Intermediaries
Electronic Communications Networks and Services
The E-Privacy Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the State and where relevant the European Union, including public communications networks supporting data collection and identification devices.
In the context of the rules,
- a “data controller” means a person who either alone or with others controls the contents and use of personal data;
- “personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;
- “user” means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
Security of processing
With respect to network security and, in particular, the below requirements, an undertaking providing a publicly available electronic communications network or service shall take appropriate technical and organisational measures to safeguard the security of its services, if necessary, in conjunction with undertakings upon whose networks such services are transmitted. These measures shall ensure the level of security appropriate to the risk presented having regard to the state of the art and the cost of their implementation.
Without prejudice to the Data Protection Acts, the measures shall at least—
- ensure that personal data can be accessed only by authorised personnel for legally authorised purposes,
- protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure, and
- ensure the implementation of a security policy with respect to the processing of personal data.
Security of Processing II
The Commissioner may audit the measures taken by an undertaking providing publicly available electronic communications services and issue recommendations about best practices concerning the level of security which those measures should achieve.
In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electronic communications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to be taken by the relevant service provider, any possible remedies including an indication of the likely costs involved.
An undertaking whose public communications network is used by another undertaking for the supply of a publicly available electronic communications service shall comply with any reasonable request made by the undertaking using the public communications network for the purpose of complying with this Regulation.
Notification of Breach
Where there has been a personal data breach, the undertaking shall, without undue delay—
- notify the Commissioner of the said breach, and
- where the said breach is likely to adversely affect the personal data or privacy of a subscriber or individual, notify the subscriber or individual of the breach.
A notification shall not be required if the undertaking has demonstrated to the satisfaction of the Commissioner that it has implemented appropriate technological protection measures which render the data unintelligible to any person who is not authorised to access it and that those measures were applied to the data affected by the security breach.
Where the undertaking has not notified the subscriber or individual of the personal data breach, the Commissioner may, having considered the likely adverse effects of the breach, require the undertaking to do so by serving an enforcement notice on the undertaking.
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the European Union.
Breach Matters
Undertakings shall maintain an inventory of personal data breaches which shall comprise the following information—
- the facts surrounding the breach,
- the effects of the breach, and
- any remedial action taken,
and shall be sufficient to enable the Commissioner to verify compliance with the below obligations.
Subject to any technical implementing measures adopted by the European Commission under the Directive on privacy and electronic communications, the Data Protection Commissioner may adopt guidelines concerning the circumstances in which undertakings are required to notify personal data breaches, the format of such notification and the manner in which such notification is to be made.
Where necessary the Commissioner may, for this purpose, issue such instructions as he or she considers necessary. The Commissioner may conduct an audit to determine compliance with guidelines and instructions issued.
Confidentiality of Communications
Except where legally authorised under a legislative provision adopted in accordance with the Directive on privacy and electronic communications, the listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, is prohibited.
This does not—
- prevent the technical storage of communications and the related traffic data which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality, and
- affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
Consent of Subscriber Required to Access and Use of Data
A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless the subscriber or user has given his or her consent to that use, and the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which is both prominently displayed and easily accessible, and includes, without limitation, the purposes of the processing of the information.
The methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.
The above prohibition does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
“Consent” by a user or subscriber means a data subject’s consent in accordance with the Data Protection Acts and the Regulations.
Tracking and Location I
Mobile phones are capable of tracking a person’s location by techniques of triangulation, relative to different base stations. Modern 3G phones have sophisticated, effective global positioning system technology. Accordingly, mobile phone providers may track a person’s location.
Location data has been admissible in criminal trials for some time. It is generally permissible by way of a Criminal Evidence Act exception to the hearsay rule, as automatic data produced in the normal course of operation of a reproduction system.
The EU Directive requires that locational and other traffic data relating to subscribers to public communication and electronic communications services may be processed only when they are anonymous or with the consent of the users / subscribers, for the duration necessary for the purpose of provision of a value-added service.
The service provider must inform the users, prior to obtaining consent, of the type of location data other than traffic data which will be processed, the purpose and duration of the processing and whether it is to be transmitted to a third party in the course of providing the service.
Tracking and Location II
The consent of the subscriber is required, but not necessarily the consent of the user, such as an employee. Users have the opportunity to withdraw their consent to the processing of location data other than traffic data at any time. Location data held in other mediums are also subject to the above provisions. Subscribers and users must have the ability to turn off the location function on the device, free of charge, or to temporarily refuse the processing of such data. The employer itself will have obligations in respect of processing of the employees’ data.
The processing of location data must be restricted to persons acting under the authority of the provider of a public communications network or of a third party providing a value-added service. It must be restricted to what is necessary for providing the services. If, for example, it is permissible to allow advertisers to have access, they must be limited in their access to the extent necessary for advertising. Third-party marketing agents / advertisers must have the clear and informed consent of the subscriber or user, under the Privacy and Electronic Communications Directive.
The EU Directive requires that there be transparent procedures in relation to the circumstances in which the operators of a public or electronic communication system may override a temporary denial or absence of consent for the purpose of processing of location data for bodies dealing with emergency calls, such as the police, ambulance, fire and coastal rescue. The Commission has recommended that States draw up rules for network operators on location enhanced emergency call services.
Traffic Data I
Subject to the legislation on the Retention of Data by providers, an undertaking shall ensure that traffic data relating to subscribers and users processed and stored for the purpose of the transmission of a communication shall be erased or made anonymous when it is no longer needed for that purpose.
An undertaking may process traffic data necessary for the purpose of subscriber billing and interconnection payments only up to the end of the period in which the bill may be lawfully challenged and payment pursued or where such proceedings are brought during that period until those proceedings are finally determined. An undertaking shall inform its subscribers of the types of traffic data that are processed and of the duration of such processing.
Legal proceedings shall be deemed, for the purpose of this paragraph, to be finally determined—
- if no appeal is brought within the ordinary time for an appeal by either party to the proceedings, upon the expiry of that time,
- if an appeal is brought within that time or such extended time as the court to which the appeal is brought may allow, upon the date of the determination of the appeal or any further appeal from it or the ordinary time for instituting any further appeal has expired or such other date as may be determined by the court hearing any such appeal, whichever is the latest, or
- if an appeal has been brought and is withdrawn, upon the date of the withdrawal of the appeal.
“Traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof;
“Value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof.
Traffic Data II
An undertaking may process traffic data referred to above for the purpose of marketing electronic communications services or for the provision of value added services to the extent and for the duration necessary for such services or marketing, provided the subscriber or user to whom the data relates has given his or her prior consent in accordance with the GDPR.
Prior to obtaining consent, the undertaking shall inform the subscriber or user of the types of traffic data which are processed and of the duration of such processing. An undertaking shall ensure that users or subscribers are informed of and given the possibility to withdraw their consent for processing of traffic data for the purpose of this paragraph at any time.
An undertaking shall ensure that the processing of traffic data is restricted to persons acting under its authority in accordance with the GDPR, handling billing or traffic management, customer enquiries, fraud detection, the marketing of electronic communication services or providing a value-added service and such processing is restricted to what is necessary for the purpose of such activities.
This does not preclude a court or any other body involved in the settlement of disputes (whether by way of legal proceedings or otherwise) under any enactment from being informed of traffic data for the purpose of settling such disputes, in particular, disputes relating to billing or interconnection.
Itemised billing
An undertaking shall comply with a request of a subscriber to that undertaking to give him or her bills that are not itemised in respect of the electronic communications service supplied by the undertaking to the subscriber.
The Regulator and the Commissioner shall, in the performance of their functions, have regard to the need to reconcile the rights of subscribers to receive itemised bills with the right to privacy of calling users and called subscribers.
Presentation and Restriction of Calling and Connected Line Identification
Where presentation of calling line identification is offered by an undertaking, the undertaking shall—
- offer the calling user the possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification on a per call basis. The undertaking shall offer the calling subscriber this option on a per-line basis,
- offer the called subscriber the possibility, using a simple means and free of charge for reasonable use of this function, of preventing the presentation of the calling line identification of incoming calls, and
- where the calling line identification is presented prior to the call being established, offer the called subscriber the possibility, using simple means, of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber.
Where presentation of connected line identification is offered, the undertaking shall offer the called subscriber the possibility, using a simple means and free of charge, of preventing the presentation of the connected line identification to the calling user.
Location data other than traffic data
No person shall process location data other than traffic data relating to users or subscribers of undertakings unless—
- such data are made anonymous, or
- they have obtained the consent of the users or subscribers in accordance with the GDPR to the extent and for the duration necessary for the provision of a value-added service.
An undertaking, that has not already done so, shall inform its users or subscribers, prior to obtaining their consent under the GDPR, of—
- the type of location data other than traffic data which will be processed,
- the purposes and duration of the processing, and
- whether the data will be transmitted to a third party for the purpose of providing the value-added service.
“Location data” means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.
Consent Re Location Data
An undertaking shall give users or subscribers the possibility to withdraw their consent for the processing of location data other than traffic data at any time by making a request that such processing be stopped.
Where the consent of users or subscribers has been obtained for the processing of location data other than traffic data, an undertaking shall give the user or subscriber the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the public communications network or for each transmission of a communication.
An undertaking shall ensure that the processing of location data other than traffic data in accordance with the above provisions is restricted to persons acting under the authority of the undertaking or of the third party providing the value-added service based on data provided by that undertaking and shall be restricted to what is necessary for the purpose of providing the value-added service.
“Consent” by a user or subscriber means a data subject’s consent in accordance with the Data Protection Acts and the Regulations.
Exceptions
An undertaking that has not already done so shall ensure that a general description is prepared, and available for any person who requests it, of the circumstances in which the undertaking may override—
- the elimination of the presentation of calling line identification in respect of a line, on a temporary basis, following a complaint by a subscriber and investigation by a member of the Garda Síochána of a suspected offence under the Post Office (Amendment) Act 1951, requesting the tracing of malicious or nuisance calls. In such a case, the data containing the identification of the calling subscriber will be stored and will be made available in accordance with the Data Protection Acts and Telecommunications Act 1983 by the undertaking to the Garda Síochána, and
- the elimination of the presentation of calling line identification in respect of a line and the temporary denial or absence of consent of a subscriber or user for the processing of location data on a per-line basis, for calls to the emergency services including law enforcement agencies, ambulance services, fire brigades using the National emergency call number 999 or the single European emergency call number 112 or for the purpose of responding to such calls and bodies dealing with such calls for the purposes of answering them.
Directories of Subscribers I
“National Directory Database” means the record of all subscribers of publicly available telephone services in the State, including those with fixed, personal or mobile numbers, who have not refused to be included in that record, kept in accordance with the Universal Service Regulations and the Regulations;
An undertaking referred to in the Universal Service Regulations (Eircom (now Eir)) shall ensure that all its subscribers are, without charge—
- informed, before they are included in any directory for which the undertaking provides relevant information in accordance with that Regulation and in which their personal data can be included, about the purpose of such a directory and any further usage possibilities based on search functions embedded in electronic versions of that directory,
- given the opportunity to determine whether their personal data are included in that directory, and
- given the opportunity to determine which of their personal data are included in that directory to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory and to verify, correct or withdraw such data.
Directories of Subscribers II
Any other person responsible for the collection and making available of a subscriber’s data for inclusion in any other directory of subscribers shall ensure that the subscribers are, without charge—
- informed, before they are included in any such directory in which their personal data can be included, about the purpose of such a directory and any further usage possibilities based on search functions embedded in electronic versions of the directory,
- given the opportunity to determine whether their personal data are included in that directory, and
- given the opportunity to determine which of their personal data are included in that directory to the extent that such data are relevant for the purpose of the directory as determined by the provider of the directory and to verify, correct or withdraw such data.
The undertaking shall ensure that its subscribers other than natural persons are, without charge, provided with the above information and the opportunities referred to notwithstanding the fact that the data may not be personal data.
Any other person responsible for the collection and making available of data for inclusion in any other directory of subscribers shall ensure that subscribers other than natural persons are, without charge, provided with the above information and the opportunities notwithstanding the fact that the data may not be personal data.
A subscriber may request the undertaking or person to disregard or reverse the effect of a determination previously made by the subscriber to the undertaking.
National Directory Database Operations I
An undertaking referred to in the Universal Service Regulations (now Eir) shall record or cause to be recorded in the National Directory Database the relevant information in respect of a line of any one of its subscribers who—
- is, upon the making of the Regulations, an ex-directory subscriber in respect of that line who, in the absence of any express instructions to the contrary, shall be taken not to consent to unsolicited calls for the purpose of direct marketing or to such calls by means of an automated calling machine or a facsimile machine, or
- had, at any time after the establishment of that Database, made a request to the operator or notified the relevant undertaking that the subscriber does not consent to unsolicited calls for the purpose of direct marketing or to such calls by means of an automated calling machine or a facsimile machine to a line of that subscriber.
National Directory Database Operations II
The undertaking / provider when requested by any one of its subscribers shall make available to the operator (now Eir) the following relevant information in respect of a line of that subscriber to be recorded in the entry in the National Directory Database in relation to that subscriber—the fact that the subscriber does not consent to unsolicited telephone calls for the purpose of direct marketing or to such calls by means of automated calling machines or facsimile machines, and if appropriate, the date on which a notification was received by the operator.
An undertaking shall, as soon as practicable after having been notified that a subscriber does not consent to unsolicited telephone calls for the purpose of direct marketing or to such calls by means of automated calling machines or facsimile machines, transmit particulars of such notification to the operator or other person who publishes a directory to whom the undertaking supplies relevant information relating to its subscribers for inclusion in that directory.
When the operator (now Eir) or other person who publishes a directory receives particulars of a notification, the notification shall be deemed to have been made to the operator or that other person at the time the operator or that other person receives particulars of the notification.
The operator shall record the relevant information in respect of a line of a subscriber in the entry in the National Directory Database in relation to that subscriber when it is made available to the operator.
National Directory Database Operations III
For the purpose of complying with obligations in relation to the persons and entities which have opted out, a person may, on such terms and conditions as may be approved under the Universal Service Regulations and on payment to the operator (now Eir) of such fee as may be required by the operator—
- be allowed access to the National Directory Database at all reasonable times and take copies of, or of extracts from, entries in that Database, or
- obtain from the operator a copy (certified by the operator or by a member of the operator’s staff to be a true copy) of, or of an extract from, any entry in the National Directory Database,
or both.
The operator shall refuse such inspection or copying of, or of extracts from, entries in the National Directory Database if the operator has reasonable grounds to believe that the person will not comply with the Data Protection Acts and the Regulations in respect of the information in that Database.
Access to Database
A subscriber, or other person with the written consent of the subscriber, may—
- be allowed access to the entry in the National Directory Database in relation to that subscriber in respect of a particular line of the subscriber at all reasonable times and, on payment to the operator of such fee as may be required by the operator, take a copy of that entry, or
- on payment to the operator of such fee as may be required by the operator, obtain from the operator a copy (certified by the operator or by a member of the operator’s staff to be a true copy) of that entry, or both.
Technical features and standardisation
In implementing the Regulations, the Regulator shall ensure that no mandatory requirements for specific technical features are imposed on terminal or other electronic communication equipment which could impede the placing of equipment on the market and the free circulation of such equipment in the European Union.
Where the Regulations can be implemented only by requiring specific technical features in electronic communications networks, the Regulator shall inform the EU Commission in accordance with the procedure provided for by Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998.
The Regulator shall issue such instructions as may be necessary for the purpose of requiring any specific technical features on terminal or other electronic communication equipment necessary
Internal procedures where the scope of rights and obligations are restricted and damages for contravention of Regulations
Requirement made of Providers
Where a legislative measure has been adopted in accordance with the Directive on privacy and electronic communications which restricts the scope of the rights and obligations provided for above, providers shall establish internal procedures for responding to requests for access to users’ personal data having regard to the legislative measures adopted.
The provider shall, when requested to do so by the Commissioner, provide the Commissioner with information about the internal procedures, the number of requests received, the legal justification invoked and the provider’s response to the requests.
A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in a request for information or in purported compliance with such a requirement gives information to the Commissioner that the person knows to be false or misleading in a material respect commits an offence.
Right of Damages for Breach
A person who suffers loss and damage as a result of a contravention of any of the requirements of the Regulations by any other person shall be entitled to damages from that other person for that loss and damage.
In legal proceedings seeking damages against a person under the Regulations, it is a defence for a person to prove that he or she had taken all reasonable care in the circumstances to comply with the requirement concerned.
References and Sources
Legislation
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Communications (Retention of Data) Act 2011
Criminal Justice (Surveillance) Act 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (An Garda Síochána) Regulations 2009, S.I. No. 275 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Revenue Commissioners) Regulations 2009, S.I. No. 290 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Defence Forces) Regulations 2010, S.I. No. 80 of 2010
EU Legislation
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (Official Journal L 8 of 12.1.2001, pp. 1-22)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (Official Journal L 105 of 13.4.2006, pp. 54-63) (declared invalid by Court of Justice ruling, see below).
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Official Journal L 173 of 26.6.2013, pp. 2-8).
European Communities (Directive 2000/31/EC) Regulations 2003
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. No. 336 of 2011
Irish Books
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
Privacy and Data Protection Law in Ireland 2nd ed Denis Kelleher 2015
EU and UK Texts
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers 2nd ed Lynda Macdonald 2008
The Law of Personal Privacy David Sherborne, Mark Thomson, Hugh Tomlinson Due August 2019
Tort Law and the Protection of Privacy John Hartshorne April 2019
The Privacy, Data Protection and Cybersecurity Law Review 5th ed Edited by: Alan Charles Raul 2017
International Cybersecurity and Privacy Law in Practice Charlotte A. Tschider 2017
Determann’s Field Guide to International Data Privacy Law 3rd ed Lothar Determann
The Law of Privacy and The Media 3rd ed Edited by: Nicole Moreham, Mark Warby 2016