Electronic privacy loopholes closed

 

A RAFT of new electronic privacy regulations, which came into force yesterday, will make it illegal for companies to cold-call people on their mobile phone for marketing purposes and place tighter controls on the use of personal data by website operators.

The legislation was transposed into Irish law on the back of an EU directive, and will strengthen protections afforded to phone and internet subscribers.

A long-standing loophole in the legislation had meant telecommunication companies could legally contact mobile subscribers for marketing purposes without their consent.

Intense competition in the mobile phone sector had seen Irish operators renege on an undertaking not to contact customers.

Several leading companies, including Vodafone, 02, Eircom and UPC, were prosecuted in March for repeatedly spamming customers with unsolicited text messages and phone calls in breach of the Data Protection Acts.

The new rules now extend the existing legislation to cover all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.

Another aspect of the legislation deals with the use of “cookies”, which are small text files left on computers by internet providers to allow them keep track of information about a user’s activity on the site.

They are increasingly being used to display advertising that is highly targeted to individual users.

The new regulations mean websites placing cookies on a user’s equipment that are not deleted when the user leaves the website must now identify a means of obtaining user consent.

Under the legislation, telecommunications companies and internet service providers also face tougher penalties for failing to notify the Data Protection Commissioner of every data breach involving a subscriber.

The providers will also be required to notify customers in all cases where there is a risk that user data may be accessed.

Failure to do so can lead to prosecution by the commissioner, with a fine of up to €5,000 per instance.

The commissioner can also, for the first time, prosecute companies for allowing a data breach with fines on indictment of up to €250,000.

Data Protection Commissioner Billy Hawkes said the legal requirements recognised that “the challenges to the maintenance of individual privacy” was becoming increasingly complex in today’s electronic age.

“Individuals must be able to enjoy the benefits of new technology while at the same time remaining in control of their privacy. These new requirements give individuals new rights which my office will enforce,” Mr Hawkes said.