Important changes to privacy and data protection law in Ireland were introduced by revised E-Privacy Regulations which came into force on 1 July 2011 (the “Regulations”). The Regulations generally apply to any entity using electronic communications networks to communicate with customers online which includes using a website or by means of email. Certain provisions specifically apply to electronic communications providers such as telecommunications companies and internet service providers (“ISPs”).
The Regulations replace and consolidate the previous regulations in this area. However, they do not replace or alter the obligations that apply to data controllers and data processors under the Data Protection Acts 1988 and 2003. These obligations will continue to apply alongside the updated Regulations.
'I DO’ – CONSENT TO COOKIES
The law is not prescriptive in terms of what methods are to be employed to ensure compliance, which means that website operators are allowed a degree of flexibility to create solutions to ensure compliance. Although the Commissioner has issued a guidance note to assist with compliance with the Regulations, it does not detail any preferred method of compliance with this “opt-in” requirement. One suggestion set out in the guidance note is to capture users’ consent using the browser settings, but this would require the co-operation of browser manufacturers to change the default settings. Other options being discussed include the use of “opt-in” pop-up windows and the adoption of tracking icons – although there is the risk that these will have a negative impact on the user's online experience, as well as making it more difficult for business to employ web analytics technology. The Commissioner is open to consultation with organisations as to alternative technical methods that could be employed in this regard but in the meantime, website operators will need to determine what type of mechanism to use on their websites in order to ensure compliance with the law.
The only exception to the requirement for “opt-in” consent is where the information is strictly necessary to provide a service specifically requested by the user, for example, storage of items in an online shopping cart. The Commissioner warns that such cookies should only be stored for as long as the “session” is live. Website owners should consider conducting an audit of the cookies used on their websites to analyse what types of cookies are strictly necessary so that they are in a position to avail of this exemption. Otherwise, users must be afforded the right to “opt-in” to the use of technologies which do not fall into this “strictly necessary” category.
MANDATORY BREACH NOTIFICATION REQUIREMENTS & SECURITY OBLIGATIONS
Prior to the Regulations coming into force, a Data Security Breach Code of Practice (the “Code”) was introduced by the Commissioner in July 2010. While the Code did not have the force of law, it nevertheless reflected the best practice in the area.
In addition to the general obligation under the Data Protection Acts to keep personal data secure, undertakings providing electronic communications networks or services (e.g. telecommunications companies and ISPs) are obliged under the Regulations to ensure that appropriate technical and organisational security measures are in place to keep data secure. Specifically service providers must not only develop and ensure implementation of a data security policy, they must also ensure that only authorised personnel access personal data for authorised purposes. Service providers are also required to inform subscribers, without delay, of any particular risk to security of the network. Where the risk lies outside the scope of the measures to be taken by the service provider, subscribers must also be advised of any remedies available to them and the likely costs involved in the application of such remedies.
The Regulations also require every security breach (i.e. where there has been an unauthorised disclosure, loss, destruction or alteration of personal data) to be notified to the Commissioner without undue delay even if the breach may be considered not to have an adverse effect on the privacy of a subscriber. This brings with it the risk of ‘breach fatigue’ from a subscriber’s perspective and a possible significant increase in the volume of data breaches that will have to be notified to the Commissioner’s office. Furthermore, the phrase “without undue delay” is not defined in the Regulations, but it is noteworthy that the Code requires notification to be made to the Commissioner within two working days of becoming aware of the incident.
Subscribers must also be notified of the security breach where the breach is likely to adversely affect the personal data or privacy of that subscriber. While the Commissioner must be notified of every breach, notification to the subscriber is not necessary where the Commissioner is satisfied that the information, which is the subject of the breach, is unintelligible in the hands of a third party – in other words, if the information constituting the personal data is adequately encrypted.
Service providers must also maintain an inventory of personal data breaches which can be reviewed by the Commissioner detailing the facts surrounding the breach, the effects of the breach and any remedial actions taken by the service provider.
Failure to comply with the breach notification requirements may result in a criminal prosecution with fines between €5,000 and €250,000 per offence. It is important therefore that telecommunications companies and ISPs review current policies and procedures regarding security breaches to ensure that if a breach should occur, processes are in place to record the details of the breach and to ensure timely notification to the Commissioner and, where relevant, to the individuals affected.
The existing law in relation to direct marketing and in relation to postal marketing (under the Data Protection Acts) remains unchanged, but the Regulations introduce certain new provisions relating to marketing carried out by means of an electronic communications service – for example, by phone, fax, email or SMS.
One of the new requirements is that advance consent must be obtained prior to contacting a person (either in their individual or business capacity) by mobile phone for marketing purposes unless that person has recorded their preference to receive direct marketing calls on the National Directory Database (the “NDD”). The Regulations also clarify that if an entity is sending an informational message (such as information relating to a change in the service) by SMS, marketing material cannot be included unless the recipient of the message has given their prior consent to receiving the marketing material.
Helpfully, the Regulations clarify the difference between marketing to a “natural person” and marketing to an individual in a business context. Advance “opt-in” consent is not required for the use of an individual’s business email address for direct marketing where the email address reasonably appears to the sender to be an email address used mainly by the subscriber/user in their official or business context, and where the marketing email relates solely to those business activities. The Regulations also confirm that “opt-in” consent is not required for email marketing where the organisation obtained the customer’s contact details in the context of a sale of a product or service which occurred not more than 12 months prior to sending the marketing emails, or where the customer’s contact details were used for marketing emails within that 12 month period (otherwise known as “soft opt-in”). Users should be given an opportunity each time they receive a marketing communication to opt-out of the receipt of further marketing communications by that means, in a cost-free and easy manner. Breach of the rules relating to direct marketing is a criminal offence that can attract fines ranging from €5,000 up to €250,000 for each offence, (i.e. each SMS message could be deemed to be a separate offence).