Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
The Directive on Privacy and Electronic Communications, known as the ePrivacy Directive, sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers' data. It also guarantees rights for subscribers when they use these services. These are the main requirements imposed by the Directive:
- Confidentiality of communications: EU Member States must ensure the confidentiality of communications over public networks, in particular by prohibiting the listening into, tapping and storage of communications without the consent of the users concerned.
- Security of networks and services: a provider of a public electronic communications service has to take appropriate measures to safeguard the security of its service.
- Data breach notifications: if a provider suffers a breach of security that leads to personal data being lost or stolen, it has to inform the national authority and, in certain cases, the subscriber or individual.
- Traffic and location data: this data must be erased or made anonymous when no longer required for communication or billing purposes, except if the subscriber has given consent for another use.
- Spam: subscribers must give their prior consent before unsolicited commercial communications ("spam") are addressed to them. This also covers SMS text messages and other electronic messages received on any fixed or mobile terminal.
- Public directories: subscribers' prior consent is required in order for their telephone numbers, e-mail addresses and postal addresses to appear in public directories.
- Calling-line identification: subscribers must be given the option not to have their telephone number disclosed when they make a call.
Find the text of the Directive here.
In June 2013, the Commission has put in place new specific rules to ensure that personal data breaches in the EU telecoms sector are notified in the same way in each Member State.