The Data Protection Commissioner (the DPC) has published guidance to assist organisations to comply with the new data protection requirements contained in the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. 336 of 2011 (the Regulations).  The Regulations, which transpose E-Privacy Directive 2009/136/EC, came into operation on 1 July 2011.

The Regulations apply to telecommunications companies and Internet Service Providers (ISPs), and to any entity using such communications and electronic communications networks to communicate with customers.

The Regulations contain new requirements concerning compulsory notification of data breaches, user consent for the placing of cookies on electronic devices, the making of direct marketing phone calls and the sending of electronic marketing messages.

Data Breach Notification

Telecommunications companies and ISPs are now obliged, without undue delay, to notify all personal data security breaches to the DPC.   Individuals must also be notified in circumstances where the breach is likely to adversely affect the personal data or privacy of such individuals.  The Regulations effectively make the provisions of the existing Data Security Breach Code of Practice legally binding in the electronic communications sector.  The DPC can prosecute telecommunications companies and ISPs for failing to take appropriate security measures or failing to report data security breaches, with fines on indictment of up to €250,000. 

The providers are also required to notify customers in all cases where there is a risk that their data may be accessed.  Failure to do so can lead to prosecution by the DPC, with a fine of up to €5,000 per instance.

Cookies

'Cookies' are small text files downloaded on to a user's computer or mobile device when the user accesses certain websites.  Cookies allow websites to record a user's online activities.  The new rules strengthen the privacy of internet users by requiring users to be given the choice as to whether they consent to websites tracking their online behaviour. 

Previously, internet users had to be informed of the use of cookies and offered the right to refuse such use.  In practice, many websites complied with this requirement by using their privacy policy to notify people of how they use cookies and giving users the opportunity to 'opt out' by changing their browser preferences.

The Regulations now require the prior consent of users to the use of cookies and for users to be provided with information on the use of cookies in a manner which is "both prominently displayed and easily accessible."  Thus the mere right to object to the use of cookies is no longer sufficient.  In future, it would be advisable to get consent on an 'opt in' basis, to ensure valid user consent is obtained.  An exception exists where the cookie is strictly necessary for the provision of a service explicitly requested by the user.

Direct Marketing

The Regulations strengthen the current laws in the area of electronic marketing and phone calls.  It is now an offence for a company to phone an individual or business mobile subscriber, for a marketing purpose, without having obtained their prior consent for such contact.

ISPs and telecommunications companies may be prosecuted for unsolicited marketing offences, with fines on indictment of up to €250,000.
