The Privacy and Electronic Communications (EC Directive) Regulations 2003

2003 No. 2426

ELECTRONIC COMMUNICATIONS

Made 18th September 2003

Laid before Parliament 18th September 2003

Coming into force 11th December 2003

The Secretary of State, being a Minister designated for the purposes of section 2(2) of the European Communities Act 1972 in respect of matters relating to electronic communications, in exercise of the powers conferred upon her by that section, hereby makes the following Regulations:

S-1 Citation and commencement

1. These Regulations may be cited as the Privacy and Electronic Communications (EC Directive) Regulations 2003 and shall come into force on 11th December 2003.

S-2 Interpretation

2.—(1) In these Regulations—

“bill” includes an invoice, account, statement or other document of similar character and “billing” shall be construed accordingly;

“call” means a connection established by means of a telephone service available to the public allowing two-way communication in real time;

“communication” means any information exchanged or conveyed between a finite number of parties by means of a public electronic communications service, but does not include information conveyed as part of a programme service, except to the extent that such information can be related to the identifiable subscriber or user receiving the information;

“communications provider” has the meaning given by section 405 of the Communications Act 2003;

“corporate subscriber” means a subscriber who is—

(a) a company within the meaning of section 735(1) of the Companies Act 1985;

(b) a company incorporated in pursuance of a royal charter or letters patent;

(c) a partnership in Scotland;

(d) a corporation sole; or

(e) any other body corporate or entity which is a legal person distinct from its members;

“the Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications);

“electronic communications network” has the meaning given by section 32 of the Communications Act 2003;

“electronic communications service” has the meaning given by section 32 of the Communications Act 2003;

“electronic mail” means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service;

“enactment” includes an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament;

“individual” means a living individual and includes an unincorporated body of such individuals;

“the Information Commissioner” and “the Commissioner” both mean the Commissioner appointed under section 6 of the Data Protection Act 1998;

“information society service” has the meaning given in regulation 2(1) of the Electronic Commerce (EC Directive) Regulations 2002;

“location data” means any data processed in an electronic communications network indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—

(a) the latitude, longitude or altitude of the terminal equipment;

(b) the direction of travel of the user; or

(c) the time the location information was recorded;

“OFCOM” means the Office of Communications as established by section 1 of the Office of Communications Act 2002;

“programme service” has the meaning given in section 201 of the Broadcasting Act 1990;

“public communications provider” means a provider of a public electronic communications network or a public electronic communications service;

“public electronic communications network” has the meaning given in section 151 of the Communications Act 2003;

“public electronic communications service” has the meaning given in section 151 of the Communications Act 2003;

“subscriber” means a person who is a party to a contract with a provider of public electronic communications services for the supply of such services;

“traffic data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication;

“user” means any individual using a public electronic communications service; and

“value added service” means any service which requires the processing of traffic data or location data beyond that which is necessary for the transmission of a communication or the billing in respect of that communication.

(2) Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act.

(3) Expressions used in these Regulations that are not defined in paragraph (1) or the Data Protection Act 1998 and are defined in the Directive shall have the same meaning as in the Directive.

(4) Any reference in these Regulations to a line shall, without prejudice to paragraph (3), be construed as including a reference to anything that performs the function of a line, and “connected”, in relation to a line, is to be construed accordingly.

S-3 Revocation of the Telecommunications (Data Protection and Privacy) Regulations 1999

3. The Telecommunications (Data Protection and Privacy) Regulations 1999 and the Telecommunications (Data Protection and Privacy) (Amendment) Regulations 2000 are hereby revoked.

S-4 Relationship between these Regulations and the Data Protection Act 1998

4. Nothing in these Regulations shall relieve a person of his obligations under the Data Protection Act 1998 in relation to the processing of personal data.

S-5 Security of public electronic communications services

5.—(1) Subject to paragraph (2), a provider of a public electronic communications service (“the service provider”) shall take appropriate technical and organisational measures to safeguard the security of that service.

(2) If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.

(3) Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of—

(a) the nature of that risk;

(b) any appropriate measures that the subscriber may take to safeguard against that risk; and

(c) the likely costs to the subscriber involved in the taking of such measures.

(4) For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to—

(a) the state of technological developments, and

(b) the cost of implementing it,

it is proportionate to the risks against which it would safeguard.

(5) Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.

S-6 Confidentiality of communications

6.—(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

S-7 Restrictions on the processing of certain traffic data

7.—(1) Subject to paragraphs (2) and (3), traffic data relating to subscribers or users which are processed and stored by a public communications provider shall, when no longer required for the purpose of the transmission of a communication, be—

(a) erased;

(b) in the case of an individual, modified so that they cease to constitute personal data of that subscriber or user; or

(c) in the case of a corporate subscriber, modified so that they cease to be data that would be personal data if that subscriber was an individual.

(2) Traffic data held by a public communications provider for purposes connected with the payment of charges by a subscriber or in respect of interconnection payments may be processed and stored by that provider until the time specified in paragraph (5).

(3) Traffic data relating to a subscriber or user may be processed and stored by a provider of...
