

What are the main implications for businesses?

Businesses offering electronic communications services (for example, real-time chat room facilities, email accounts, etc.) will have to comply with the more onerous security provisions and amend their general terms and conditions of use to include the appropriate information.

Another clear development is that the drafting of fair obtaining notices will become even more of an art in the future. The fair obtaining notice should:

  • Identify the data controller or his representative;
  • Describe the purposes of the processing (where applicable, it will be necessary to include marketing as one of the purposes);
  • Provide any other additional information which is necessary in the circumstances in order to make the processing fair in those particular circumstances. In particular, if the personal data are to be shared with third parties, data subjects should be informed of that fact.

Direct marketing via email (and mobile text messaging) to new customers will have to be on the basis of informed, prior, positive consent i.e. opt-in. As far as direct marketing via email or mobile text message to existing customers is concerned, where the customers’ information has been validly collected through the opt-out method, then, subject to the conditions set out above, it will be permissible to continue to market to them in this way. Whether new or existing customers, the “fair and lawful” processing requirements set out in the Data Protection Directive must be complied with. Following the new Directive, in order to obtain clear consent to market via email, it is recommended that a fair obtaining notice is employed at the time the data are collected.

Web sites using cookies must ensure that the site’s privacy policy or terms and conditions contain sufficient information in order to comply with the new information requirements. In particular, the user should be provided with information as to which data are collected through the site, by whom, what will be done with the data, how long they will be kept, how they will be processed and how to disable cookies temporarily.

Marketers must balance their desire for maximum flexibility for future processing opportunities against the risk of invalidating the collection of the data by insufficiently clear and precise notices: in other words, the marketing/data protection tension continues.

3. Case Study: Bliss Records and Banner Advertising

In our April Bulletin we introduced the (fictitious) UK business, Bliss Records Ltd. We thought readers might once again find it helpful if we illustrated some of the likely effects of the Electronic Privacy Directive by reference to a hypothetical case study.

Bliss continues to operate a successful on-line book, CD and DVD store via its corporate web site. Its customers enjoy the personalised shopping experience they encounter, thanks to Bliss’s effective use of cookies. In addition to sales income, it receives a moderate advertising revenue from its sister company, Joy Hi-Fi Ltd, which places banner adverts on the Bliss web site.

Currently, the web site sends a Bliss cookie to the computer of each new visitor to the Bliss web site. Joy also sends a cookie to new visitors to Bliss’s site.

Visitors to the site are required to register with Bliss prior to making a purchase. As well as name, postal address and payment details (the last collected over an encrypted link), Bliss requests the user’s email address, telephone number, mobile telephone number and fax number. The online registration form states at the bottom:

“We would like to use the details you have provided to contact you to tell you about special book, CD or DVD offers we think may be of interest to you.

Please contact me by telephone [ ], by mobile text message [ ]. Please send me information by fax [ ] [please put a cross in the boxes if you agree].

We would like to send you information by post. If you would prefer us not to, please put a cross in this box [ ].

We would like to send you information by email. If you would prefer us not to, please put a cross in this box [ ].

We would like to share your details with our sister company, Joy Hi-Fi Ltd, to allow it to contact you with information about its products which may be of interest. If you would prefer us not to share your details with Joy Hi-Fi, please put a cross in this box [ ].”

Bliss follows the UK Information Commissioner’s current best practice recommendation on cookies by explaining on its home page, firstly, that it uses cookies to enhance the visitor’s experience and, secondly, that Joy Hi-Fi collects information about visitors using its own cookies.

Note that for the purposes of this case study we have assumed that the products sold by Bliss are such that no sensitive personal data (which require explicit consent to process under the Data Protection Act 1998) will be collected by Bliss at the registration stage[7].

On the basis of the consents obtained, Bliss flags the customer records in its database and acts accordingly. So far, Bliss has been sending out direct marketing information by email to those customers who have not opted out. Joy has also been sending emails to Bliss customers who have not opted out of being contacted by Joy.

Generally, Bliss is in a good position to meet the demands of the new Directive. Provided the UK legislation implementing the Directive does not adopt a more restrictive approach than in the Directive, Bliss will need to act as follows. For the purposes of marketing by email and mobile text messaging, Bliss must distinguish between its (then) existing customers and new ones. ‘Customer’ in the new Directive means more than a mere visitor to Bliss’s web site: customers must have provided their data in the process of buying a product or service. Existing customers who have not opted out may continue to be sent direct marketing via email and/or mobile text messaging by Bliss, provided that (1) the offers Bliss promotes relate to similar goods/services and (2) Bliss allows customers an opportunity to opt-out each time it sends a marketing email or text.

Joy, on the other hand, will not be able to continue direct marketing even those existing customers of Bliss who had not opted out from being contacted by Joy (unless, of course, they are also customers of Joy); a positive opt-in must be obtained in order for Joy to be able to direct market Bliss customers, both existing and future.

Another way in which the web site must adapt is to allow visitors to opt-out of receiving cookies and also by providing a clear and user-friendly way of achieving this. Bliss should revisit the information currently on its home page and consider whether this goes far enough to inform visitors about cookies. Due to the importance of cookies to Bliss’s online business, Bliss may want to consider making use of its online ordering service conditional on the acceptance of a cookie by the user; it will be entitled to do so under the new Directive.

[7] In our April Bulletin we explained that customers' choice of books, CDs, etc., could include sensitive personal data.

4. Other Data Privacy News

Richard Thomas has been appointed as the next Information Commissioner. He is expected to take on the role in December 2002 when the current Information Commissioner, Elizabeth France, starts in her new post as Telecoms Ombudsman.

The Information Commissioner’s Annual Report for 2001-2 was published on 10 July and is available from the Office of the Information Commissioner’s web site – to view a copy, click here and go to ‘Annual Reports’. As well as statistics on prosecutions and enforcement of the Data Protection Act 1998 during the last 12 months, the report also outlines the Office’s policy aims for the next year. In particular, the Commissioner would like to see a change in the law to enable her office to prosecute those who knowingly or recklessly commit criminal offences under the Act, and cause significant detriment in doing so, without the need to go down the enforcement notice route.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.
