eircom Private and Confidential

15/12/11

eircom Submission on the Transposition into Irish Law of EU Directive 2002/58/EC

Private and Confidential

20 August 2003

th

eircom Private and Confidential

15/12/11

DOCUMENT CONTROL

Document name

Eircom Submission on the Transposition into Irish Law of EU Directive 2002/58/EC

Document Owner Document Type Last updated Version Status

Pat Galvin Microsoft Word 20/08/03 Final Confidential

"Please note that for the purposes of the Freedom of Information Act, 1997 and 2003, and, indeed, generally, that information supplied by eircom to you may contain commercially sensitive information consisting of financial, commercial, technical or other information whose disclosure to a third party could result in financial loss to eircom, or could prejudice the competitive position of eircom in the conduct of its business, or could otherwise prejudice the conduct or outcome of contractual or other negotiations to which eircom is a party.

Accordingly, you are requested to contact Pat Galvin, Director of Regulatory Affairs, where there is a request by any party to have access to records which may contain any of the information herein and not to furnish any information before eircom has had an opportunity of considering the matter."

eircom Private and Confidential

15/12/11

TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................................................................................................... 1 1. GENERAL REMARKS .......................................................................................................................... 2

National Directory Database .............................................................................................................................. 2 Retention of Traffic Data ................................................................................................................................... 3 Contacting Customers ........................................................................................................................................ 4 Appeals Panel .................................................................................................................................................... 5

2. SPECIFIC ISSUES .................................................................................................................................6

Regulation 2 - Interpretation .............................................................................................................................. 6 Regulation 5 Confidentiality of Communication ............................................................................................ 7 Regulation 6 Traffic Data ............................................................................................................................... 8 Regulation 8 Presentation and Restriction of Calling and Connected Line Identification .............................. 9 Regulation 10 - Automatic Call Forwarding .................................................................................................... 10 Regulation 11 Directories of Subscribers ..................................................................................................... 11 Regulation 12 Unsolicited Communications................................................................................................. 11 Regulation 13 National Directory Database.................................................................................................. 11 Regulation 15 Damages for Contravention of Regulations ........................................................................... 12 Regulation 20 - Amendments .......................................................................................................................... 12

eircom Private and Confidential

20th August, 2003

Formatted

Executive Summary
eircom is pleased to submit its comments on the Draft Regulations on the transposition of EU Directive 2002/58/EC. The measures contained in these Regulations deal with complex and important issues which affect users and operators of publicly available electronic communications services. These comments and opinions are provided by eircom in order to help the Department to transpose the Directive accurately and to minimise the risk of ambiguity and uncertainty with regard to regulatory policy decisions arising from the Regulations. Regulation 13 refers to the National Directory Database (NDD) and suggests a number of different proposals in relation to the current operation and policies of the NDD. eircom submits that Regulation 13 exceeds the scope of the Directive. Furthermore, operational and policy issues relating to the NDD are appropriate to the provisions of the European Communities (Electronic Communications Networks and Services) (Universal Service and Users Rights) Regulations, 2003 (S.I. No. 308 of 2003) which were signed into Law on 25th July, 2003. eircom submits that in this instance the provisions as detailed in Regulation 13 should be removed. The retention of and processing of traffic data with respect to billing, marketing, traffic management and the detection of fraud is dealt with in Regulation 6. However, there is at present a significant level of inconsistency in the policy on traffic data retention within Ireland. eircom suggests that the new Data Retention Bill, which is currently being drafted, offers an opportunity to develop the definitive position on traffic data retention. The requirement to inform customers as detailed in a number of the Regulations should be appropriately qualified to exclude undertakings who have previously notified subscribers/users (at considerable cost) within a reasonable timeframe, prior to the implementation of the Regulations. The Guidance Notes acknowledge the role of the Appeals Panel. However, the Regulations contain no reference to it. eircom suggests that the Appeals Panel process provided for in S.I. No. 307 of 2003 should be explicitly referenced in these Regulations. With respect to the operation of Cookies eircom considers that the provisions of these Regulations, while beneficial to the subscriber/end user, require to be dealt with more thoroughly and comprehensively in a separate forum engaging not just network providers, but ISPs, user groups, CPE manufacturers and software applications developers.

Page 1

eircom Private and Confidential

15/12/11

1. General Remarks
eircom welcomes the opportunity to comment on the Draft Regulations (Regulations) on the transposition of EU Directive 2002/58/EC (Directive). Since the measures contained in these Regulations will affect users and operators of publicly available electronic communications services in a fundamental way it is especially important that the implications of the measures are fully considered prior to the adoption of the Regulations. In this section, eircom sets out its views on three key areas contained within the Regulations. In the next section, detailed comments and suggestions are provided on specific Regulations that eircom considers could be improved upon.

eircom notes the comments of the Department of Communications, Marine and Natural Resources (Department) in its Guidance Notes: The new Directive is not intended to create major changes to the substance of the existing Directive, but adapts and updates the existing provisions to new and foreseeable developments in electronic communications services and technologies. It is in this context together with the wishes of the Minister to introduce lighter touch regulation and the fundamental principles of the new EU Regulatory Framework to move towards less burdensome regulation that eircom provides the following comments. National Directory Database Regulation 13 refers to the National Directory Database (NDD) and suggests a number of different proposals in relation to the current operation and policies of the NDD. eircom submits that Regulation 13 exceeds the scope of the Directive. No provision is made within the Directive to deal with issues of policy and the actual operation of the NDD. Those Articles of the Directive which deal with Directories of Subscribers are transposed comprehensively under Regulation 11. eircom wishes to highlight to the Department that the NDD, which is operated and maintained by eircom pursuant to eircoms Universal Service Obligations, is simply a record of all subscribers of publicly available telephone services in the State including those with fixed personal and mobile numbers. The NDD does not include records of

eircom Private and Confidential

15/12/11

those subscribers who have refused to be included in that record. The purpose of the NDD is to keep a record of the necessary information to ensure that a comprehensive directory of subscribers is made available to all end users and also to ensure that a comprehensive telephone directory enquiry service is made available to all end-users. The obligations set out in the Regulations about access to the record would seem more appropriately directed to the service provider providing the service to the customer, as the service provider has the obligation to make the listing available to the customer under their licence. In addition, eircom would point out to the Department that operational and policy issues relating to the NDD are appropriate to the provisions of the European Communities (Electronic Communications Networks and Services) (Universal Service and Users Rights) Regulations 2003 (S.I. No. 308 of 2003) which were signed into Law on 25 th July 2003. As the NDD is a record of subscribers and eircoms role is that of a record keeper of the NDD, the provisions as detailed in Regulation 13 are not practical from an operational point of view and in any event are outside the scope of the Directive. eircom submits that in this instance the provisions as detailed in Regulation 13 should be removed. Retention of Traffic Data Regulation 6 deals with the retention of and processing of traffic data with respect to billing, marketing, traffic management and the detection of fraud. Overall, eircom view Regulation 6 as a correct transposition of Article 6 of the Directive (see below for some specific comments). However, eircom takes this opportunity to highlight to the

Department a number of inconsistencies in the policy on traffic data retention. These inconsistencies are not only confusing but also have significant cost and operational implications. The following conflicting obligations arise for eircom:

The statute of limitations for the period in which a bill may be lawfully challenged is 6 years. Thus, eircom is lawfully entitled to retain traffic data for this period of time; The Data Protection Commissioner has prescribed that traffic data must be erased after a period of 6 months; The Commission for Communications Regulation (ComReg) has directed eircom to keep billing data for a minimum period of 18 months; A Ministerial Direction pursuant to the provisions of Section 110(1) of the Postal and Telecommunications Services Act, 1983 (1983 Act) as amended by Section 7 of

eircom Private and Confidential

15/12/11

the Postal and Telecommunications Services (Amendment) Act,1999 obliges eircom to retain traffic data for not less than three years for the purposes of enabling compliance with any request by a member of the Garda Siochana under Section 98(2B) of the 1983 Act. In light of these conflicting obligations, eircom requires clarification on how the Department proposes to deal with these conflicting obligations. eircom suggests that the new Data Retention Bill, which is currently being drafted, provides the Department with an ideal opportunity to provide the definitive I position on traffic data retention . Contacting Customers In the Regulations various references are made to contacting subscribers or users. In this regard eircom suggests the following:

(a) In some cases the Regulation (e.g. Regulation 6 (2) (a)) states that an undertaking should inform subscribers or users: in writing or by email or publishing a public notice In other cases (e.g. Regulations 6 (3) (a), 6 (3) (b), 9 (2), and 11 (5) (b) it is only stated that the undertaking shall inform subscribers or users: in writing or by email Given eircoms large subscriber base and the fact that eircom has traditionally informed its subscriber base by means of a telephone bill insert and publishing a public notice in national newspapers, eircom suggests that Regulations 6 (2) (a), 6 (3) (a), 6 (3) (b), 9 (2), and 11 (5) (b) be amended to include the term or by publishing a public notice or such other means usually used by an undertaking to communicate with its subscribers. This would ensure that unnecessary costs would not be incurred by eircom and/or other operators.

(b) A related point is that Regulations 6 (2) (a), 6 (3) (a), 6 (3) (b), 8 (5), 9 (2), 10 (1) (b), 11 (5) (b) and 12 (7) require undertakings to inform subscribers or users of possible uses of their traffic and/or location data. eircom has, within the last year, in consultation with the Data Protection Commissioner contacted all subscribers/users. Thus, eircom requests that the requirements to inform customers as set out in these specific

eircom Private and Confidential

15/12/11

Regulations should be appropriately qualified to exclude undertakings who have previously notified subscribers/users (at considerable cost) within a reasonable timeframe prior to the implementation of the Regulations. Appeals Panel In its document Guidance Notes on the Transposition into Irish Law of EU Directive 2002/58/EC the Department notes: The European Communities (Electronic Communications Networks and Services (Framework)) Regulations 2003 (S.I. No 307 of 2003) provides for the establishment of appeal panels to hear and determine appeals against decisions made by ComReg. Decisions by ComReg under the new Data Protection

Regulations will be dealt with by appeal panels established under the Framework Regulations.

Despite this acknowledgement of the Appeals Panel process the Regulations contain no reference to it. eircom suggests that the Appeals Panel process provided for in S.I. No. 307 of 2003 should be explicitly referenced in the Regulations. This could be achieved by inserting the following text as a new paragraph under Regulation 17: Any undertaking that is affected by a decision, designation, determination, specification, requirement direction or any other act of an equivalent nature of the Regulator under these Regulations shall have recourse to the Appeals process set out in S.I. No. 307 of 2003.

eircom Private and Confidential

15/12/11

2. Specific Issues
In this section, eircom provides comments and suggestions on a range of detailed issues arising in the Regulations. Regulation 2 - Interpretation1 Regulation 3 (1) states that These Regulations apply to the processing of personal data in connection with the provision of publicly available electronic communication services in public communications networks in the State and where relevant the European Community. The inclusion of the term publicly available electronic communication services is vital to the underlying sense of both the Directive and the Regulations. In a number of cases parts of the term are omitted. For example: In Regulation 2 (1) Interconnection is defined as linking of public communications networks. This should read linking of publicly available electronic communications networks. In Regulation 2 (1) Traffic Data is defined as any data processedon an electronic communication network . This should read any data processedon a publicly available electronic communications network . In Regulation 2 (1) Undertaking is defined as a person engagedin the provision of electronic communications networks or services . This should read a person engagedin the provision of publicly available electronic communications networks or services . eircom suggests that in order to be consistent with the Directive the proposed amendments above should be adopted and that the Regulations are reviewed to ensure that a consistent definition is applied throughout.

The Universal Service Regulations citation refers to S.I. No. 208 of 2003. This should re ad S.I. No. 308 of 2003.

eircom Private and Confidential

15/12/11

Regulation 5 Confidentiality of Communication eircom seeks clarification on the precise meaning of on each occasion as stated in Regulation 5 (1) (a) and 5 (1) (b). It is eircom view that upon the initial contact with subscribers/users it is sufficient to inform subscribers or users as to what use the information gathered will be used or processed for in order to comply with the Directive, Article 5 (3): on condition that the subscriber or user is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. The transposed term on each occasion exceeds what is required by the Directive and should therefore, be deleted.

Regulations 5 (2) and 5 (3) are not technically possible. Network providers cannot enable or disable Cookies. These are functions of the browser manufacturer, the sites the subscriber visits and the user themselves. 2 eircom's reading of Regulations 5 (2) and (3) is that the Department may be of the view that the use of Cookies will capture and retain information on a users browsing session. However, the user has many other hazards to deal with when surfing the internet. For example, Spyware can potentially track much more details around a users browsing session (sites and data entered by customer) than a Cookie can. A Cookie is restricted in most browsers to a particular site i.e. a given Cookie can only be written and read by a given site. It cannot be used to communicate between sites, and one site cannot find out where a user was on a particular other site using a Cookie. A much more incipient form of surveillance mechanisms are worms and viruses, which have no bounds within the users PC and can allow any or all data stored on the PC to be accessed. Again, this is not the responsibility of the network provider, but the responsibility of the customer, the supplier of the computer applications and the developer of the surveillance applications.

The term Cookie is spelt with a capital C. eircom, suggests that the term should be correctly defined to ensure consistent interpretation under Regulation 2. In addition eircom would suggest that the Department should familiarise themselves with the operation of Cookies. The following website is a useful source of reference http://www.allaboutcookies.org/cookies/cookies-cant-do.html

Formatted

eircom Private and Confidential

15/12/11

eircom considers that the implications of Regulations 5 (2) and (3) require greater thought and more comprehensive legislation which is neither provided for or envisaged in the Directive. Therefore, regulations 5 (2) and (3) should be deleted. Regulation 6 Traffic Data See Section 1 above for discussion on the conflicting policy obligations regarding retention of traffic data.

Regulation 6 (5) purports to be a transposition of the last sentence of Article 6.3 of the Directive. eircom considers that this Regulation is a wholly incorrect transposition for the following two reasons:

(a) The last sentence of Article 6.3 needs to be taken within the context of Article 6.3 as a whole. The first sentence of Article 6.3 begins: For the purpose of marketing electronic communications services or for the provision of value added service

Thus, the in the last sentence of Article 6.3 where it states that users can withdraw their consent, it is clear this refers to the use of the traffic data for the purpose of marketing electronic communications or the provision of value added services. There is no such provision in the current Regulation 6 (5).

(b) This inaccuracy is compounded by the inclusion of an additional phrase at the end of Regulation 6 (5): except where it is undertaken for handling billing or traffic management of for the purposes of fraud detection.

This is not provided for in the Directive, nor it is submitted, is it necessitated by the Directive. eircom submits that a simple transposition of the last sentence of Article 6 (3) with a cross reference to Regulation 6 (3) (a) (i.e. the former part of Article 6.3) would be a more efficient and accurate transposition of the relevant Article from the Directive.

eircom Private and Confidential

15/12/11

Regulation 8 Presentation and Restriction of Calling and Connected Line Identification Regulation 8 (1) (b) requires amendment to reflect the fact that SMS services can only be used with CLI presented. eircom proposes the following additional text (in bold): the undertaking must offer the called subscriber the possibility of using a simple means, free of charge, for reasonable use of this function, of preventing the presentation of the calling line identification of incoming calls. This Regulation shall not apply to those services which require the presentation of CLI as part of their functional operation. Regulation 8 (1) (c) refers to the possibility of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber. This requirement is usually referred to as Anonymous Call Rejection (ACR). A similar requirement was raised with respect to the regulations governing the introduction of CLI. eircom met this requirement by offering customers suitable

Customer Premises Equipment ("CPE") (i.e. not through the provision of a network solution). This CPE is widely available on the Irish market to cater for the relatively few consumers who demand it. eircom's market experience to date has shown that there is a lack of sufficient demand among subscribers/end users to warrant a network solution of this type. On a practical level while this appears to be a protective level for subscribers/end users, most will, however, stop short of wanting to block the bona-fide calls that have no CLI (e.g. calls from ex-directory or International origins). eircom suggests that network operators should not be required to provide ACR as a network solution and that the text of the Regulation should be amended to reflect this. Regulations 8 (6) and 8 (8) are not necessitated by the Directive. Moreover, eircom considers that the measures provided for in these Regulations are covered by the extensive regulatory policies of ComReg.

The provision of services for people with disabilities and the establishment of a Code of Practice for these services have been directed by ComReg in Decision Notice D17/03 pursuant to the provisions of S.I. No. 308 of 2003. Thus Regulation 8 (7) should be deleted.

Regulations 8 (9) (a) and (b) are somewhat broader than required by Article 10 of the Directive. eircom accepts that some specific legislation dealing with the issues

eircom Private and Confidential

15/12/11

referenced therein is required in relation to the particular national circumstances which pertain in Ireland and agrees overall with the regulations as presented. However, there is also a requirement for the legislation to correspond with existing practice. In this regard eircom suggest that the following: Reference to the Permanent Defence Forces should be removed from the Regulation. It is submitted that there is no requirement to provide this information to the Permanent Defence Forces. eircom set up a Malicious Calls Bureau (Bureau) a number of years ago. The cost of setting up the Bureau was considerable and the ongoing running costs are substantial. The procedures for handling complaints made to the Bureau in respect of malicious telephone calls as well as furnishing the Garda Siochana with the requisite information were derived following extensive consultation between eircom and the Garda Siochana at a national level. If, as is intimated in Regulation 8 (9)(a) the current procedures are to be altered, any such alteration should be done in consultation with the Garda Siochana. Moreover the Garda Siochana, and not the permanent Defence Forces are the agency of the State that deal with law enforcement issues.

There is a need for greater clarity in the wording of the Regulation 8 (9) (b). Specifically with respect to meaning of location data what does this term include in respect of emergency calls from fixed networks and mobile networks respectively?

For example, in the case of fixed line emergency calls, made by eircom subscribers to 999/112, eircom has the ability to retrieve the following data the name, address and telephone number of the caller. However, eircom does not have a record of this basic level of data for subscribers of other network providers.

In the case of a mobile network if location data means the cell of origin from where a mobile call is made from eircom's systems do not have the capacity to receive this data. Moreover, eircom has not been able to identify any readily available software application which could modify the existing systems to capture this data.

Regulation 10 - Automatic Call Forwarding The provision in this Regulation is sensible. However, it may be impractical since the customer responsible for the forwarding in the first place could turn it on again

10

eircom Private and Confidential

15/12/11

immediately after the service provider has disabled it. Essentially the legislation is asking the service provider to police subscribers behaviour. eircom is unsure whether this is the meaning of Regulation 10 (1) (a) and seeks guidance from the Department. Regulation 11 Directories of Subscribers As written Regulations 11 (4) and 11 (5) (b) suggest that providers of publicly available electronic communications networks and services are not obliged to update existing editions of directories under Regulations 11 (1) (2) and (3) but suggests that they must, prior to the publication of the next edition, update all existing records in addition to new records of subscribers/users. eircom requires that the Department clarify the text of these Regulations to ensure that this interpretation is excluded. eircom considers that it is impractical to implement such a proposal. In addition, it is submitted that such a proposal would encourage subscribers to go ex-directory and therefore dilute the numbers of subscribers contained in the NDD. In Regulation 11 (5) (a) reference is made to directories with reverse search functions. It is eircoms understanding that this search facility is prohibited under existing legislation. Thus, eircom would suggest either removing the reference, or if the

Department is aware of persons in possession of directories with this capability, eircom requests the Department to provide details of same. Regulation 12 Unsolicited Communications eircom requires clarification from the Department on the exact meaning of Regulation 12 (1). It is presumed that the prohibition on persons making an unsolicited communication for the purpose of direct marketing by means of an automated calling machine refers only to third parties using a publicly available electronic

communications network and does not preclude an operator of such a network from direct marketing to its own subscribers on products and services offered by that undertaking. eircom submits that the wording of Regulation 12 (1) needs amendment if it is to reflect this precise meaning. Regulation 13 National Directory Database See Section 1 above for detailed discussion on the non-applicability of this Regulation under the Directive.

11

eircom Private and Confidential

15/12/11

Regulation 15 Damages for Contravention of Regulations Regulations 15 (1) and 15 (2) are outside the scope of the EU Directive and should therefore be removed. Regulation 20 - Amendments Clarification is required from the Department with respect to Regulation 20 (3) (a) which refers to Section 98 (6) of the 1983 Act. eircom is not aware of this particular subsection and if such a sub-section exists perhaps the Department might provide the appropriate details.

12