|
STATUTORY INSTRUMENTS
2003 No. 2426
ELECTRONIC COMMUNICATIONS
The
Privacy and Electronic Communications (EC Directive) Regulations 2003
|
|
Made
|
18th September 2003
|
|
|
|
Laid before Parliament
|
18th September 2003
|
|
|
|
Coming into force
|
11th December 2003
|
|
The Secretary of State, being a Minister designated[1] for the
purposes of section 2(2) of the European Communities Act 1972[2]
in respect of matters relating to electronic communications, in exercise of
the powers conferred upon her by that section, hereby makes the following
Regulations:
Citation and commencement
1.
These Regulations may be cited as the Privacy and Electronic Communications
(EC Directive) Regulations 2003 and shall come into force on 11th December
2003.
Interpretation
2. - (1) In these Regulations -
"bill"
includes an invoice, account, statement or other document of similar
character and "billing" shall be construed accordingly;
"call"
means a connection established by means of a telephone service available to
the public allowing two-way communication in real time;
"communication"
means any information exchanged or conveyed between a finite number of
parties by means of a public electronic communications service, but does not
include information conveyed as part of a programme service, except to the
extent that such information can be related to the identifiable subscriber or
user receiving the information;
"communications
provider" has the meaning given by section 405 of the Communications Act
2003[3];
"corporate subscriber" means a subscriber
who is -
(a)
a company within the meaning of section 735(1) of the Companies Act 1985[4];
(b) a company incorporated in pursuance of a royal charter or letters patent;
(c) a partnership in Scotland;
(d) a corporation sole; or
(e) any other body corporate or entity which is a legal person distinct from
its members;
"the Directive" means Directive 2002/58/EC
of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic
communications sector (Directive on privacy and electronic communications)[5];
"electronic communications network" has
the meaning given by section 32 of the Communications Act 2003[6];
"electronic communications service" has
the meaning given by section 32 of the Communications Act 2003;
"electronic mail" means any text, voice,
sound or image message sent over a public electronic communications network
which can be stored in the network or in the recipient's terminal equipment
until it is collected by the recipient and includes messages sent using a
short message service;
"enactment" includes an enactment
comprised in, or in an instrument made under, an Act of the Scottish
Parliament;
"individual" means a living individual and
includes an unincorporated body of such individuals;
"the Information Commissioner" and
"the Commissioner" both mean the Commissioner appointed under
section 6 of the Data Protection Act 1998[7];
"information society service" has the
meaning given in regulation 2(1) of the Electronic Commerce (EC Directive)
Regulations 2002[8];
"location data" means any data processed
in an electronic communications network indicating the geographical position
of the terminal equipment of a user of a public electronic communications
service, including data relating to -
(f)
the latitude, longitude or altitude of the terminal equipment;
(g) the direction of travel of the user; or
(h) the time the location information was recorded;
"OFCOM" means the Office of Communications
as established by section 1 of the Office of Communications Act 2002[9];
"programme service" has the meaning given
in section 201 of the Broadcasting Act 1990[10];
"public communications provider" means a
provider of a public electronic communications network or a public electronic
communications service;
"public electronic communications network"
has the meaning given in section 151 of the Communications Act 2003[11];
"public electronic communications service"
has the meaning given in section 151 of the Communications Act 2003;
"subscriber" means a person who is a party
to a contract with a provider of public electronic communications services
for the supply of such services;
"traffic data" means any data processed
for the purpose of the conveyance of a communication on an electronic
communications network or for the billing in respect of that communication
and includes data relating to the routing, duration or time of a
communication;
"user" means any individual using a public
electronic communications service; and
"value added
service" means any service which requires the processing of traffic data
or location data beyond that which is necessary for the transmission of a
communication or the billing in respect of that communication.
(2)
Expressions used in these Regulations that are not defined in paragraph (1)
and are defined in the Data Protection Act 1998 shall have the same meaning
as in that Act.
(3) Expressions used in these Regulations that are
not defined in paragraph (1) or the Data Protection Act 1998 and are defined
in the Directive shall have the same meaning as in the Directive.
(4) Any reference in these Regulations to a line
shall, without prejudice to paragraph (3), be construed as including a
reference to anything that performs the function of a line, and
"connected", in relation to a line, is to be construed accordingly.
Revocation of the Telecommunications
(Data Protection and Privacy) Regulations 1999
3.
The Telecommunications (Data Protection and Privacy) Regulations 1999[12] and the Telecommunications (Data Protection and Privacy)
(Amendment) Regulations 2000[13] are hereby revoked.
Relationship between these
Regulations and the Data Protection Act 1998
4.
Nothing in these Regulations shall relieve a person of his obligations under
the Data Protection Act 1998 in relation to the processing of personal data.
Security of public electronic
communications services
5. - (1) Subject to paragraph (2), a provider of a
public electronic communications service ("the service provider")
shall take appropriate technical and organisational measures to safeguard the security of that service.
(2) If necessary, the measures required by paragraph
(1) may be taken by the service provider in conjunction with the provider of
the electronic communications network by means of which the service is
provided, and that network provider shall comply with any reasonable requests
made by the service provider for these purposes.
(3) Where, notwithstanding the taking of measures as
required by paragraph (1), there remains a significant risk to the security
of the public electronic communications service, the service provider shall
inform the subscribers concerned of -
(a) the nature of that risk;
(b) any appropriate measures that the subscriber may take to safeguard
against that risk; and
(c) the likely costs to the subscriber involved in the taking of such
measures.
(4)
For the purposes of paragraph (1), a measure shall only be taken to be
appropriate if, having regard to -
(a) the state of technological developments, and
(b) the cost of implementing it,
it is proportionate
to the risks against which it would safeguard.
(5) Information provided for the purposes of
paragraph (3) shall be provided to the subscriber free of any charge other
than the cost to the subscriber of receiving or collecting the information.
Confidentiality of communications
6. - (1) Subject to paragraph (4), a person shall not use an
electronic communications network to store information, or to gain access to
information stored, in the terminal equipment of a subscriber or user unless
the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user
of that terminal equipment -
(a) is provided with clear
and comprehensive information about the purposes of the storage of, or access
to, that information; and
(b) is given the opportunity to refuse the storage of or access to that
information.
(3)
Where an electronic communications network is used by the same person to
store or access information in the terminal equipment of a subscriber or user
on more than one occasion, it is sufficient for the purposes of this
regulation that the requirements of paragraph (2) are met in respect of the
initial use.
(4) Paragraph (1) shall not apply to the technical
storage of, or access to, information -
(a) for the sole purpose of
carrying out or facilitating the transmission of a communication over an
electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of
an information society service requested by the subscriber or user.
Restrictions on the processing of
certain traffic data
7. - (1) Subject to paragraphs (2) and (3), traffic data
relating to subscribers or users which are processed and stored by a public
communications provider shall, when no longer required for the purpose of the
transmission of a communication, be -
(a) erased;
(b) in the case of an individual, modified so that they cease to constitute
personal data of that subscriber or user; or
(c) in the case of a corporate subscriber, modified so that they cease to be
data that would be personal data if that subscriber was an individual.
(2)
Traffic data held by a public communications provider for purposes connected
with the payment of charges by a subscriber or in respect of interconnection
payments may be processed and stored by that provider until the time
specified in paragraph (5).
(3) Traffic data relating to a subscriber or user may
be processed and stored by a provider of a public electronic communications
service if -
(a) such processing and storage are for the purpose
of marketing electronic communications services, or for the provision of
value added services to that subscriber or user; and
(b) the subscriber or user to whom the traffic data relate has given his
consent to such processing or storage; and
(c) such processing and storage are undertaken only for the duration
necessary for the purposes specified in subparagraph (a).
(4)
Where a user or subscriber has given his consent in accordance with paragraph
(3), he shall be able to withdraw it at any time.
(5) The time referred to in paragraph (2) is the end
of the period during which legal proceedings may be brought in respect of
payments due or alleged to be due or, where such proceedings are brought
within that period, the time when those proceedings are finally determined.
(6) Legal proceedings shall not be taken to be
finally determined -
(a) until the conclusion of
the ordinary period during which an appeal may be brought by either party
(excluding any possibility of an extension of that period, whether by order
of a court or otherwise), if no appeal is brought within that period; or
(b) if an appeal is brought, until the conclusion of that appeal.
(7)
References in paragraph (6) to an appeal include references to an application
for permission to appeal.
Further provisions relating to the
processing of traffic data under regulation 7
8. - (1) Processing of traffic data in accordance with
regulation 7(2) or (3) shall not be undertaken by a public communications
provider unless the subscriber or user to whom the data relate has been
provided with information regarding the types of traffic data which are to be
processed and the duration of such processing and, in the case of processing
in accordance with regulation 7(3), he has been provided with that
information before his consent has been obtained.
(2) Processing of traffic data in accordance with
regulation 7 shall be restricted to what is required for the purposes of one
or more of the activities listed in paragraph (3) and shall be carried out
only by the public communications provider or by a person acting under his
authority.
(3) The activities referred to in paragraph (2) are
activities relating to -
(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud;
(d) the marketing of electronic communications services; or
(e) the provision of a value added service.
(4)
Nothing in these Regulations shall prevent the furnishing of traffic data to
a person who is a competent authority for the purposes of any provision
relating to the settling of disputes (by way of legal proceedings or
otherwise) which is contained in, or made by virtue of, any enactment.
Itemised billing and privacy
9. - (1) At the request of a subscriber, a provider of a
public electronic communications service shall provide that subscriber with
bills that are not itemised.
(2) OFCOM shall have a duty, when exercising their
functions under Chapter 1 of Part 2 of the Communications Act 2003, to have
regard to the need to reconcile the rights of subscribers receiving itemised bills with the rights to privacy of calling
users and called subscribers, including the need for sufficient alternative
privacy-enhancing methods of communications or payments to be available to
such users and subscribers.
Prevention of calling line
identification - outgoing calls
10. - (1) This regulation applies, subject to regulations 15
and 16, to outgoing calls where a facility enabling the presentation of
calling line identification is available.
(2) The provider of a public electronic
communications service shall provide users originating a call by means of
that service with a simple means to prevent presentation of the identity of
the calling line on the connected line as respects that call.
(3) The provider of a public electronic
communications service shall provide subscribers to the service, as respects
their line and all calls originating from that line, with a simple means of
preventing presentation of the identity of that subscriber's line on any
connected line.
(4) The measures to be provided under paragraphs (2)
and (3) shall be provided free of charge.
Prevention of calling or connected
line identification - incoming calls
11. - (1) This regulation applies to incoming calls.
(2) Where a facility enabling the presentation of
calling line identification is available, the provider of a public electronic
communications service shall provide the called subscriber with a simple
means to prevent, free of charge for reasonable use of the facility,
presentation of the identity of the calling line on the connected line.
(3) Where a facility enabling the presentation of
calling line identification prior to the call being established is available,
the provider of a public electronic communications service shall provide the
called subscriber with a simple means of rejecting incoming calls where the
presentation of the calling line identification has been prevented by the
calling user or subscriber.
(4) Where a facility enabling the presentation of
connected line identification is available, the provider of a public
electronic communications service shall provide the called subscriber with a
simple means to prevent, without charge, presentation of the identity of the
connected line on any calling line.
(5) In this regulation "called subscriber"
means the subscriber receiving a call by means of the service in question
whose line is the called line (whether or not it is also the connected line).
Publication of information for the
purposes of regulations 10 and 11
12. Where a provider of a public electronic communications service
provides facilities for calling or connected line identification, he shall
provide information to the public regarding the availability of such
facilities, including information regarding the options to be made available
for the purposes of regulations 10 and 11.
Co-operation of communications
providers for the purposes of regulations 10 and 11
13. For the purposes of regulations 10 and 11, a communications provider
shall comply with any reasonable requests made by the provider of the public
electronic communications service by means of which facilities for calling or
connected line identification are provided.
Restrictions on the processing of
location data
14. - (1) This regulation shall not apply to the processing
of traffic data.
(2) Location data relating to a user or subscriber of
a public electronic communications network or a public electronic
communications service may only be processed -
(a) where that user or
subscriber cannot be identified from such data; or
(b) where necessary for the provision of a value added service, with the
consent of that user or subscriber.
(3)
Prior to obtaining the consent of the user or subscriber under paragraph
(2)(b), the public communications provider in question must provide the
following information to the user or subscriber to whom the data
relate -
(a) the types of location data that will be
processed;
(b) the purposes and duration of the processing of those data; and
(c) whether the data will be transmitted to a third party for the purpose of
providing the value added service.
(4)
A user or subscriber who has given his consent to the processing of data
under paragraph (2)(b) shall -
(a) be able to withdraw such consent at any time,
and
(b) in respect of each connection to the public electronic communications network
in question or each transmission of a communication, be given the opportunity
to withdraw such consent, using a simple means and free of charge.
(5)
Processing of location data in accordance with this regulation
shall -
(a) only be carried out by -
(i) the public
communications provider in question;
(ii) the third party providing the value added service in question; or
(iii) a person acting under the authority of a person falling within (i) or (ii); and
(b)
where the processing is carried out for the purposes
of the provision of a value added service, be restricted to what is necessary
for those purposes.
Tracing of malicious or nuisance
calls
15. - (1) A communications provider may override anything
done to prevent the presentation of the identity of a calling line
where -
(a) a subscriber has
requested the tracing of malicious or nuisance calls received on his line;
and
(b) the provider is satisfied that such action is necessary and expedient for
the purposes of tracing such calls.
(2)
Any term of a contract for the provision of public electronic communications
services which relates to such prevention shall have effect subject to the
provisions of paragraph (1).
(3) Nothing in these Regulations shall prevent a
communications provider, for the purposes of any action relating to the
tracing of malicious or nuisance calls, from storing and making available to
a person with a legitimate interest data containing the identity of a calling
subscriber which were obtained while paragraph (1) applied.
Emergency calls
16. - (1) For the purposes of this regulation,
"emergency calls" means calls to either the national emergency call
number 999 or the single European emergency call number 112.
(2) In order to facilitate responses to emergency
calls -
(a) all such calls shall be
excluded from the requirements of regulation 10;
(b) no person shall be entitled to prevent the presentation on the connected
line of the identity of the calling line; and
(c) the restriction on the processing of location data under regulation 14(2)
shall be disregarded.
Termination of automatic call
forwarding
17. - (1) Where -
(a) calls originally directed to another line are
being automatically forwarded to a subscriber's line as a result of action
taken by a third party, and
(b) the subscriber requests his provider of electronic communications
services ("the subscriber's provider") to stop the forwarding of
those calls,
the subscriber's
provider shall ensure, free of charge, that the forwarding is stopped without
any avoidable delay.
(2) For the purposes of paragraph (1), every other
communications provider shall comply with any reasonable requests made by the
subscriber's provider to assist in the prevention of that forwarding.
Directories of subscribers
18. - (1) This regulation applies in relation to a directory
of subscribers, whether in printed or electronic form, which is made
available to members of the public or a section of the public, including by
means of a directory enquiry service.
(2) The personal data of an individual subscriber
shall not be included in a directory unless that subscriber has, free of
charge, been -
(a) informed by the
collector of the personal data of the purposes of the directory in which his
personal data are to be included, and
(b) given the opportunity to determine whether such of his personal data as
are considered relevant by the producer of the directory should be included
in the directory.
(3)
Where personal data of an individual subscriber are to be included in a
directory with facilities which enable users of that directory to obtain
access to that data solely on the basis of a telephone number -
(a) the information to be
provided under paragraph (2)(a) shall include information about those
facilities; and
(b) for the purposes of paragraph (2)(b), the express consent of the
subscriber to the inclusion of his data in a directory with such facilities
must be obtained.
(4)
Data relating to a corporate subscriber shall not be included in a directory
where that subscriber has advised the producer of the directory that it does
not want its data to be included in that directory.
(5) Where the data of an individual subscriber have
been included in a directory, that subscriber shall, without charge, be able
to verify, correct or withdraw those data at any time.
(6) Where a request has been made under paragraph (5)
for data to be withdrawn from or corrected in a directory, that request shall
be treated as having no application in relation to an edition of a directory
that was produced before the producer of the directory received the request.
(7) For the purposes of paragraph (6), an edition of
a directory which is revised after it was first produced shall be treated as
a new edition.
(8) In this regulation, "telephone number"
has the same meaning as in section 56(5) of the Communications Act 2003[14] but does not include
any number which is used as an internet domain name, an internet address or
an address or identifier incorporating either an internet domain name or an
internet address, including an electronic mail address.
Use of automated calling systems
19.
- (1) A person shall neither transmit, nor instigate the
transmission of, communications comprising recorded matter for direct
marketing purposes by means of an automated calling system except in the
circumstances referred to in paragraph (2).
(2) Those circumstances are where the called line is
that of a subscriber who has previously notified the caller that for the time
being he consents to such communications being sent by, or at the instigation
of, the caller on that line.
(3) A subscriber shall not permit his line to be used
in contravention of paragraph (1).
(4) For the purposes of this regulation, an automated
calling system is a system which is capable of -
(a) automatically
initiating a sequence of calls to more than one destination in accordance
with instructions stored in that system; and
(b) transmitting sounds which are not live speech for reception by persons at
some or all of the destinations so called.
Use of
facsimile machines for direct marketing purposes
20. - (1) A person shall neither transmit, nor
instigate the transmission of, unsolicited communications for direct marketing
purposes by means of a facsimile machine where the called line is that
of -
(a) an individual subscriber,
except in the circumstances referred to in paragraph (2);
(b) a corporate subscriber who has previously notified the caller that such
communications should not be sent on that line; or
(c) a subscriber and the number allocated to that line is listed in the
register kept under regulation 25.
(2) The circumstances referred to
in paragraph (1)(a) are that the individual subscriber has previously
notified the caller that he consents for the time being to such
communications being sent by, or at the instigation of, the caller.
(3) A subscriber shall not permit his line to be used
in contravention of paragraph (1).
(4) A person shall not be held to have contravened
paragraph (1)(c) where the number allocated to the called line has been
listed on the register for less than 28 days preceding that on which the
communication is made.
(5) Where a subscriber who has caused a number
allocated to a line of his to be listed in the register kept under regulation
25 has notified a caller that he does not, for the time being, object to such
communications being sent on that line by that caller, such communications
may be sent by that caller on that line, notwithstanding that the number
allocated to that line is listed in the said register.
(6) Where a subscriber has given a caller
notification pursuant to paragraph (5) in relation to a line of
his -
(a) the
subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not send such
communications on that line.
(7) The provisions of this
regulation are without prejudice to the provisions of regulation 19.
Unsolicited calls for
direct marketing purposes
21. - (1) A person shall neither use, nor
instigate the use of, a public electronic communications service for the
purposes of making unsolicited calls for direct marketing purposes
where -
(a) the called line is that of a
subscriber who has previously notified the caller that such calls should not
for the time being be made on that line; or
(b) the number allocated to a subscriber in respect of the called line is one
listed in the register kept under regulation 26.
(2) A subscriber shall not permit
his line to be used in contravention of paragraph (1).
(3) A person shall not be held to have contravened
paragraph (1)(b) where the number allocated to the
called line has been listed on the register for less than 28 days preceding
that on which the call is made.
(4) Where a subscriber who has caused a number
allocated to a line of his to be listed in the register kept under regulation
26 has notified a caller that he does not, for the time being, object to such
calls being made on that line by that caller, such calls may be made by that
caller on that line, notwithstanding that the number allocated to that line
is listed in the said register.
(5) Where a subscriber has given a caller
notification pursuant to paragraph (4) in relation to a line of
his -
(a) the
subscriber shall be free to withdraw that notification at any time, and
(b) where such notification is withdrawn, the caller shall not make such
calls on that line.
Use of
electronic mail for direct marketing purposes
22. - (1) This regulation applies to the
transmission of unsolicited communications by means of electronic mail to
individual subscribers.
(2) Except in the circumstances referred to in
paragraph (3), a person shall neither transmit, nor instigate the
transmission of, unsolicited communications for the purposes of direct
marketing by means of electronic mail unless the recipient of the electronic
mail has previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of
electronic mail for the purposes of direct marketing where -
(a) that person has obtained the
contact details of the recipient of that electronic mail in the course of the
sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person's similar products and
services only; and
(c) the recipient has been given a simple means of refusing (free of charge
except for the costs of the transmission of the refusal) the use of his
contact details for the purposes of such direct marketing, at the time that
the details were initially collected, and, where he did not initially refuse
the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit
his line to be used in contravention of paragraph (2).
Use of electronic mail for direct
marketing purposes where the identity or address of the sender is concealed
23. A person shall neither transmit, nor instigate the
transmission of, a communication for the purposes of direct marketing by
means of electronic mail -
(a) where the identity of the
person on whose behalf the communication has been sent has been disguised or
concealed; or
(b) where a valid address to which the recipient of the communication may
send a request that such communications cease has not been provided.
Information
to be provided for the purposes of regulations 19, 20 and 21
24. - (1) Where a public electronic communications
service is used for the transmission of a communication for direct marketing
purposes the person using, or instigating the use of, the service shall
ensure that the following information is provided with that
communication -
(a) in relation to a
communication to which regulations 19 (automated calling systems) and 20
(facsimile machines) apply, the particulars mentioned in paragraph (2)(a) and (b);
(b) in relation to a communication to which regulation 21 (telephone calls)
applies, the particulars mentioned in paragraph (2)(a) and, if the recipient
of the call so requests, those mentioned in paragraph (2)(b).
(2) The particulars referred to in
paragraph (1) are -
(a) the name of the person;
(b) either the address of the person or a telephone number on which he can be
reached free of charge.
Register to
be kept for the purposes of regulation 20
25. - (1) For the purposes of regulation 20 OFCOM
shall maintain and keep up-to-date, in printed or electronic form, a register
of the numbers allocated to subscribers, in respect of particular lines, who
have notified them (notwithstanding, in the case of individual subscribers,
that they enjoy the benefit of regulation 20(1)(a) and (2)) that they do not
for the time being wish to receive unsolicited communications for direct
marketing purposes by means of facsimile machine on the lines in question.
(2) OFCOM shall remove a
number from the register maintained under paragraph (1) where they have
reason to believe that it has ceased to be allocated to the subscriber by
whom they were notified pursuant to paragraph (1).
(3) On the request of -
(a) a person wishing to send, or
instigate the sending of, such communications as are mentioned in paragraph
(1), or
(b) a subscriber wishing to permit the use of his line for the sending of
such communications,
for information derived from the register kept
under paragraph (1), OFCOM shall, unless it is not reasonably practicable so
to do, on the payment to them of such fee as is, subject to paragraph (4),
required by them, make the information requested available to that person or
that subscriber.
(4) For the purposes of paragraph (3) OFCOM may
require different fees -
(a) for making available
information derived from the register in different forms or manners, or
(b) for making available information derived from the whole or from different
parts of the register,
but the fees required by them shall be ones in relation to
which the Secretary of State has notified OFCOM that he is satisfied that
they are designed to secure, as nearly as may be and taking one year with
another, that the aggregate fees received, or reasonably expected to be
received, equal the costs incurred, or reasonably expected to be incurred, by
OFCOM in discharging their duties under paragraphs (1), (2) and (3).
(5) The functions of OFCOM under paragraphs (1), (2)
and (3), other than the function of determining the fees to be required for
the purposes of paragraph (3), may be discharged on their behalf by some
other person in pursuance of arrangements made by OFCOM with that other
person.
Register to be kept for
the purposes of regulation 21
26. - (1) For the purposes of regulation 21 OFCOM
shall maintain and keep up-to-date, in printed or electronic form, a register
of the numbers allocated to individual subscribers, in respect of particular
lines, who have notified them that they do not for the time being wish to
receive unsolicited calls for direct marketing purposes on the lines in
question.
(2) OFCOM shall remove a number from the register
maintained under paragraph (1) where they have reason to believe that it has
ceased to be allocated to the subscriber by whom they were notified pursuant
to paragraph (1).
(3) On the request of -
(a) a person wishing to make, or
instigate the making of, such calls as are mentioned in paragraph (1), or
(b) a subscriber wishing to permit the use of his line for the making of such
calls,
for information derived from the register kept
under paragraph (1), OFCOM shall, unless it is not reasonably practicable so
to do, on the payment to them of such fee as is, subject to paragraph (4),
required by them, make the information requested available to that person or
that subscriber.
(4) For the purposes of paragraph (3) OFCOM may
require different fees -
(a) for making available
information derived from the register in different forms or manners, or
(b) for making available information derived from the whole or from different
parts of the register,
but the fees required by them shall be ones in relation to
which the Secretary of State has notified OFCOM that he is satisfied that
they are designed to secure, as nearly as may be and taking one year with
another, that the aggregate fees received, or reasonably expected to be
received, equal the costs incurred, or reasonably expected to be incurred, by
OFCOM in discharging their duties under paragraphs (1), (2) and (3).
(5) The functions of OFCOM under paragraphs (1), (2)
and (3), other than the function of determining the fees to be required for
the purposes of paragraph (3), may be discharged on their behalf by some
other person in pursuance of arrangements made by OFCOM with that other
person.
Modification of contracts
27. To the extent that any term in a contract between a subscriber to
and the provider of a public electronic communications service or such a
provider and the provider of an electronic communications network would be
inconsistent with a requirement of these Regulations, that term shall be
void.
National security
28. - (1) Nothing in these Regulations shall require a
communications provider to do, or refrain from doing, anything (including the
processing of data) if exemption from the requirement in question is required
for the purpose of safeguarding national security.
(2) Subject to paragraph (4), a certificate signed by
a Minister of the Crown certifying that exemption from any requirement of
these Regulations is or at any time was required for the purpose of
safeguarding national security shall be conclusive evidence of that fact.
(3) A certificate under paragraph (2) may identify
the circumstances in which it applies by means of a general description and
may be expressed to have prospective effect.
(4) Any person directly affected by the issuing of a
certificate under paragraph (2) may appeal to the Tribunal against the
issuing of the certificate.
(5) If, on an appeal under paragraph (4), the
Tribunal finds that, applying the principles applied by a court on an
application for judicial review, the Minister did not have reasonable grounds
for issuing the certificate, the Tribunal
may allow the appeal and quash the certificate.
(6) Where, in any proceedings under or by virtue of
these Regulations, it is claimed by a communications provider that a
certificate under paragraph (2) which identifies the circumstances in which
it applies by means of a general description applies in the circumstances in
question, any other party to the proceedings may appeal to the Tribunal on
the ground that the certificate does not apply in those circumstances and,
subject to any determination under paragraph (7), the certificate shall be
conclusively presumed so to apply.
(7) On any appeal under paragraph (6), the Tribunal
may determine that the certificate does not so apply.
(8) In this regulation -
(a) "the Tribunal" means the Information
Tribunal referred to in section 6 of the Data Protection Act 1998[15];
(b) Subsections (8), (9), (10) and (12) of section 28 of and Schedule 6 to
that Act apply for the purposes of this regulation as they apply for the
purposes of section 28;
(c) section 58 of that Act shall apply for the purposes of this regulation as
if the reference in that section to the functions of the Tribunal under that
Act included a reference to the functions of the Tribunal under paragraphs
(4) to (7) of this regulation; and
(d) subsections (1), (2) and (5)(f) of section 67 of that Act shall apply in
respect of the making of rules relating to the functions of the Tribunal
under this regulation.
Legal requirements, law enforcement etc.
29.
- (1) Nothing in these Regulations shall require a communications
provider to do, or refrain from doing, anything (including the processing of
data) -
(a) if compliance with the requirement in
question -
(i) would be inconsistent
with any requirement imposed by or under an enactment or by a court order; or
(ii) would be likely to prejudice the prevention or detection of crime or the
apprehension or prosecution of offenders; or
(b)
if exemption from the requirement in question -
(i) is required for the
purposes of, or in connection with, any legal proceedings (including
prospective legal proceedings);
(ii) is necessary for the purposes of obtaining legal advice; or
(iii) is otherwise necessary for the purposes of establishing, exercising or
defending legal rights.
Proceedings for compensation for
failure to comply with requirements of the Regulations
30. - (1) A person who suffers damage by reason of any
contravention of any of the requirements of these Regulations by any other
person shall be entitled to bring proceedings for compensation from that
other person for that damage.
(2) In proceedings brought against a person by virtue
of this regulation it shall be a defence to prove that
he had taken such care as in all the circumstances was reasonably required to
comply with the relevant requirement.
(3) The provisions of this regulation are without
prejudice to those of regulation 31.
Enforcement - extension of Part V of
the Data Protection Act 1998
31. - (1) The provisions of Part V of the Data Protection Act
1998 and of Schedules 6 and 9 to that Act are extended for the purposes of
these Regulations and, for those purposes, shall have effect subject to the
modifications set out in Schedule 1.
(2) In regulations 32 and 33, "enforcement
functions" means the functions of the Information Commissioner under the
provisions referred to in paragraph (1) as extended by that paragraph.
(3) The provisions of this regulation are without
prejudice to those of regulation 30.
Request that the Commissioner
exercise his enforcement functions
32. Where it is alleged that there has been a contravention of any of
the requirements of these Regulations either OFCOM or a person aggrieved by
the alleged contravention may request the Commissioner to exercise his
enforcement functions in respect of that contravention, but those functions
shall be exercisable by the Commissioner whether or not he has been so
requested.
Technical advice to the Commissioner
33. OFCOM shall comply with any reasonable request made by the
Commissioner, in connection with his enforcement functions, for advice on
technical and similar matters relating to electronic communications.
Amendment to the Telecommunications
(Lawful Business Practice) (Interception of Communications) Regulations 2000
34. In regulation 3 of the Telecommunications (Lawful Business Practice)
(Interception of Communications) Regulations 2000[16], for paragraph (3), there shall be
substituted -
"
(3) Conduct falling within paragraph (1)(a)(i)
above is authorised only to the extent that Article 5 of Directive 2002/58/EC
of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic
communications sector so permits.".
Amendment to the Electronic Communications (Universal Service)
Order 2003
35.
- (1) In paragraphs 2(2) and 3(2) of the Schedule to the
Electronic Communications (Universal Service) Order 2003[17],
for the words "Telecommunications (Data Protection and Privacy)
Regulations 1999" there shall be substituted "Privacy and
Electronic Communications (EC Directive) Regulations 2003".
(2) Paragraph (1) shall have effect notwithstanding
the provisions of section 65 of the Communications Act 2003[18]
(which provides for the modification of the Universal Service Order made
under that section).
Transitional provisions
36.
The provisions in Schedule 2 shall have effect.
Stephen Timms,
Minister of State for Energy, E-Commerce and Postal Services, Department of
Trade and Industry
18th September 2003
SCHEDULE 1
Regulation 31
Modifications for the purposes of these Regulations to Part V of
the Data Protection Act 1998 and Schedules 6 and 9 to that Act as extended by
Regulation 31
1. In
section 40 -
(a) in subsection (1), for the words "data
controller" there shall be substituted the word "person", for
the words "data protection principles" there shall be substituted
the words "requirements of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 (in this Part referred to as "the relevant
requirements")" and for the words "principle or
principles" there shall be substituted the words "requirement or
requirements";
(b) in subsection (2), the words "or distress" shall be omitted;
(c) subsections (3), (4), (5), (9) and (10) shall be omitted; and
(d) in subsection (6)(a), for the words "data protection principle or
principles" there shall be substituted the words "relevant
requirement or requirements."
2. In section 41(1) and (2),
for the words "data protection principle or principles", in both
places where they occur, there shall be substituted the words "relevant
requirement or requirements".
3.
Section 42 shall be omitted.
4. In
section 43 -
(a) for subsections (1) and (2) there shall be
substituted the following provisions -
" (1)
If the Commissioner reasonably requires any information for the purpose of
determining whether a person has complied or is complying with the relevant
requirements, he may serve that person with a notice (in this Act referred to
as "an information notice") requiring him, within such time as is
specified in the notice, to furnish the Commissioner, in such form as may be
so specified, with such information relating to compliance with the relevant
requirements as is so specified.
(2) An information notice must contain a statement
that the Commissioner regards the specified information as relevant for the
purpose of determining whether the person has complied or is complying with
the relevant requirements and his reason for regarding it as relevant for
that purpose."
(b) in subsection (6)(a),
after the word "under" there shall be inserted the words "the
Privacy and Electronic Communications (EC Directive) Regulations 2003
or";
(c) in subsection (6)(b), after the words "arising out of" there
shall be inserted the words "the said Regulations or"; and
(d) subsection (10) shall be omitted.
5. Sections 44, 45 and 46
shall be omitted.
6. In
section 47 -
(a) in subsection (1), for
the words "an information notice or special information notice"
there shall be substituted the words "or an information notice";
and
(b) in subsection (2) the words "or a special information notice"
shall be omitted.
7. In section 48 -
(a) in subsections (1) and (3), for the words
"an information notice or a special information notice", in both
places where they occur, there shall be substituted the words "or an
information notice";
(b) in subsection (3) for the words "43(5) or 44(6)" there shall be
substituted the words "or 43(5)"; and
(c) subsection (4) shall be omitted.
8. In section 49 subsection (5) shall be omitted.
9. In
paragraph 4(1) of Schedule (6), for the words "(2) or (4)" there
shall be substituted the words "or (2)".
10.
In paragraph 1 of Schedule 9 -
(a) for subparagraph (1)(a) there shall be
substituted the following provision -
" (a) that a person has contravened or is
contravening any of the requirements of the Privacy and Electronic
Communications (EC Directive) Regulations 2003 (in this Schedule referred to
as "the 2003 Regulations") or";
and
(b)
subparagraph (2) shall be omitted.
11. In paragraph 9 of Schedule
9 -
(a) in subparagraph (1)(a)
after the words "rights under" there shall be inserted the words
"the 2003 Regulations or"; and
(b) in subparagraph (1)(b) after the words "arising out of" there
shall be inserted the words "the 2003 Regulations or".
SCHEDULE 2
Regulation 36
Transitional provisions
Interpretation
1. In
this Schedule "the 1999 Regulations" means the Telecommunications
(Data Protection and Privacy) Regulations 1999 and "caller" has the
same meaning as in regulation 21 of the 1999 Regulations.
Directories
2.
- (1) Regulation 18 of these Regulations shall not apply in
relation to editions of directories first published before 11th December
2003.
(2) Where the personal data of a subscriber have been
included in a directory in accordance with Part IV of the 1999 Regulations,
the personal data of that subscriber may remain included in that directory
provided that the subscriber -
| 
Legal Guidance - Telephone, Fax and E-mail Selling