Article 12 ePrivacy Regulation – Presentation and restriction of calling and connected line identification

Art. 12 Sec. 1 ePrivacy Regulation applies to number-based interpersonal communications services as defined in Art. 4 Sec. 1 lit. b ePrivacy Regulation in connection with Art. 2 Sec. 6 EECC Directive^[2]. This refers to remunerated services, enabling direct personal interaction in the way of a publicly assigned number, pursuant to a national or international numbering plan, i.e. a telephone (or fax) number. Conversely, non-number-based services, particularly OTT services, are not encompassed by the provision. These can neither be included by way of a teleological expansion, nor an analogy, since in light of Art. 12 Sec. 1 ePrivacy Regulation´s unequivocal wording, the legislator´s intent was to restrict application to other forms of communication. Consequently, the emerging legislative gap does not represent an unplanned incompleteness, but rather a scheduled limitation. What is more, the provision does not apply to closed user groups, such as intra-company communication services. Indeed, such groups might sometimes resort to number-based services, however, a different set of interests and relationships prevails here, making disclosure of connected lines more calculable for the end-user.^[3]

In the course of the procedure to create a connection to another end-device, a bundle of information about the calling and the called party can be exchanged mutually.^[4] First of all, this includes the dial tone, which, according to the technical and setting-related prerequisites, signals the availability of a particular line, i.e. if the called party is recently connected to another line, available or not connected to a service, at all. Besides that, the calling party can convey information themselves, as for instance such, regarding the service characteristics (telephony or fax) or, more importantly, their telephone or fax number.^[5]

According to Art. 115 EECC Directive in connection with its Annex VI Part B lit. a, Member States already had to ensure that competent authorities would require all respective service-providers to make available calling-line identification presentation (CLIP) both free of charge and in accordance with relevant data protection and privacy law. CLIP proves to be useful not only for identification purposes (e.g. when deciding on taking or rejecting a call), but also facilitates return calls and might enable application of specific settings to particular caller-IDs.^[6] This includes, for instance, automatic or time-related rejections, ring-tones or visual displays.^[7] Art. 12 Sec. 1 ePrivacy Regulation recontextualizes this procedure in the light of Art. 8 ePrivacy Directive by implementing the right to refuse such presentation and its related features.

Conversely, Art. 12 Sec. 1 ePrivacy Regulation does not stipulate an obligation to provide for CLIP, neither does it provide a respective right for end-users. According to its wording, stipulations apply only “where” CLIP is offered. Subject to technical feasibility, services may be provided either without CLIP or with automatic prevention of presentation (CLIR). Withal, the provision leaves room for respective business models, which might want to grade scopes of services to specific pricing schemes.

[2] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code; for details cf. Art. 4 No. I.2.d), Rec. 57 ff.

[3] Kannenberg/Müller, in: Scheurle/Mayen, TKG (2018), § 102 Rec. 13.

[4] Ibid., Rec. 1.

[5] Kannenberg/Müller, ibid.

[6] Büning, in: Geppert/Schütz, Beck’scher TKG-Kommentar (2013), § 102 Rec. 1.

[7] Ibid.

Pursuant to Art. 12 Sec. 1 ePrivacy Regulation, service providers shall provide specific technical facilities for both the calling end-user and the called party. In case these intend to restrict presentation of the calling line identification, such facilities are referred to as ‘Calling Line Identification Restriction’ (CLIR). When intended to restrict presentation on the opposing side, they are referred to as ‘Connected Line Identification Restriction’ (COLR).^[8]

As Art. 12 Sec. 2 ePrivacy Regulation stipulates, both forms must be provided by simple means and free of charge. A facility is ‘simple’, if it does not require special technical knowledge and might be implemented in the course of a few steps.^[9] Generally, this is assumed, if the restriction requires entering a key sequence or number, which includes less steps or digits, than the end-user´s telephone number.^[10] Respective mechanisms must be explained within publicly available information by the provider (e.g. in form of manuals), so that effective use of the facility can be guaranteed.^[11]

Mobile and stationary telephones are no subject to this provision, as far as they are not operated by or included to the service of providers. Yet, manufacturers might still be addressed, if these implement complex and hardly comprehensible user interfaces, which effectively prevent adequate use of Art. 12 Sec. 1 ePrivacy Regulation. Experience shows that end-users will regularly try to apply respective settings within their own device first, before falling back on the service provider itself. Consequently, user interfaces play a central role in guaranteeing the regulatory intent of Art. 12 Sec. 1 ePrivacy Regulation and should therefore be user-friendly and display the applicable features at a plausible and allocable point. Here, a user manual might be advisable to clarify possible difficulties, as well.

a) Facilities of the calling end-user, lit. a

Calling end-users need to be able to prevent the presentation of calling line identification (CLIR) on a “per call, per connection or permanent basis”, cf. Art. 12 Sec. 1 lit. a ePrivacy Regulation. This provision expands the preceding Art. 8 ePrivacy Directive, which had only stipulated a per call restriction for service-users (i.e. one-time-users)^[12] and a per line restriction for subscribers (i.e. long-term-users)^[13]. In light of the wording, Art. 12 Sec. 1 lit. a ePrivacy Regulation, however, does not require a cumulative, but only an alternative facilitation. Subsequently, there is no need to enable all users in light of the entire range of options. Rather, it is left up to the discretion of each service provider itself, which form of CLIR it applies. For example, it could consider that long-term-users will regularly have an increased interest in the entire range of options, while for one-time-users (e.g. customers of a telephone booth, internet-café, copy-shop or related services), such an interest might not generally be given.

With regard to the preceding provision of Art. 8 ePrivacy Directive it was disputed, whether CLIR and COLR had to be provided in any case, or if these were subject to limitations of technical feasibility.^[14] Indeed, the clear wording, which made use of the term “must” indicated a mandatory provision. In the course of Art. 12 Sec. 1 ePrivacy Regulation, however, this wording altered and now confines to the term “shall”. This way, the mandatory character attenuates, limiting to a mere target specification.  Subsequently, Art. 12 Sec. 1 ePrivacy Regulation reads as exempting addressees from the stipulation, any time there is no practicable way of implementation.^[15]

Art. 12 Sec. 1 ePrivacy Regulation only governs the prevention of presentation, not its restoration. This follows from its protective purpose, aiming at privacy and personal data, not general freedom of action.^[16] Consequently, only the prevention of CLIR and COLR must be provided in a simple way and free of charge. Reactivation, conversely, might become subject to a particular fee.^[17] Indeed, one might argue, this way already the initial CLIR becomes fee required and, thus, undermines stipulations pursuant to Art. 12 Sec. 2 ePrivacy Regulation. However, there is no reason not to apply additional costs, where additional effort is produced, especially if such is being requested explicitly. Obviously, such costs would need to be announced within the framework of the contract already. Then, however users or subscribers have enough time and information to adjust accordingly.

b) Facilities of the called end-user, lits. b – d

Called end-users shall be able to prevent presentation of calling line identification of both incoming callers (lit. b) and themselves (lit. d), as well as to reject incoming calls, where CLIR has been applied (lit. c).

Recital 27 ePrivacy Regulation illustrates that in particular help lines and similar organisations might have an interest in guaranteeing anonymity of their callers (lit. b). CLIR however also makes sense in a much wider range of cases, i.e. whenever a called party, for instance in exposed public environments, would like to hide the identity of incoming callers.

An interest in the anonymity of the connected line (COLR) might emerge with respect to all ISDN or GSM services, since these allow not only for the presentation of the connecting line but also for the connected line identification (lit. d).^[18] Indeed, the calling party needs to know the dialled number in the first place, so that, by a first sight, the range of application might by questionable. Yet, whenever the calling party is manually or automatically forwarded to another line, this will not generally be the case. Here, it might be of high interest to the called party, not to disclose his or her line, as for instance, in cases entailing a high demand for a particular individual. Those cases may oftentimes involve mediation offices, which select or filtrate calls, in order to safeguard privacy and remaining capacities. Art. 12 Sec. 1 lit. d ePrivacy Regulation allows for appropriate protective measures, enabling the called end-user to prevent presentation of their connected line identification. Such a facility must be also provided for by simple means and free of charge (cf. above).

Art. 12 Sec. 1 lit. d ePrivacy Regulation does not address the question, whether, from a calling party´s perspective, such a forwarding of calls is admissible unrestrictedly, or if a special legal remedy is needed, preventing this on a case-by-case basis. Pursuant to Art. 11 ePrivacy Directive^[19], call-forwarding had already been regulated to the extent that subscribers had to be provided with the ability to stop automatic call forwarding by a third party to their own device.^[20] German legislation moreover provided for a right of calling parties to be informed of the fact, a call is being redirected.^[21] Both eventually served the end, to prevent nuisances in the course of unrequested forwardings. Indeed, Art. 14 Sec. 2 lit. b ePrivacy Regulation addresses the blocking of unwanted calls in cases of the reception. No such provision, however, applies to the transmission of calls, leaving calling parties in a significant lack of protection.^[22] Withal, calling parties have a justified interest in knowing, who they share information with, i.e. with the party they called^[23] or somebody, they were forwarded to. Also, it seems comprehensible that calling parties may want to reject such forwarding in case it conflicts with the purpose of the call. A regulatory gap seems difficult to understand, especially in light of the fact that the ePrivacy Regulation per se advocates a broad concept of privacy with regard to communications.^[24] Pursuant to Rec. 1 ePrivacy Regulation, it refers to both the “information exchanged between parties and the external elements of such communications, including […] to whom [information is being sent], and not to be revealed to anyone other than to the parties involved in a communication”. Consequently, the regulation must be supplemented, in order to integrate a respective right, enabling callers to detect and prevent call forwarding. Such correction may be done in the course of an analogy, which preferably resorts to its regulatory adjacent provision of Art. 12 Sec. 1 lit. c ePrivacy Regulation.^[25] Accordingly, the possibility to “reject incoming calls” transfers to the possibility of both “being informed about forwarding” and “to reject forwarding of calls”.

Unlike lit. a, lit. d does not specify, which form of prevention needs to be possible. Yet, with regard to the wording in lit. a and its subsequent systematic location, the service provider needs to be able to choose from a similar range of options, entailing a per call, per connection or permanent installation.^[26]

Eventually, corresponding to the possibility of calling end-users to apply CLIR, called end-users need to be able to reject respective calls in a simple manner and free of charge (lit. c). Practically, a ‘simple’ rejection needs to be possible within a single or few keyboard inputs.^[27] Here, the provision also lacks specification of respective modes of rejection. As regards lit. d, it needs to be assumed, however, that also all forms apply in an alternative relation.

[8] Kannenberg/Müller, ibid., Rec. 21.

[9] Ibid., Rec. 6.

[10] Ibid.

[11] Cf. No. III.

[12] Cf. Art. 2 lit. h Directive 2002/21/EC (Framework Directive).

[13] Cf. Art. 2 lit. k Directive 2002/21/EC (Framework Directive), meaning any natural person or legal entity, which is party to a contract with the provider of publicly available electronic communications services for the supply of such services.

[14] Büning, in: Geppert/Schütz, Beck’scher TKG-Kommentar (2013), § 102 Rec. 11.

[15] The inverted, mandatory wording („must“) implemented Art. 8 ePrivacy Directive; cf. in that respect Büning, ibid.

[16] Cf. Recs. 1 to 4, 27 ePrivacy Regulation; in this respect also Büning, ibid., Rec. 19.

[17] Cf. Kannenberg, ibid., Rec. 7.

[18] Kannenberg/Müller, in: Scheurle/Mayen, TKG (2018), § 102 Rec. 21.

[19] Cf. also its corresponding Recs. 19 and 37 and its German transposition in § 16 TTDSG.

[20] This, however, referred to the inverted situation, in which a third party applied (possibly misused) mechanisms, to redirect calls to the subscriber, previously targeted to another line. It has now been implemented within Art. 14 Sec. 2 lit. a ePrivacy Directive.

[21] § 9 Sec. 4 TDSV 1996: Büttgen, in: Geppert/Schütz, Beck´scher TKG-Kommentar (2013), § 103, Rec. 1; regarding Art. 11 ePrivacy Directive: Braun, in: Taeger/Gabel, DSGVO – BDSG – TTDSG, § 16 TTDSG (2022), Rec. 2.

[22] Moreover, Art. 14 Sec. 2 lit. b ePrivacy Regulation only refers to ‘automatic call forwarding’, while here, individual forwarding is the case.

[23] Be it in the course of a direct or ‘indirect’ connection.

[24] Cf. Rec. 1 ePrivacy Regulation in connection with Art. 7 CFR.

[25] Indeed, Art. 14 Sec. 2 lit. b ePrivacy Regulation might be considered, as well. Yet, Art. 12 Sec. 1 lit. c ePrivacy Regulation represents the closer regulatory matter.

[26] Cf. I.2.a).

[27] Kannenberg/Müller, ibid., Rec. 8.