Datenschutz in der Europäischen Union
Homepage

Wir über Uns
Berlin
National
Europäische Union
International
Recht
T.O Maßnahmen
Aktuelles
Kontrolle
Materialien
Service
Themen


5007/00/EN/final
WP 28

Article 29 Data Protection Working Party

Opinion 1/2000
on certain data protection aspects of electronic commerce

Presented by the Internet Task Force

Adopted on 3rd February 2000


1. Introduction

The EU is currently in the process of adopting a proposal for a directive on certain legal aspects of e-commerce[1]. As it has done to date, the Article 29 Data Protection Working Party[2] intends to make a constructive input into this reinforcement of the legal framework for e-commerce. With this Opinion, the Working Party intends to highlight a data protection issue raised by e-commerce, and to explain how it is dealt with in the European legislation. The legal framework for the protection of the fundamental right to privacy and the protection of personal data is already in place in form of Directive 95/46/EC laying down the general data protection principles and in form of Directive 97/66/EC supplementing them for the telecommunications sector.

The Working Party would like to express its satisfaction that the text currently in the process of adoption now contains express clarification, in a new recital and a new article 1(4)(b), as to the full and proper application of the data protection legislation[3] to internet services. This means that the implementation of the e-commerce directive must be completely in line with data protection principles.

The Working Party has already given considerable attention to internet-related data protection issues, most notably in 1999 by issuing general guidance on three important questions related to the specific characteristics of new information technologies. It has issued an opinion on public sector information[4], and recommendations on invisible and automatic processing of personal data on the internet[5], and the preservation of traffic data by internet service providers for law enforcement purposes[6]. In the context of e-commerce, a fourth question arises. The Working Party would now like to give an interpretation on the application of European data protection rules to data processing for electronic mailing purposes.

2. The issue of electronic mailing

In order to launch an advertising campaign or commercial mailing, a company must acquire an extensive and appropriate list of e-mail addresses of potential customers. There are three possible ways in which companies can acquire e-mail addresses from the internet : direct collection from customers or visitors of web sites; lists prepared by third parties[7]; and collection from internet public spaces such as public directories, newsgroups or chat-rooms.

A particular feature of electronic commercial mailings is that while the cost to the sender is extremely low compared to traditional methods of direct marketing, there is a cost to the recipient in terms of connection time. This cost situation creates a clear incentive to use this marketing tool on a large scale, and to disregard data protection concerns and the problems caused by electronic mailing.

The problem from the citizen's point of view is threefold : firstly, the collection of one's email address without one's consent or knowledge; secondly, the receipt of large amounts of unwanted advertising; and thirdly, the cost of connection time. A leading issue in this field is spam[8]. Spamming is the practice of sending unsolicited emails, usually of a commercial nature, in large numbers and repeatedly to individuals with whom the sender has no previous contact. It typically occurs when an e-mail address has been collected in a public space on the internet. The problem from an internal market point of view is the possibility of divergent national regulation of electronic commercial communication creating barriers to trade. Both types of problem have been influential in the development of relevant Community legislation.



3. Community legislation and its application to electronic mailing

The general point has already been made that data protection legislation applies to e-commerce[9]. Electronic mailing is a specific example of how the data protection problems raised by e-commerce can be resolved using the legal principles contained in the two directives. The general directive states that personal data must be collected fairly, for specified, explicit and legitimate purposes, and processed in a fair and lawful manner in line with those stated purposes[10]. Processing must take place on legitimate grounds such as consent, contract, law or a balance of interests[11]. Furthermore the individual has to be informed about intended processing[12], and given the right to object to processing of their personal data for direct marketing purposes[13]. The telecommunications privacy directive gives Member States the choice between applying "opt-in" and "opt-out" rules for unsolicited commercial communications[14]. To the data protection rules are added certain requirements inspired by consumer protection. The distance selling directive requires for example that consumers as a minimum be given the right to object to distance communication[15] operated by means of e-mail.

The e-commerce directive may, once adopted, make explicit provision in article 7 on two technical aspects : the obligation to identify commercial e-mail as such, and the obligation to consult and respect opt-out registers where they are provided for by national rules. But a recital and article 1(4)(b) make it clear that this directive is in no way intended to change the legal principles and requirements contained in the existing legislative framework outlined above. Since the data protection legislation fully applies to e-commerce, the implementation of the e-commerce directive must be completely in line with data protection principles. This means firstly that as far as data protection is concerned, the national law applicable to a company responsible for the processing of personal data will continue to be that of its country of establishment in EU[16]. It also means that the e-commerce directive could neither prevent Member States from requiring companies to seek prior consent for commercial communications[17], nor the anonymous use of the internet[18].

In the view of the Working Party, these rules provide a clear answer to the privacy issues raised in part 2 above, and give a clear picture of the rights and obligations of those involved. Two situations should be distinguished :

  • If an e-mail address is collected by a company directly from a person with a view to electronic mailing by that company or a third party to which the data are disclosed, the original company must inform the person of those purposes at the time of collecting the address[19]. The data subject must also, as a bare minimum, be given at the time of collection and at all times thereafter the right to object to this use of his data by easy electronic means, such as clicking a box provided for that purpose, by the original company and further on by the companies which have received data from the original company[20]. Certain national laws implementing the relevant directives even require the company to obtain the data subject consent. The requirements of the draft e-commerce directive's article on unsolicited commercial communications would complement these rules at a technical level by imposing the obligation to consult a register on the service provider, but would not take anything away from the general obligations applicable to data controllers.

  • If an e-mail address is collected in a public space on the internet¸ its use for electronic mailing would be contrary to the relevant Community legislation, and this for three reasons. Firstly, it could be seen as "unfair" processing of personal data in terms of article 6(1)(a) of the general directive. Secondly, it would be contrary to the purpose principle of article 6(1)(b) of that directive, in that the data subject made his e-mail address public for quite a different reason, for example participation in a newsgroup. Thirdly, given the cost imbalance and the disruption to the recipient, such mailing could not be regarded as satisfying the balance of interest test of article 7(f)[21].


4. Conclusions

This Opinion is not intended as the final position of the Working Party on the interaction between e-commerce and data protection. Its objective is to raise awareness of the issues raised by a particular type of data processing which is currently the subject of debate in many circles, and to contribute to understanding of the legal framework applicable to e-commerce. There may well be other e-commerce issues beyond those already dealt with by the Working Party that may require interpretative guidance or a common approach. Therefore the Working Party considers it necessary to develop a common policy on aspects ranging from cyber-marketing to electronic payments, to Privacy Enhancing Technologies. It has mandated its Internet Task Force to continue this work. Various outcomes are expected, including recommendations on technical measures related to spam, or the validation of web sites according to a common European checklist based on the data protection directives.
Done at Brussels, 3rd February 2000

For the Working Party

The Chairman

Peter J. HUSTINX



[1] Amended proposal for a European Parliament and Council Directive on certain legal aspects of electronic commerce in the internal market, COM (1999) 427 final. Political agreement on a text was reached in the Council of Ministers on the 7th December 1999; a Common Position will soon be formally adopted before a second reading at the European Parliament. See Press Release IP/99/952. p.1 and 4
[2] Established by article 29 of directive 95/46/EC, cited in footnote 3 below
[3] Directive 95/46/EC of the European Parliament and the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, JO L 281/31 of 23rd November 1995, and directive 97/66 of the European Parliament and of the Council of 15th December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, JO L 24/1 of 30th January 1998, both available at http://europa.eu.int/comm/dg15/en/media/dataprot/law/index.htm
[4] Opinion 3/99 on Public Sector Information and the Protection of Personal Data, adopted on 3rd May 1999: WP 20 (5055/99). All documents adopted by the Working Party are available at: http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm
[5] Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet performed by Software and Hardware, adopted on 23rd February 1999: WP 17 (5093/98)
[6] Recommendation 3/99 on the preservation of traffic data by internet service providers for law enforcement purposes, adopted on 7th September 1999 : WP 25 (5085/99)
[7] The lists prepared by a third party may be established on the basis of data collected directly from customers or on the basis of data collected in internet public spaces.
[8] This subject has been dealt with by the Report on Electronic Mailing and Protection of Personal Data adopted by the CNIL on October 14th 1999, available at www.cnil.fr. Parts 2 and 3 of this Opinion are based to some degree on that Report.
[9] Working document: Processing of Personal Data on the Internet. Adopted on 3.2.1999: WP 16 (5013/99)
[10] Directive 95/46/EC, article 6
[11] Directive 95/46/EC, article 7
[12] Directive 95/46/EC, article 10
[13] Directive 95/46/EC, article 14
[14] Directive 97/66, article 12. It could even be argued that the use of e-mail for direct marketing is to be considered equivalent to the use of automated calling devices which does require consent of the data subject.
[15] Directive 97/7/EC of the European Parliament and of the Council of 20th May 1997 on the protection of consumers in respect of distance contracts, OJ L 144/19 of 4th June 1997, article 10 (e-mail is expressly included in this by means of article 2(4) and annex 1); available at http://www.europa.eu.int/eur-lex/en/lef/dat/1997/en_397L0007.html
[16] Directive 95/46/EC, article 4.
[17] See article 12 of directive 97/66/EC
[18] See recital 6a of the amended proposal, footnote 1 above
[19] Directive 95/46/EC, article 10
[20] Directive 95/46/EC, article 14..
[21] That provision (one out of several possible legitimate grounds for processing) requires data processing to be "necessary for the purposes of legitimate interests pursued by the controller . . . except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject".
Seitenanfang

Zuletzt geändert:
am 03.03.2000

mail to webmaster