The European Legal Context: the EU Privacy Directives
A foundational statement of European values in relation to privacy vis-à-vis electronic communications, telecommunications, and commercial solicitation is set forth in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 7 provides for the European analog to the U.S. "right to be left alone": "Everyone has the right to respect for his or her private and family life, home, and communications." Article 8 sets forth basic rights relating to personal data protection. Strong rights of personal data protection and "respect for private life" are thus enshrined in the Charter under the overarching concepts of personal dignity and freedom. This "respect for private life" is also enshrined in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.
These foundational values have been given legal and administrative teeth in a series of European directives, two of which stand out as being of particular importance:
- Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the "Data Privacy Directive")
- Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the "E-Privacy Directive")
The Data Privacy Directive established the basic legal framework for data privacy protection in the EU, including the default requirement of "opt-in" consent to data sharing and the "adequacy requirement" for data-sharing with non-EU companies. In response to this latter requirement, the U.S. negotiated a "safe harbor" framework for U.S. companies doing business in Europe or with European companies. The Data Privacy Directive also reflects the basic principle that EU privacy protections must be balanced against the four "fundamental freedoms" of the European "internal market": free movement of persons, goods, services, and capital.
The E-Privacy Directive supplements the Data Privacy Directive, replacing a 1997 Telecommunications Privacy Directive, and providing a minimum standard for EU member state regulation of commercial solicitation by means of email and telecommunications technologies. Article 13 of the E-Privacy Directive sets forth a basic rule of "opt-in" consent for "unsolicited communications": automated telephone calls, faxes, texts, and email. With respect to unsolicited commercial emails, an exception is created in Article 13(2) for cases where a business has provided a good or service to an individual previously, the individual has provided his/her email, and an unsolicited email is sent to advertise "similar" goods or services. Unsolicited emails sent under this exception must, however, provide the customer with an opportunity to "opt-out" of future emails. Article 13(4) prohibits the sending of commercial emails that disguise or conceal the identity of the sender. See also European Commission Website: Unsolicited Communications - Fighting Spam.
The E-Privacy Directive is addressed to EU member states, which means that it must be implemented through EU member state law.
In 2006 and 2009, the E-Privacy Directive was amended as part of a wide-ranging initiative to create a "Telecoms Package": a comprehensive regulatory framework for electronic communication and telecommunications. Part of this Telecoms Package involved the creation of a Body of European Regulators for Electronic Communications ("BEREC"). See Regulation (EC) of November 25, 2009 Establishing the Body of European Regulators for Electronic Communications (BEREC) and its Office. The purpose of BEREC is to facilitate institutional coordination of "national regulatory authorities" (NRAs) - i.e. the regulatory bodies of EU member states - and it therefore is intended to supplement the regulatory framework for electronic communications established by Directive 2002/21/EC (the regulatory "Framework Directive").