The Department for Business Innovation & Skills published a consultation on Sept. 13:
The Department for Business Innovation and Skills has launched its proposals for implementing the revised EU Electronic Communications Framework. This document sets out our preferred approach to implementation and asks questions on a limited number of specific issues. Stakeholders will have 12 weeks to respond to Government proposals.
You can find out more about the consultation and how to comment on it from their site, here.
From the consultation:
The Electronic Communications Framework is the regulatory framework that applies to all transmission networks and services (including access) for electronic communications including: telecommunications (fixed and mobile); e-mail; access to the internet; and content related broadcasting. The Framework is intended to raise standards of regulation and competition across all 27 European Member States’ communications markets. It consists of five Directives:
- the “Framework” directive (2002/21/EC);
- the “Access” directive (2002/19/EC);
- the “Authorisation” directive (2002/20/EC);
- the “Universal Service” directive (2002/22/EC); and
- the “E-Privacy” directive (2002/58/EC).
The amendments to the Framework must be implemented by 25th May 2011.
Discussion of the e-Privacy directive begins on p. 54 of the report and outlines security requirements, enforcement, and penalties. There are new provisions on security:
4.1a. Without prejudice to Directive 95/46/EC, the measures referred to in paragraph 1 shall at least:
– ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
– protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and
– ensure the implementation of a security policy with respect to the processing of personal data.
Relevant national authorities shall be able to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security which those measures should achieve.
There is also a section on penalties for breaches or data protection violations.
The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.
Member states would also have the authority to not only investigate any breaches but “have the power to order the cessation of the infringements referred to in paragraph 1.”
The framework also includes a section on cookies:
5.3. Member States shall ensure that the
use of electronic communications networks to storestoring of information or to gainthe gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned ishas given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. and is offered the right to refuse such processing by the data controller.This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to providefor the provider of an information society service explicitly requested by the subscriber or user to provide the service.
You can read the entire consultation at BIS.