This article looks at some recent developments in the TMT sector in Ireland, following on from the implementation of the new e-privacy regulations and the introduction of new rules permitting paid product placement on Irish television programmes for the first time.
The E-Privacy Regulations
In Ireland, new rules which strengthen and clarify privacy rights in the area of electronic communications have come into effect following the Irish transposition of an EU directive.
These new reforms introduce mandatory notification of data breaches and changes to existing laws governing the use of internet cookies and direct marketing. Irish based telecommunication companies, internet service providers (ISPs) and any other Irish entities that communicate with their customers by means of electronic communication networks will need to carry out an assessment of their activities to ensure compliance with the new rules.
Changes to Cookies Law
A cookie is a small file automatically downloaded on to a user’s computer or mobile phone when the user accesses certain websites. This allows the website to recognise the user’s device and enables the website to provide a more customised and a smoother user interface. Although cookies are used for a number of legitimate purposes, concerns have arisen that they may be used in a way that conflicts with a user’s privacy rights.
Accordingly, the new rules require that website operators obtain a user’s “opt-in” consent before placing cookies on that user’s computer or mobile phone unless the cookie is strictly necessary for the provision of services requested by the user. Users must also be provided with clear and comprehensive information about the purpose for which the cookies will be used.
Guidance published by the Irish Office of the Data Protection Commissioner (the “ODPC”) indicates that such consent could be obtained by the use of appropriate browser settings where this is technically possible and effective. However, the ODPC has acknowledged that, in their present form, most browser settings are not sophisticated enough to allow website operators to assume that a user has given the required consent. This may present an opportunity for browser manufacturers to solve the problem. Further suggestions for compliance include the use of pop-up boxes and/or setting-led consents, whereby the user can have its preferences for the website adopted.
A key issue now facing businesses operating websites in Ireland is how they can obtain opt-in user consent while causing minimum impact to the user experience and without having to drastically reform their websites.
Data Breach Notification Requirements
Another important change is the introduction of new requirements for the mandatory notification of data breaches in the area of electronic communications. As a result of these new requirements Irish ISPs and telecommunications companies are now obliged to notify the ODPC of all data security breaches (the unauthorised disclosure, loss, destruction or alteration of personal data) without undue delay.
In addition, where a breach is likely to adversely affect the personal data or privacy of any individuals, the ISPs and telecommunication companies must also notify those individuals without undue delay. It will not be necessary to notify such individuals however where the ODPC is satisfied that the information which has been disclosed is unintelligible in the hands of a third party. An example of this might be where the information has been encrypted and has therefore been rendered unreadable by third parties.
New restrictions applying to all marketing activities carried out by means of electronic communications have come into force. These restrictions vary depending on whether the marketing is carried out by fax, text message, e-mail, telephone line to a mobile phone, or telephone line to a landline.
Prior consent is now required before any company or entity may call a person’s mobile phone for a marketing purpose unless that person has recorded their preference to receive such calls on the National Directory Database. Previously this type of marketing had been permitted so long as the customer or subscriber had been given the right to object to its use. In addition, marketing material may not be included in any text messages sent to customers or subscribers (even where the primary purpose of the message is to provide information) unless the recipient has provided their prior consent to the receipt of such messages.
Furthermore, an organisation may not contact an individual who is not a customer, for marketing purposes by e-mail unless the prior opt-in consent of that individual has been given. In addition, an organisation may only contact a prior customer by e-mail without their consent having been obtained, where certain conditions have been complied with.
New Rules Permitting Paid Product Placement
New rules permitting paid product placement on Irish television programmes have been introduced. Previously paid product placement was not permitted in this jurisdiction while the placement in television programmes of products or services without payment had been allowed subject to certain conditions having been complied with. Paid product placements will be subject to the regulations published by the Broadcasting Authority of Ireland and will not be permitted for certain types of programmes including children’s programmes.