The Privacy and Electronic Communications (EC Directive) Regulations 2003
Made: 18th September 2003
Laid before Parliament: 18th September 2003
Coming into force: 11th December 2003
The Secretary of State, being a Minister designated[1] for the purposes of section 2(2) of the European Communities Act 1972[2] in respect of matters relating to electronic communications, in exercise of the powers conferred upon her by that section, hereby makes the following Regulations:
These Regulations may be cited as the Privacy and Electronic Communications (EC Directive) Regulations 2003 and shall come into force on 11th December 2003.
"bill" includes an invoice, account, statement or other document of similar character and "billing" shall be construed accordingly;
"call" means a connection established by means of a telephone service available to the public allowing two-way communication in real time;
"communication" means any information exchanged or conveyed between a finite number of parties by means of a public electronic communications service, but does not include information conveyed as part of a programme service, except to the extent that such information can be related to the identifiable subscriber or user receiving the information;
"communications provider" has the meaning given by section 405 of the Communications Act 2003[3];
"corporate subscriber" means a subscriber who is -
(a)
a company within the meaning of section 735(1) of the Companies Act 1985[4];
(b)
a company incorporated in pursuance of a royal charter or letters patent;
(c)
a partnership in Scotland;
(d)
a corporation sole; or
(e)
any other body corporate or entity which is a legal person distinct from its members;
"the Directive" means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)[5];
"electronic communications network" has the meaning given by section 32 of the Communications Act 2003[6];
"electronic communications service" has the meaning given by section 32 of the Communications Act 2003;
"electronic mail" means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service;
"enactment" includes an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament;
"individual" means a living individual and includes an unincorporated body of such individuals;
"the Information Commissioner" and "the Commissioner" both mean the Commissioner appointed under section 6 of the Data Protection Act 1998[7];
"information society service" has the meaning given in regulation 2(1) of the Electronic Commerce (EC Directive) Regulations 2002[8];
"location data" means any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to -
(f)
the latitude, longitude or altitude of the terminal equipment;
(g)
the direction of travel of the user; or
(h)
the time the location information was recorded;
"OFCOM" means the Office of Communications as established by section 1 of the Office of Communications Act 2002[9];
"programme service" has the meaning given in section 201 of the Broadcasting Act 1990[10];
"public communications provider" means a provider of a public electronic communications network or a public electronic communications service;
"public electronic communications network" has the meaning given in section 151 of the Communications Act 2003[11];
"public electronic communications service" has the meaning given in section 151 of the Communications Act 2003;
"subscriber" means a person who is a party to a contract with a provider of public electronic communications services for the supply of such services;
"traffic data" means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;
"user" means any individual using a public electronic communications service; and
"value added service" means any service which requires the processing of traffic data or location data beyond that which is necessary for the transmission of a communication or the billing in respect of that communication.
(2)
Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act.
(3)
Expressions used in these Regulations that are not defined in paragraph (1) or the Data Protection Act 1998 and are defined in the Directive shall have the same meaning as in the Directive.
(4)
Any reference in these Regulations to a line shall, without prejudice to paragraph (3), be construed as including a reference to anything that performs the function of a line, and "connected", in relation to a line, is to be construed accordingly.
3- Revocation of the Telecommunications (Data Protection and Privacy) Regulations 1999
The Telecommunications (Data Protection and Privacy) Regulations 1999[12] and the Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000[13] are hereby revoked.
Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act 1998 in relation to the processing of personal data.
Subject to paragraph (2), a provider of a public electronic communications service ("the service provider") shall take appropriate technical and organisational measures to safeguard the security of that service.
(2)
If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.
(3)
Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of -
(a)
the nature of that risk;
(b)
any appropriate measures that the subscriber may take to safeguard against that risk; and
(c)
the likely costs to the subscriber involved in the taking of such measures.
(4)
For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to -
(a)
the state of technological developments, and
(b)
the cost of implementing it,
it is proportionate to the risks against which it would safeguard.
(5)
Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.
Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2)
The requirements are that the subscriber or user of that terminal equipment -
(a)
is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b)
is given the opportunity to refuse the storage of or access to that information.
(3)
Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(4)
Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a)
for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
(b)
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Subject to paragraphs (2) and (3), traffic data relating to subscribers or users which are processed and stored by a public communications provider shall, when no longer required for the purpose of the transmission of a communication, be -
(a)
erased;
(b)
in the case of an individual, modified so that they cease to constitute personal data of that subscriber or user; or
(c)
in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that subscriber was an individual.
(2)
Traffic data held by a public communications provider for purposes connected with the payment of charges by a subscriber or in respect of interconnection payments may be processed and stored by that provider until the time specified in paragraph (5).
(3)
Traffic data relating to a subscriber or user may be processed and stored by a provider of a public electronic communications service if -
(a)
such processing and storage are for the purpose of marketing electronic communications services, or for the provision of value added services to that subscriber or user; and
(b)
the subscriber or user to whom the traffic data relate has given his consent to such processing or storage; and
(c)
such processing and storage are undertaken only for the duration necessary for the purposes specified in subparagraph (a).
(4)
Where a user or subscriber has given his consent in accordance with paragraph (3), he shall be able to withdraw it at any time.
(5)
The time referred to in paragraph (2) is the end of the period during which legal proceedings may be brought in respect of payments due or alleged to be due or, where such proceedings are brought within that period, the time when those proceedings are finally determined.
(6)
Legal proceedings shall not be taken to be finally determined -
(a)
until the conclusion of the ordinary period during which an appeal may be brought by either party (excluding any possibility of an extension of that period, whether by order of a court or otherwise), if no appeal is brought within that period; or
(b)
if an appeal is brought, until the conclusion of that appeal.
(7)
References in paragraph (6) to an appeal include references to an application for permission to appeal.
8- Further provisions relating to the processing of traffic data under regulation 7
(1)
Processing of traffic data in accordance with regulation 7(2) or (3) shall not be undertaken by a public communications provider unless the subscriber or user to whom the data relate has been provided with information regarding the types of traffic data which are to be processed and the duration of such processing and, in the case of processing in accordance with regulation 7(3), he has been provided with that information before his consent has been obtained.
(2)
Processing of traffic data in accordance with regulation 7 shall be restricted to what is required for the purposes of one or more of the activities listed in paragraph (3) and shall be carried out only by the public communications provider or by a person acting under his authority.
(3)
The activities referred to in paragraph (2) are activities relating to -
(a)
the management of billing or traffic;
(b)
customer enquiries;
(c)
the prevention or detection of fraud;
(d)
the marketing of electronic communications services; or
(e)
the provision of a value added service.
(4)
Nothing in these Regulations shall prevent the furnishing of traffic data to a person who is a competent authority for the purposes of any provision relating to the settling of disputes (by way of legal proceedings or otherwise) which is contained in, or made by virtue of, any enactment.
At the request of a subscriber, a provider of a public electronic communications service shall provide that subscriber with bills that are not itemised.
(2)
OFCOM shall have a duty, when exercising their functions under Chapter 1 of Part 2 of the Communications Act 2003, to have regard to the need to reconcile the rights of subscribers receiving itemised bills with the rights to privacy of calling users and called subscribers, including the need for sufficient alternative privacy-enhancing methods of communications or payments to be available to such users and subscribers.
This regulation applies, subject to regulations 15 and 16, to outgoing calls where a facility enabling the presentation of calling line identification is available.
(2)
The provider of a public electronic communications service shall provide users originating a call by means of that service with a simple means to prevent presentation of the identity of the calling line on the connected line as respects that call.
(3)
The provider of a public electronic communications service shall provide subscribers to the service, as respects their line and all calls originating from that line, with a simple means of preventing presentation of the identity of that subscriber's line on any connected line.
(4)
The measures to be provided under paragraphs (2) and (3) shall be provided free of charge.
11- Prevention of calling or connected line identification - incoming calls
(1)
This regulation applies to incoming calls.
(2)
Where a facility enabling the presentation of calling line identification is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means to prevent, free of charge for reasonable use of the facility, presentation of the identity of the calling line on the connected line.
(3)
Where a facility enabling the presentation of calling line identification prior to the call being established is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber.
(4)
Where a facility enabling the presentation of connected line identification is available, the provider of a public electronic communications service shall provide the called subscriber with a simple means to prevent, without charge, presentation of the identity of the connected line on any calling line.
(5)
In this regulation "called subscriber" means the subscriber receiving a call by means of the service in question whose line is the called line (whether or not it is also the connected line).
Where a provider of a public electronic communications service provides facilities for calling or connected line identification, he shall provide information to the public regarding the availability of such facilities, including information regarding the options to be made available for the purposes of regulations 10 and 11.
For the purposes of regulations 10 and 11, a communications provider shall comply with any reasonable requests made by the provider of the public electronic communications service by means of which facilities for calling or connected line identification are provided.
This regulation shall not apply to the processing of traffic data.
(2)
Location data relating to a user or subscriber of a public electronic communications network or a public electronic communications service may only be processed -
(a)
where that user or subscriber cannot be identified from such data; or
(b)
where necessary for the provision of a value added service, with the consent of that user or subscriber.
(3)
Prior to obtaining the consent of the user or subscriber under paragraph (2)(b), the public communications provider in question must provide the following information to the user or subscriber to whom the data relate -
(a)
the types of location data that will be processed;
(b)
the purposes and duration of the processing of those data; and
(c)
whether the data will be transmitted to a third party for the purpose of providing the value added service.
(4)
A user or subscriber who has given his consent to the processing of data under paragraph (2)(b) shall -
(a)
be able to withdraw such consent at any time, and
(b)
in respect of each connection to the public electronic communications network in question or each transmission of a communication, be given the opportunity to withdraw such consent, using a simple means and free of charge.
(5)
Processing of location data in accordance with this regulation shall -
(a)
only be carried out by -
(i)
the public communications provider in question;
(ii)
the third party providing the value added service in question; or
(iii)
a person acting under the authority of a person falling within (i) or (ii); and
(b)
where the processing is carried out for the purposes of the provision of a value added service, be restricted to what is necessary for those purposes.
A communications provider may override anything done to prevent the presentation of the identity of a calling line where -
(a)
a subscriber has requested the tracing of malicious or nuisance calls received on his line; and
(b)
the provider is satisfied that such action is necessary and expedient for the purposes of tracing such calls.
(2)
Any term of a contract for the provision of public electronic communications services which relates to such prevention shall have effect subject to the provisions of paragraph (1).
(3)
Nothing in these Regulations shall prevent a communications provider, for the purposes of any action relating to the tracing of malicious or nuisance calls, from storing and making available to a person with a legitimate interest data containing the identity of a calling subscriber which were obtained while paragraph (1) applied.
For the purposes of this regulation, "emergency calls" means calls to either the national emergency call number 999 or the single European emergency call number 112.
(2)
In order to facilitate responses to emergency calls -
(a)
all such calls shall be excluded from the requirements of regulation 10;
(b)
no person shall be entitled to prevent the presentation on the connected line of the identity of the calling line; and
(c)
the restriction on the processing of location data under regulation 14(2) shall be disregarded.
calls originally directed to another line are being automatically forwarded to a subscriber's line as a result of action taken by a third party, and
(b)
the subscriber requests his provider of electronic communications services ("the subscriber's provider") to stop the forwarding of those calls,
the subscriber's provider shall ensure, free of charge, that the forwarding is stopped without any avoidable delay.
(2)
For the purposes of paragraph (1), every other communications provider shall comply with any reasonable requests made by the subscriber's provider to assist in the prevention of that forwarding.
This regulation applies in relation to a directory of subscribers, whether in printed or electronic form, which is made available to members of the public or a section of the public, including by means of a directory enquiry service.
(2)
The personal data of an individual subscriber shall not be included in a directory unless that subscriber has, free of charge, been -
(a)
informed by the collector of the personal data of the purposes of the directory in which his personal data are to be included, and
(b)
given the opportunity to determine whether such of his personal data as are considered relevant by the producer of the directory should be included in the directory.
(3)
Where personal data of an individual subscriber are to be included in a directory with facilities which enable users of that directory to obtain access to that data solely on the basis of a telephone number -
(a)
the information to be provided under paragraph (2)(a) shall include information about those facilities; and
(b)
for the purposes of paragraph (2)(b), the express consent of the subscriber to the inclusion of his data in a directory with such facilities must be obtained.
(4)
Data relating to a corporate subscriber shall not be included in a directory where that subscriber has advised the producer of the directory that it does not want its data to be included in that directory.
(5)
Where the data of an individual subscriber have been included in a directory, that subscriber shall, without charge, be able to verify, correct or withdraw those data at any time.
(6)
Where a request has been made under paragraph (5) for data to be withdrawn from or corrected in a directory, that request shall be treated as having no application in relation to an edition of a directory that was produced before the producer of the directory received the request.
(7)
For the purposes of paragraph (6), an edition of a directory which is revised after it was first produced shall be treated as a new edition.
(8)
In this regulation, "telephone number" has the same meaning as in section 56(5) of the Communications Act 2003[14] but does not include any number which is used as an internet domain name, an internet address or an address or identifier incorporating either an internet domain name or an internet address, including an electronic mail address.
A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system except in the circumstances referred to in paragraph (2).
(2)
Those circumstances are where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.
(3)
A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4)
For the purposes of this regulation, an automated calling system is a system which is capable of -
(a)
automatically initiating a sequence of calls to more than one destination in accordance with instructions stored in that system; and
(b)
transmitting sounds which are not live speech for reception by persons at some or all of the destinations so called.
A person shall neither transmit, nor instigate the transmission of, unsolicited communications for direct marketing purposes by means of a facsimile machine where the called line is that of -
(a)
an individual subscriber, except in the circumstances referred to in paragraph (2);
(b)
a corporate subscriber who has previously notified the caller that such communications should not be sent on that line; or
(c)
a subscriber and the number allocated to that line is listed in the register kept under regulation 25.
(2)
The circumstances referred to in paragraph (1)(a) are that the individual subscriber has previously notified the caller that he consents for the time being to such communications being sent by, or at the instigation of, the caller.
(3)
A subscriber shall not permit his line to be used in contravention of paragraph (1).
(4)
A person shall not be held to have contravened paragraph (1)(c) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the communication is made.
(5)
Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 25 has notified a caller that he does not, for the time being, object to such communications being sent on that line by that caller, such communications may be sent by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.
(6)
Where a subscriber has given a caller notification pursuant to paragraph (5) in relation to a line of his -
(a)
the subscriber shall be free to withdraw that notification at any time, and
(b)
where such notification is withdrawn, the caller shall not send such communications on that line.
(7)
The provisions of this regulation are without prejudice to the provisions of regulation 19.