Morrison & Foerster : Legal Updates & News : Legal Updates : The Electronic Communications Directive

For more information on the EU's Electronic Communications Directive, you can contact:

Peter Edlind
Brussels

Karin Retzer
Brussels

Charlie Kennedy
Washington, D.C.

Chris Lyon
Palo Alto

Jay Ponazecki
Tokyo

Miriam Wugmeister
New York

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situituations.

Print page

Email page

			Related Practices: Communications & Media Law Privacy and Data Security

The Electronic Communications Directive

January 2004
by Karin Retzer, Peter J. Edlind

The European Union's Directive on privacy and electronic communications[1] ("Electronic Communications Directive"), which was adopted in July 2002, was to have been implemented by the EU Member States[2] by October 31, 2003. The Electronic Communications Directive is intended to cause a reduction in the ever-increasing amount of "spam", i.e., unsolicited electronic mail for direct marketing purposes.[3]

Under EU law, a directive must be implemented by the Member States within the time period specified. Failure to do so could result in an action before the European Court of Justice, brought by the European Commission (the EU's executive body). The slow rate of implementation of the Electronic Communications Directive therefore led the Commission to initiate proceedings on December 5, 2003, against nine Member States.[4]

Although the Electronic Communications Directive aims to introduce a single EU-wide regime in this area, it gives the EU Member States some room for maneuver and interpretation with respect to certain provisions. In particular, EU Member States have a certain degree of discretion in determining how and whether legal persons are protected from spam. As a result, this client alert will deal with the impact of the Electronic Communications Directive and its implementing legislation first on natural persons and second on legal persons.

Natural Persons

"Opt-in"

The Electronic Communications Directive requires the sender (whether a natural or legal person) of an electronic communication to a natural person to have received the consent of such person prior to sending direct marketing by electronic mail. Consent must be indicated by "opting in", which is an affirmative act on the part of the recipient that indicates that he or she agrees to accept direct marketing via electronic mail.

Exceptions to the "Opt-in" Regime

The Electronic Communications Directive allows for direct marketing via electronic communication to take place without explicit opt-in consent under limited circumstances. The circumstances are:

when contact details were obtained in the context of the sale of a product or a service in an appropriate manner (i.e., a manner that complies with the EU's Data Protection Directive[5]);
the same natural or legal person issues the communication; and
the marketing is for the sender's own similar products or services.

The EU Member States have adopted somewhat different methodologies to applying the three-pronged test set forth in the Electronic Communications Directive. With respect to the first prong of the test, by way of example, the German statute[6] requires, without further specification, that the relationship be "an on-going commercial relationship." UK law[7] provides that an actual sale of a product or service is not required; rather, a "relationship" can exist where negotiations for the sale of a product or service have occurred. Swedish legislators, in discussing legislation implementing the Electronic Communications Directive, focused initially on the duration of the relationship following the purchase or sale of a product or service, although the most current proposal left it up to the courts to determine the matter.[8]

The second and third parts of the test for an exception to opt-in consent have also been subject to varying interpretations by the EU Member States. These prongs require that:

the sender of the communication be the "same" natural or legal person as the person with whom the recipient has a relationship;
the marketing pertain to the sender's "own" products or services; and
such products or services be "similar" to those that initially served as the basis for the relationship.

Generally, the formulations of these parts of the test that have been adopted by the EU Member States vary both in terms of the degree of affiliation between the original commercial partner and the source of the subsequent communication and with respect to the relationship between the original product or service and the product or service that is the subject of the later communication. The Finnish Government's proposal[9], for example, allows some leeway with respect to the product relationship, stipulating that "the same provider or a seller of a product may use these contact details for direct marketing of its own products of the same product group and of other similar products or services." The UK legislation states that direct marketing may only be carried out "in respect of that person's similar products and services only." Under both French[10] and Belgian[11] legislation, marketing can only be carried out for "analogous" products or services under the exemption. Belgium, Denmark[12] and the Netherlands[13] also have restricted the ability of affiliated companies to avail themselves of the exception to the opt-in regime to make use of the right to send direct marketing. In sum, direct marketers in a number of the EU Member States, particularly large companies with numerous legal entities and/or multiple product lines or services, may find it difficult to determine if they will qualify for the exception to the opt-in regime.

Opportunity to "Opt-Out"

Even if a direct marketing communication qualifies under the Electronic Communications Directive for an exception to the opt-in requirement, the recipient must clearly and distinctly be given the opportunity to object, free of charge and in an easy manner, to the use of the electronic contact details. This opportunity must be provided when the contact details are collected and in every subsequent communication (if the recipient has not already objected to receiving additional communications). The recipient would thus have the right to opt out from receiving additional communications at any time before the sale, at the time of sale, or anytime thereafter. Under all circumstances, an opt-out election will be deemed to have been made if the recipient mentions to the sender that the marketing is not desired.

Legal Persons

The Electronic Communications Directive primarily looks to protect natural persons from unwanted communications. Thus the requirement of valid consent to receive electronic mail for direct marketing purposes only applies to mail sent to individuals. The Electronic Communications Directive does not expressly require opt-in consent with respect to direct marketing communications to legal entities. Rather, the Electronic Communications Directive provides that EU Member States must "ensure, within the framework of [EU] law and applicable national legislation, that the legitimate interests of subscribers other than natural persons are sufficiently protected." It is thus up to each EU Member State to decide whether to adopt an opt-in regime for subscribers that are legal persons. Provisions of the Electronic Communications Directive other than the opt-in requirement, however, apply to legal persons, most notably those that provide the ability to unsubscribe to further communications and that prohibit the disguising or concealing of the identity of the sender on whose behalf the communication has been made.

Opt-in / Opt-out

The right of legal persons to shield themselves from direct marketing by electronic mail depends on their geographic location. Several Member States[14] have not differentiated between natural and legal persons in implementing the legislation contemplated by the Electronic Communications Directive, meaning that opt-in consent must be received from legal persons. Austria, however, has adopted legislation that requires only that legal persons be offered opt-out consent.[15] In the UK, opt-out consent is all that need be offered to "corporate subscribers".[16] Belgian legislation requires opt-out consent only for legal persons, provided that the legal person's address is not personalized (i.e., other than where the address starts with e.g. "info@" or "the company's name'@"). Presumably, the underlying theory is that a personalized communication would mislead the recipient to believe that he or she had a relationship with the sender.

Note on Transition Periods and "Legacy" Provisions

Transition Issues

Businesses that are located in an EU Member State and engage in direct marketing face a number of uncertainties when bringing themselves into compliance with the edicts of the Electronic Communications Directive. One issue is the extent to which a direct marketer can continue to utilize mailing lists that may have been lawfully compiled under the current EU statutory regime.[17] If the new regime were strictly applied from the date of its entry into force, the investments made by businesses in compiling e-mail databases could become worthless.

In response to the concerns raised by direct marketers, several countries have adopted or are considering legislation allowing direct marketers to use e-mail databases that were lawfully compiled under the current regime, either during a specified transition period or indefinitely. In France, the Senate's version of the draft law incorporates a "transition period" of six months following the date of entry into force of the French implementing law during which period direct marketers will be able to use their lawfully compiled e-mail databases one last time, in order to ask the recipients to opt in. In Belgium, where the implementing law entered into force on March 27, 2003, the Belgian Data Protection Authority issued an "opinion" that also provides for "one last time" use of existing databases, on or before December 31, 2003, but the opinion interprets a recipient's failure to reply to that e-mail as not opting in.[18]

In the UK, a "guidance" that was recently published by the Information Commissioner with respect to the UK implementing regulations suggests that "legacy" e-mail addresses (i.e., e-mail addresses that were collected prior to December 11, 2003, the implementation date of the new regulations) would be usable by direct marketers following the implementation date, provided they were collected in accordance with the legislation in force at that time "and have been used recently". The regulations themselves, however, do not explicitly permit such usage, and the guidance does not bind the UK courts. Thus, under the current state of UK law, businesses that use "legacy" addresses would be safe from the viewpoint of public enforcement, but they are not shielded from actions for damages by individuals.[19]

The Electronic Communications Directive in Practice

The implementation of the Electronic Communications Directive will significantly affect the practices of direct marketing companies in the EU. While uncertainties and, in some cases, inconsistencies exist among EU Member States in their implementation of legislation in accordance with the Electronic Communications Directive, some golden rules for direct marketing can be established for senders of direct marketing:

Senders should examine legacy e-mail databases to determine if they are still valid in light of the legislation enabling the Electronic Communications Directive. Particular attention should be paid to where the recipient is located and whether the addressee is a natural or legal person.
Senders should indicate their identity clearly in the address line of an electronic communication.
Senders should provide a valid address[20] to which the recipient can send a request that no future communications be sent.
Senders should regularly check opt-out registries and update their contact databases accordingly.
Senders who buy their "calling lists" should request a warranty stating that contact addresses have been checked. The warranty could also regulate eventual liability for cases where an address which was registered with an opt-out registry was contacted.

Footnotes

[1] Directive 2002/29/EC of the European Parliament and of the Council of 12 May 2001 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Official Journal L. 201, 31/07/2002 p. 0037-0047 2002.

[2] Currently, Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden and the UK.

[3] The term "electronic mail" in the Directive aims to be "technologically neutral", referring to "any text, voice, sound or image". This term thus collectively covers email, SMS and MMS.

[4] Belgium, Denmark, Finland, France, Greece, Luxembourg, Netherlands, Portugal and Sweden.

[5] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive provides that in order for a subscriber's consent to be considered valid, he or she would need to be provided with (i) certain information about the personal data being collected, (ii) information about the entity controlling the personal data and who may be receiving the data, (iii) information about how the personal data may be processed or used, (iv) an assurance that the organization collecting the personal data will use reasonable efforts to maintain the security and confidentiality of the personal data, and (v) information about how a subscriber can request access to, correction of or erasure of his or her personal data.

[6] The German Government's draft law on amendments to the Unfair Trade Practices Act (Gesetz gegen den unlauteren Wettbewerb - UWG) of May 7, 2003.

[7] The Privacy and Electronic Communications (EC Directive) Regulations 2003 No. 2426.

[8] Proposal on amendments to the Swedish Marketing Act 2003/04:43 (Marknadsföringslagen). At present before Parliament - due to be adopted during March 2004.

[9] The Finnish Government's proposal for The Finnish Act on Privacy in Electronic Communications - Section 26. (Förslag till lag om dataskydd vid elektronisk kommunikation). Presently before the Finnish Parliament - due to be adopted in April/May 2004. Finnish Government's English Translation.

[10] Law on the Digital Economy (Loi pour la confiance dans l'Economie Numérique) Section 12. Draft law.

[11] Law on certain legal aspects of the information society (Loi sur certains aspects juridiques des services de la société de l'information) of March 11, 2003.

[12] The Danish Marketing Practices Act (Markedsfoeringsloven) - Article 6a(2).

[13] Dutch proposal for certain amendments to the Dutch Telecommunications Act (Wijziging van de Telecommunicatiewet en enkele andere wetten in verband met de geharmoniseerd regelingskader voor elektronische communicatiewerken en diensten en de nieuwe dienstenrichtlijn van de Commissie van de Europese Gemeenschaapen).

[14] Denmark, France, Germany, Italy, Netherlands, Portugal, and Spain.

[15] Law on telecommunications (Telekommunikationsgesetz) 2003 - in force since August 20, 2003.

[16] Corporate subscribers are defined by the regulations to include a company within the meaning of the Companies Act 1985, a company incorporated in pursuance of a royal charter or letters patent, a partnership in Scotland, a corporation sole, or any other body corporate or entity which is a legal person distinct from its members.

[17] Currently, the compilation of such information is governed by the Privacy and Telecommunications Directive (No. 97/66 of December 15, 1997), the Distance Selling Directive (No. 97/7 of May 20, 1997) and the E-commerce Directive (No. 2000/31 of June 8, 2000).

[18] Note that this opinion does not bind the courts. In a ruling of November 26, 2003, the Nivelles Commercial Court did not refer to the DPA's opinion. Instead, it ruled that e-mail marketers must be able to use their lawfully compiled databases in order to send one e-mail asking the recipients whether they want to "opt-in", without addressing the issue of how to interpret the recipients' failure to reply to that e-mail.

[19] We have been able to obtain (unofficial) advice from the officials at the UK data protection authority that an e-mail address that was used within the last year can almost certainly benefit from the "legacy provision", whereas an e-mail address that was last used more than three years ago cannot benefit from the "legacy provision". There is a "gray area" as to the ability to use e-mail addresses that are between one and three years old.

[20] The Directive requires a valid address to be provided, although, for example, the Dutch draft law requires a telephone number or postal address as well as a valid e-mail address.