Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 14 ePrivacy Regulation – Blocking Unwanted, malicious or nuisance calls

Art. 14 ePrivacy Regulation

1. Providers of number-based interpersonal communications services shall deploy state of the art measures to limit the reception of unwanted, malicious or nuisance calls by end-users.

1a. Member States shall establish more specific provisions with regard to the establishment of transparent procedures and the circumstances where providers of number-based interpersonal communication services shall override, or otherwise address, the elimination of the presentation of the calling line identification on a temporary basis, where end-users request the tracing of unwanted, malicious or nuisance calls.

2. Providers of number-based interpersonal communications services shall also provide the called end-user with the following possibilities, free of charge:

(a) to block, where technically feasible, incoming calls from specific numbers or from anonymous sources or from numbers using a specific code or prefix referred to in Article 16(3a); and

(b) to stop automatic call forwarding by a third party to the end-user’s terminal equipment.

(29) Technology exists that enables providers of electronic communications services to limit the reception of unwanted, malicious or nuisance calls by end-users in different ways, including blocking silent calls and other unwanted, malicious and nuisance calls, such as calls originating from invalid numbers, i.e. numbers that do not exist in the numbering plan, valid numbers that are not allocated to a provider of a number-based interpersonal communications service, and valid numbers that are allocated but not assigned to an end-user. Providers of number-based interpersonal communications services should deploy this technology and protect end-users against such calls free of charge. Providers should ensure that end-users are aware of the existence of such functionalities, for instance, by publicising the fact on their webpage.

According to Art. 14 ePrivacy Regulation, providers of number-based interpersonal communications services shall deploy state of the art measures to limit the reception of unwanted, malicious or nuisance calls by the end-user (Sec. 1), including the facilities to block specific numbers (Sec. 2 lit. a), to stop automatic call forwarding by a third party to the end-user (Sec. 2 lit. b) and to establish procedures to override calling line identification restriction (‘CLIR’) in the sense of Art. 12 Sec. 1 lit. a ePrivacy Regulation (Sec. 1a).

The provision takes over the preceding ePrivacy Directive´s Art. 10 lit. a and its corresponding Recitals 36 et seqq., pertaining to the suspension of CLIR as well as Art. 11, requiring the provision of end-users´ facilities to stop automatic call forwarding.[1] With regard to the limitation of unwanted call-receptions by the end-user and their ability to block the remaining ones, Art. 14 ePrivacy Regulation moreover amends the ePrivacy Directive, which had previously stipulated only a general restriction of direct marketing communications pursuant to its Art. 13 Secs. 3 and 4. Thus, Art. 14 ePrivacy Regulation at the same time erases the marketing context and the associated requirement of a commercial act. This corresponds to the ePrivacy Regulation´s comprehensive claim to protection.[2] Consequently, respective calls might be either of a private or a commercial nature, making Art. 14 ePrivacy Regulation lex generalis to the specific marketing-related communications under Art. 16 Sec. 3 ePrivacy Regulation.[3] As regards the way of communication, however, both provisions mark an individual scope of application, which is unrelated to that extent.

With regard to commercial actions, Art. 14 ePrivacy Regulation is, indeed, thematically related to the law of unfair competition and must therefore be considered in light of its related provisions. That particularly includes Art. 8 Directive 2005/29/EC (Unfair Commercial Practices Directive) and its Annex I No. 26, concerning aggressive commercial practices by telephone. Yet, unfair competition law only concerns end-users specifically in their function as market actors (referred to in this context as ‘consumer’), while privacy and data protection law concerns end-users´ fundamental rights.[4] Consequently, Art. 14 ePrivacy Regulation does not itself represent law of unfair competition.[5]

Systematically it remains questionable, how reasonable the approach of assigning end-user-facilities by topic, i.e. “unwanted, malicious or nuisance calls”, CLIR or “unsolicited and direct marketing communications”, actually is. That is, particularly, since elaboration between Arts. 12 and 16 ePrivacy Regulation in its present form lacks logical consistency. For instance, the facility to override CLIR is found within Arts. 13 Sec. 1 and 14 Sec. 1a ePrivacy Regulation, however not in Art. 12 ePrivacy Regulation itself. Conversely, the facility to reject a call as a reaction to CLIR is set out within both Arts. 12 Sec. 1 lit. c, 13 Sec. 1a and 14 Sec. 2 lit. 1 Var. 2 ePrivacy Regulation, as opposed to the latter alone. In contradiction to a stringent topic-related assignment, the legislator, thus, chooses to sometimes take the regulatory subject and sometimes their respective remedies as a connecting point for regulation. In this respect, a unified approach, opting for one or the other, would have been preferable.

[1] For details on the term ‘CLIR’ cf. Art. 12 No. I.1.

[2] Cf. Art. 1 Secs. 1, 2 ePrivacy Regulation and its corresponding Recs. 1 – 6.

[3] The remaining scope of application includes, for instance, surveys, (purely) informational calls or various forms of fraudulent calls.

[4] Ohly, in: Ohly/Sosnitza, Gesetz gegen den unlauteren Wettbewerb (2016), § 7 Rec. 10 with further reference to Köhler, WRP 13, p. 367 Rec. 13.

[5] Insofar as national legislations had nonetheless incorporated respective provisions within the framework of unfair competition law, these will be superseded by Art. 14 ePrivacy Regulation, taking direct effect pursuant to Art. 288 Sec. 2 TFEU. This particularly concerns German § 7 UWG, which, in national scholars´ notion, represented an “alien element” to national unfair competition law, cf. Ohly, ibid.; in this regard, the UWG will undergo significant systematic improvement.

Art. 14 Sec. 1 ePrivacy Regulation concerns the limitation of unwanted, malicious or nuisance calls. Providers of number-based interpersonal communications services are obliged to deploy state of the art measures to limit respective receptions by end-users. While the provision’s focus lies on the protection of privacy against unsolicited intrusions via telephone, it nonetheless also has an economic significance. Already in its early days (i.e. from the 2000s onwards) the economic damage caused by so-called ‘cold calling’ was estimated at 2.5 billion Euros Europe-wide just in terms of lost productivity.[6] Consequently, Art. 14 Sec. 1 ePrivacy Regulation contributes to a comprehensive protection of privacy, not least with regard to its economic preconditions and personal scope of application vis-à-vis legal persons.[7]

The provision was added in the course of the Council’s version, since before, Art. 14 ePrivacy Regulation had only encompassed blocking of calls and call-forwarding.[8] It is designed in the form of a general clause, leaving significant leeway for judicial interpretation. That concerns not only the conceivable breadth of its central terms “unwantedness, maliciousness or nuisance” but also the non-compulsory legal requirement conveyed by the wording “shall”. Due to a lack of definition within the framework of Art. 4 ePrivacy Regulation or further case-related specification, there is a need for legally secure interpretation, which, most reasonably, needs to orient itself towards Art. 14 Sec. 1 ePrivacy Regulation’s main areas of application. Withal, it stands to reason that through application by courts and scholars a certain differentiation between case-groups will evolve, providing proper guidance in the course of time.

[6] Mankowski, in: Fezer/Büscher/Obergfell, Lauterkeitsrecht: UWG (2016), § 7 Rec. 44, referring to European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on unsolicited commercial communications or ‘spam’, p. 8.

[7] Cf. Art. 1 Sec. 1a ePrivacy Regulation.

[8] Cf. Proposal 6087/21 of 10 February 2021.

Art. 14 Sec. 1 ePrivacy Regulation takes to task providers of number-based interpersonal communications services. Pursuant to Art. 4 Sec. 1 lit. b ePrivacy Regulation in connection with Art. 2 Secs. 6 and 16 Directive (EU) 2018/1972 (European Electronic Communications Code Directive, ‘EECC’) these are defined as persons or entities establishing, operating, controlling or making available an interpersonal communications service, which connects with publicly assigned numbering resources, notably, a number in national or international numbering plans (i.e. telephone service providers). Providers need to deploy state of the art measures to limit the reception of unwanted, malicious or nuisance calls by end-users. This way, Art. 14 Sec. 1 ePrivacy Regulation shifts the focus away from end-users, which, under Art. 12 ePrivacy Regulation have to safeguard their privacy on their own terms, as for instance by rejecting incoming calls.[9] In light of a higher intensity of interference, emerging from the distinct unwantedness of respective calls, however, this shift appears to be justified.[10]

[9] Cf. Art. 12 No. I.2.b)

[10] Cf. below, Art. 14 No. II.2.d).

The triad of restriction grounds, differentiating between “unwanted, malicious and nuisance calls”, represents a further description of the same issue rather than separate prerequisites. This is confirmed by the version of the original draft [COM(2017) 10 final], which had previously spoken only of “unwanted calls”. In fact, it is hard to draw a clear line between the terms, particularly since many cases qualify for all three attributes. Nuisance calls are regularly as unwanted as they might be malicious. Despite its distinction, Art. 14 Sec. 1 ePrivacy Regulation is therefore to be treated as a single stipulation, covering all cases of unwelcome telephone calls in the manner of a general clause.

a) Calls

Initial prerequisite and general connecting factor within Art. 14 ePrivacy Regulation is the term ‘calls’, which, pursuant to Art. 4 Sec. 1 lit. b ePrivacy Regulation in connection with Art. 2 Sec. 31 EECC, describes a connection established by means of a publicly available interpersonal communications service, and allowing two-way voice communication. Interpersonal communications services, according to Art. 2 Sec. 5 EECC mean services normally provided for remuneration, which enable direct interpersonal and interactive exchange of information between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s). They also include services, which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.[11]

It is questionable whether, besides ‘classical’ number-based interpersonal communications services, electronic communications services are also encompassed by the provision.[12] This issue arises since, on the one hand, the definition of ‘calls’ itself does not differentiate between technical forms of enactment (i.e. encompasses all forms of ‘two-way voice communication’), while Art. 14 ePrivacy Regulation’s orientation with regard to its addressees is limited to number-based communications only. On the other hand, OTT-services today oftentimes perform the same function as ‘classical’ number-based interpersonal communications services and take the same shape (cf. for example WhatsApp or FaceTime voice calling functions), so that from an end-user-perspective, reception of an actual phone-call or an OTT-voice-call does not make any difference.[13] That is particularly because in both cases their phone will display an incoming call, often in a way that is neither visually nor interface-wise distinguishable from the respective other. OTT-calls can, thereby, qualify just as unwanted as ‘regular’ phone-calls and should therefore not be treated differently, based only on their technical prerequisites.[14]

This applies all the more, since electronic communications services are subject to a different legal regime, compared to their number-based counterpart. Pursuant to Art. 16 ePrivacy Regulation, direct marketing communications lacking prior addressee consent are, generally, prohibited. Accordingly, the scope of application narrows down and leaves open important cases like fraud, surveys or private malignance. Moreover, protection within this scope is significantly lower, since such is guaranteed only legally, while Art. 14 Sec. 1 ePrivacy Regulation demands technical protection. From a legislative standpoint, this would create an inexplicable regulatory gap, which is probably not intended, given the comprehensive privacy approach of the ePrivacy Regulation.[15] Indeed, it could be argued that the explicit provision of Art. 16 Sec. 1 ePrivacy Regulation might as well speak in favor of an argumentum e contrario, according to which in the electronic communications sector only marketing related privacy-interferences shall be regulated. This argument, however, cannot stand, because Art. 16 Sec. 3 ePrivacy Regulation itself overrides a respective restriction, including ‘calls’ in the regulatory scope, indicating that it is not intended to limit the regulation of electronic communications to a specific case, but rather to regulate marketing communications regardless of their medium.[16] Recital 33 ePrivacy Regulation supports this view, stating that “the degree of privacy intrusion and nuisance is considered relatively similar, independently of the wide range of technologies and channels”. This, consequently, makes room for a technology-open understanding of Art. 14 Sec. 1 ePrivacy Regulation, encompassing OTT-calls in the frame of application.

Dogmatically, a respective widening of interpretation can be anchored within a teleological extension of the provision, which in view of its wording indicates limitation to number-based interpersonal communications services, however, needs to include OTT-calls with regard to its purpose.

b) Unwanted

The term ‘unwanted’ gives effect to the will of an end-user, whose privacy might be affected in the course of particular calling-behaviors. It, thus, describes both a general programme of the provision and an actual state of mind of the end-user. Since, naturally, an opposing will derives from an end-user´s subjective sensation, determination imposes certain difficulties, if not unequivocally manifested within an externally perceptible form. Consequently, this suggests a two-tier approach, taking into account both (i) the individual will and (ii) general assumptions regarding socially undesirable calling-behavior.[17] With regard to the first step, assessment might recourse on manifestations such as declarations towards the provider or injunctions against the calling party. This approach had already been taken by the ePrivacy Directive, which had only referred to respective requests by the end-user.[18]

Insofar as implied conduct shall play a role, it is necessary that such is both adequately recognizable and clearly interpretable. Taking into account legitimate interests of the provider, which, as a norm addressee must technically enforce a corresponding measure, it is, moreover, necessary that this unfolds in a way, which is noticeable to it. For instance, consideration could be given to an end-user´s rejection of certain callers over a longer period of time. Principally, however, mere action towards the calling party itself does not suffice, as far as such is not sufficiently recognizable (for instance single time rejections or declarations).

In cases where such a will is not clearly determinable, assessment on a second step should take into account general assumptions on social acceptance and desirability of particular calling-behavior. Indeed, this will to a certain extent anticipate the following case-groups of “malicious” and “nuisance” calls. Yet, terminological inaccuracy does not result in a different legal consequence and is therefore negligible. Respective case groups include, for example, repetitive calls, registered numbers of fraudulent callers, spam-lists or decoy calls. Indeed, it is questionable to what extent providers can be obliged to monitor respective lists, since this entails significant economic expenses and, as a result, still does not entirely safeguard privacy.[19] A viable way, however, might be to at least oblige providers to establish company-internal procedures of regular, automatic monitoring and respective blockage according to a specific catalogue of criteria. The mentioned lists of fraudulent, spam or decoy callers, which are publicly available and function on the basis of public registration and evaluation mechanisms, represent reasonable sources for such monitoring and do not overburden service providers in the course of its enactment.

c) Malicious

The term “malicious” was added in the course of the Council´s version, as was the term “nuisance”.[20] It applies to activities aimed primarily to harass, threaten, defraud or otherwise harm an addressee.[21] While such conduct can be simultaneously relevant under criminal law and in tort as repressive means, Art. 14 Sec. 1 Var. 2 ePrivacy Regulation concerns the regulatory approach to prevent it from the outset. According to a 2021 survey the estimated global telecommunications fraud loss amounted up to 40 Billion USD[22], including in particular so-called ‘spoofing’ and call back schemes as main methods of telephone crime[23]. Thus, in addition to their direct effects on privacy, various techniques of infringement of the addressee also have an economic function.

d) Nuisance

Nuisance refers to actions, which are imposed onto the addressee and are perceived as annoying particularly because of their nature and manner.[24] It can emerge from various aspects of calls, as for example their repetition, commercial or other background, the situations, in which a call is made (e.g. at night time) or the specific nature, as for instance fee-required or typically long or short connections. Scholars suggested with regard to the time frame of calls that nuisance unfolds in the course of a period of at least one month, in which calls are being made without sufficient feedback by the end-user and an even smaller time-frame, to the extent that calls are being made at a higher frequency.[25] Addressees have limited choice in whether or not they deal with nuisance calls and are, thus, deprived of their personal and economic resources.[26] In this regard, the opposing will is particularly high, as he or she does not only “not want” to receive these calls, but more importantly feels molested by them. Consequently, nuisance represents an intensification of unwanted calls pursuant to Var. 1.

Withal, it is questionable whether the content of calls must also be taken into consideration. While at first view this might generally be the case, corresponding legislature regarding law of unfair competition holds a different opinion.[27] In view of the specific orientation of the latter, pursuing a market-related triad of purposes, this view may as well be justified.[28] With regard to the fundamental rights oriented design of the ePrivacy Regulation[29], however, a respective restriction is untenable. Rather, the ePrivacy Regulation pursues an encompassing approach to privacy-protection, which includes all aspects of “private and family life, home and communications”.[30] Calls which, because of their moral, ideological, religious or political intent, can unequivocally be labelled as offensive, intrude on a sound private environment and must therefore be considered a nuisance in the sense of Art. 14 Sec. 1 Var. 3 ePrivacy Regulation.

e) Case groups

The following case groups try to provide an overview of techniques most commonly associated with unwanted, malicious and nuisance calls. Indeed, a clear assignment to one or the other term might be difficult. Consequently, these examples should rather be understood as the description of a uniform stipulation, which, despite its conceptual differentiation, does not make any distinction in its legal consequence. What is more, consideration of case-groups in the course of the above introduced two-tier assessment requires an objective feedback, in order to be feasible for service providers. This might either pertain to an explicit notice by the end-user, the registration of related activities within specific company-internal or -external lists or the exceeding of a certain intensity threshold, which practically ‘imposes’ corresponding actions on consideration by the provider.

aa) Fraudulent calls

Fraud related calls encompass various forms of criminally relevant conduct, aimed at causing the victim to dispose of its assets without receiving an economic or social value in return. Victims are deceived in the course of a targeted behaviour that obscures or disguises the actual meaning of the call, keeping them unaware until the actual financial loss.

One common technique is caller ID spoofing, causing a network to indicate a different connected line identification than the one from which the call actually originates. That may particularly include Voice over IP-services, prepaid calling cards or so-called ‘orange boxing’.[31] Fraudsters may this way inter alia pretend to be officials, e.g. from local police stations, accusing the victim of different crimes in order to collect made-up fines[32], utility companies, threatening with disconnection as a means to extort additional fees or promising discounts in the event of a recall[33], medical insurers, to obtain personal data for the purpose of identity theft[34], or family members, targeting elderly people to request wire transfers[35].

bb) Harassing calls

Harassment in the course of malicious calls may appear in various forms. Generally, the quality of malignance, needed to speak of harassment, is diverse and depends on the perception of each addressee. This, at the same time, reveals the difficulty of subsumption under Art. 14 Sec. 1 ePrivacy Regulation, since in individual cases it is not always clear, whether corresponding actions in fact contradict the will of the end user or are still within the bounds of what is tolerable to them. Thus, here as well, a certain feedback to objective indications is needed, allowing for adequate consideration by the service provider.[36]

An example in this context is provided by the act of stalking. It defines activities aimed at interfering with the victim´s privacy in the course of direct or indirect approaches, colliding with its freedom of action and decision.[37] That might include both actions, which are accepted by their addressee, as for instance in family-environments, and such, that are not. In German law, legislation has accounted for that finding by adding the requirements “unauthorised” and “persistent”.[38] Within the framework of Art. 14 Sec. 1 ePrivacy Regulation, objectivation should accordingly provide reference points (e.g. by telephone-number-lists), when these requirements would generally apply.

Further cases include other forms of threatening calls, sexual forms of harassment (so-called telephone scatologia), in which callers confront the victim with obscene language, or prank calls, which particularly in repetitive cases represent serious intrusions of privacy.[39]

cc) Decoy calls

Decoy calls describe a specific procedure, in which calls will only last a short amount of time, regularly just as long, as it takes to evoke a pre-connection to the targeted line and leave a respective note on the recipient´s display, stating he or she “missed a call”.[40] This way, the latter shall be prompted to undertake a recall and, thus, pay for a fee-required connection or be exposed to advertising or sales scenarios.[41] As far as automatic call forwarding is involved, Art. 14 Sec. 2 lit. b ePrivacy Regulation serves as lex specialis. To the extent advertising is involved, Art. 16 ePrivacy Regulation prevails.

dd) Invalid numbers

Calling by invalid numbers, i.e. numbers that do not exist in the numbering plan (cf. Art. 2 Sec. 6 EECC), valid numbers that are not allocated to a provider and valid numbers, that are allocated but not assigned to an end-user, even though enlisted as an example of unwanted, malicious or nuisance calls by Recital 29 ePrivacy Regulation, are not subject to Art. 14 Sec. 1 ePrivacy Regulation. That is, because Art. 14 Sec. 2 lit. a ePrivacy Regulation encompasses these numbers already in the course of requiring providers to make available facilities to the end-user, by which he or she can block respective calls. If providers, however, already needed to exclude calls from reception, this provision would lapse. Calling by invalid numbers, therefore only subsumes under Art. 14 Sec. 2 lit. a ePrivacy Regulation.

ee) Other forms

Other forms of unwanted, malicious and nuisance calls include repetitive calls which are not associated with stalking activities, and calls at inappropriate times. Also, forms of unsolicited commercial calls which are not marketing-related (cf. to that extent Art. 16 ePrivacy Regulation) might be listed here. That pertains to, for example, unsolicited surveys or (purely) informational calls (e.g. by current or former contractual parties).

[11] Insofar Art. 4 Sec. 2 ePrivacy Regulation modifies the EECC´s definition pursuant to Art. 4 Sec. 1 lit. b ePrivacy Regulation in conjunction with Art. 2 Sec. 5 EECC.

[12] Cf. for a definition: Art. 4 Sec. 1 lit. b ePrivacy Regulation in connection with Art. 2 Sec. 4 EECC.

[13] As regards their usage: https://faq.whatsapp.com/android/voice-and-video-calls/how-to-make-a-voice-call/?lang=en and https://support.apple.com/en-us/HT204380, last retrieved 14 March 2022; details on the term of ‘OTT-services’ under Art. 1 No. II.1.

[14] With regard to the ‘technology-neutral’ approach of both ePrivacy Regulation and corresponding definitions within the EECC, see Rec. 14 ePrivacy Regulation and Rec. 14 EECC.

[15] Cf. Art. 1 Secs. 1, 2 ePrivacy Regulation and its corresponding Recs. 1 – 6.

[16] Cf. in this regard Rec. 33 ePrivacy Regulation.

[17] Indeed, social aspects as well as an assessment of objective interests dogmatically rather speak in favor of a consent requirement than an individually opposing will, cf. Ohly, in: Ohly/Sosnitza, Gesetz gegen den unlauteren Wettbewerb (2016), § 7 Rec. 32. However, consent is not laid down in Art. 14 ePrivacy Regulation and the explicit requirement within Art. 16 Sec. 1 ePrivacy Regulation indicates, to the contrary that such was not wanted either. Thus, it seems preferable to incorporate a respective assessment within the determination of an opposing will.

[18] Cf. Rec. 37 ePrivacy Directive.

[19] With respect to the same question, regarding so-called “Robinson lists” in the context of marketing, cf. Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 115.

[20] Version of 10 February 2021, 6087/21.

[21] Cf. https://en.wikipedia.org/wiki/Malicious_caller_identification, last retrieved 14 March 2022.

[22] Communications Fraud Control Association (‘CFCA’), Fraud Loss Survey Report 2021, p. 53, available at https://cfca.org/wp-content/uploads/2021/12/CFCA-Fraud-Loss-Survey-2021-2.pdf, last retrieved 14 March 2022.

[23] CFCA, ibid., p. 55; for details on case groups and techniques, as well as measures in order to seize or limit respective activities see below under II.2.e) and II.3.

[24] Ohly, ibid., § 7 Rec. 24; with regard to a telecommunications-specific interpretation under § 101 of the former German Telecommunications Act (TKG), compare Kannenberg/Müller, in: Scheurle/Mayen, TKG (2018), § 101 Rec. 13.

[25] Cf. in that regard, Kannenberg/Müller, ibid., § 101 Rec. 17.

[26] Köhler, ibid., § 7 Rec. 19.

[27] Ohly, ibid.

[28] Ohly, ibid., § 1 Rec. 10 with reference to CJEU, decision of 28 January 1999, C-77/97 – Unilever, Rec. 26; CJEU, decision of 13 January 2000, C-220/98 – Lifting-Creme, Rec. 25; cf. also Köhler, ibid., Rec. 19.

[29] Cf. Art. 1 ePrivacy Regulation and Recs. 1 et seqq; corresponding remarks are also made already under No. I.

[30] Rec. 1 ePrivacy Regulation.

[31] For details, see https://en.wikipedia.org/wiki/Caller_ID_spoofing, last retrieved 14 March 2022.

[32] Polizei Hamburg, Call-Center-Betrug – Falsche Polizeibeamte, https://www.polizei.hamburg/falsche-polizeibeamte/11198102/callcenterbetrug-a/, last retrieved 14 March 2022; MDR, Telefonbetrug und Trickbetrug durch falsche Polizisten, 22 February 2022.

[33] Cf. Beck-aktuell, Bundesnetzagentur unterbindet Spam-Anrufe mit Lockangeboten zu kostenlosen Stromlieferungen, 30 April 2008.

[34] On identity theft in general: Peeters, MMR 2005, p. 415 ff.

[35] BR 24, Geiselbach: Telefonbetrüger erleichtern Seniorin um 200.000 Euro, 16 August 2021.

[36] Cf. No. II.2.d) et seq.

[37] Gericke, in: Münchener Kommentar zum StGB (2021), § 238 Rec. 17.

[38] Cf. § 238 Sec. 1 German Penal Code (StGB).

[39] Colman, Oxford Dictionary of Psychology (2008), available at https://www.oxfordreference.com/view/10.1093/acref/9780199534067.001.0001/acref-9780199534067-e-8311, last retrieved 14 March 2022.

[40] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 128b.

[41] Ibid.

According to Art. 14 Sec. 1 ePrivacy Regulation, providers of number-based interpersonal communications services shall deploy “state of the art measures” to limit reception of unwanted, malicious or nuisance calls by end-users. Firstly, that concerns so-called malicious caller identification (MCI), which, if activated by insertion of a specific code into the telephone-keyboard directly after a respective call, records metadata for police follow-up.[42] Pursuing a high data protection standard, data is oftentimes forwarded only to law enforcement authorities and not to the call-recipient itself.[43] This technique, hence, correlates with Art. 14 Sec. 1a ePrivacy Regulation’s requirement of transparent procedures to override calling line identification restriction (CLIR). Indeed, the effect envisioned by Art. 14 Sec. 1 ePrivacy Regulation, to limit reception of calls, is, thus, only achieved indirectly, i.e. with regard to possible future calls, which the provider will then be able to block in advance.[44] MCI must therefore be supplemented with complementary measures, identifying unwanted calls and blocking them automatically. As already mentioned before, these might draw on both respective requests by subscribers and public or company-internal lists with registered numbers associated with a malicious history.[45] It is also conceivable to apply automatisms detecting fraudulent or decoying behavior and preventing their succession. Finally, as regards repetitive calls, such an automatism might limit repetitions to a certain amount in a defined time-frame and block exceeding calls, respectively.

[42] Cf. https://en.wikipedia.org/wiki/Malicious_caller_identification, last retrieved 14 March 2022.

[43] Differently however § 14 Secs. 1, 2 German Telecommunications Telemedia Data Protection Act (TTDSG).

[44] Cf. to that extent § 14 German TTDSG.

[45] Cf. No. II.2.a).
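
The complementary measures described above (lookups against lists of registered numbers and a limit on repetitions within a defined time-frame), combined with the end-user blocking facilities of Sec. 2 lit. a, can be sketched as one screening decision. This is an added Python illustration, not part of the commentary or of any provider's system; the class names, the limit of three calls per hour and all phone numbers are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values: the commentary names no concrete figures.
REPEAT_LIMIT = 3                     # delivered calls per caller/callee pair
REPEAT_WINDOW = timedelta(hours=1)   # sliding window for that limit


@dataclass
class Call:
    caller: str          # network-provided number, known to the provider even under CLIR
    callee: str
    at: datetime
    clir: bool = False   # caller withheld presentation of the number


@dataclass
class SubscriberPrefs:
    """Blocking facilities of Sec. 2 lit. a, configured by the called end-user."""
    blocked_numbers: set = field(default_factory=set)
    blocked_prefixes: tuple = ()
    block_anonymous: bool = False


class CallScreen:
    def __init__(self, listed_numbers, limit=REPEAT_LIMIT, window=REPEAT_WINDOW):
        self.listed = set(listed_numbers)    # public or internal list of reported numbers
        self.limit = limit
        self.window = window
        self.prefs = {}                      # callee -> SubscriberPrefs
        self.delivered = defaultdict(deque)  # (caller, callee) -> delivery times

    def decide(self, call):
        """Return (action, reason) so every block can be explained to the end-user."""
        prefs = self.prefs.get(call.callee, SubscriberPrefs())
        # 1. End-user facilities: anonymous sources, specific numbers, prefixes.
        if call.clir and prefs.block_anonymous:
            return ("block", "subscriber: anonymous source")
        if call.caller in prefs.blocked_numbers:
            return ("block", "subscriber: specific number")
        if call.caller.startswith(prefs.blocked_prefixes):
            return ("block", "subscriber: prefix")
        # 2. Provider measure: number registered on a list with a malicious history.
        if call.caller in self.listed:
            return ("block", "provider: listed number")
        # 3. Provider measure: sliding-window limit on repetitions.
        recent = self.delivered[(call.caller, call.callee)]
        while recent and call.at - recent[0] >= self.window:
            recent.popleft()                 # forget deliveries older than the window
        if len(recent) >= self.limit:
            return ("block", "provider: repetition limit")
        recent.append(call.at)               # only delivered calls count towards the limit
        return ("allow", "delivered")


def demo():
    """Run constructed sample calls (fictional numbers) through the screen."""
    t0 = datetime(2022, 3, 14, 9, 0)
    minutes = lambda m: t0 + timedelta(minutes=m)
    end_user = "+99920000001"
    screen = CallScreen(listed_numbers={"+99911110000"})
    screen.prefs[end_user] = SubscriberPrefs(
        blocked_numbers={"+99930000001"},
        blocked_prefixes=("+9990900",),
        block_anonymous=True,
    )
    calls = [
        Call("+99940000001", end_user, minutes(0)),
        Call("+99940000001", end_user, minutes(10)),
        Call("+99940000001", end_user, minutes(20)),
        Call("+99940000001", end_user, minutes(30)),   # fourth call within the hour
        Call("+99940000001", end_user, minutes(61)),   # first delivery has aged out
        Call("+99950000001", end_user, minutes(62), clir=True),
        Call("+99930000001", end_user, minutes(63)),
        Call("+99909001234", end_user, minutes(64)),
        Call("+99911110000", end_user, minutes(65)),
    ]
    return [screen.decide(c) for c in calls]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:5}  {reason}")
```

Because every decision carries its reason, the provider can show the end-user why a call was not delivered, which matters where blocking rests on a list entry or threshold rather than on the end-user's own request.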

Pursuant to Art. 14 Sec. 1a ePrivacy Regulation, Member States are requested to pass delegated acts, establishing transparent procedures and defining circumstances under which providers of number-based interpersonal communication services shall “override, or otherwise address, the elimination of the presentation of the calling line identification on a temporary basis, where end-users request the tracing of unwanted, malicious or nuisance calls”. This pertains to the mechanism of so-called malicious caller identification (MCI), which, besides allowing the recording of metadata, such as time and duration of a call, encompasses the calling line identification itself, i.e. the telephone number.[46] Since the latter also allows for an identification of the related subscriber, it represents an original provision of data protection law in the sense of Art. 1 Sec. 3 ePrivacy Regulation, which, from a conflict of laws perspective, corresponds to Art. 95 GDPR.[47]

The provision takes over the stipulation of its preceding Art. 10 lit. a ePrivacy Directive. In Germany a transposing provision had been installed within §§ 14 and 15 Sec. 2 Telecommunications, Telemedia and Data Protection Act (TTDSG), both in regard to malicious or nuisance and marketing calls. Art. 14 Sec. 1a ePrivacy Regulation corresponds this regulation to the extent that it explicitly covers non-marketing-related calls (cf. in this regard No. I.) and requires a formal request by the end-user on the tracing of unwanted, malicious or nuisance calls.

The elimination of calling line identification presentation restriction (‘CLIR’), affects privacy to the calling party itself and represents an exception to the rights pursuant to Art. 12 Sec. 1 lit. a ePrivacy Regulation.[48] Consequently, interpretation of the requirements pursuant to Art. 14 Sec. 1a ePrivacy Regulation must be strict and determine, to what extend an intrusion into the end-user´s privacy is, actually, present.[49] That applies all the more, since many Member States (as for example Germany) experienced extensive privatization of service providers, subsequent to which no longer any official control according to procedural standards of the rule of law applies.[50] This, in turn, requires private procedural standards, both safeguarding and balancing out rights and interests of the concerned parties. Indeed, Art. 14 Sec. 1a ePrivacy Regulation generally leaves significant leeway for national legislation as of how such procedures should be designed. Nevertheless should national provisions stipulate rather strict standards, in particular to the extent that MCI does not apply in any case and immediately starting from the first end-user-request, but rather requires appropriate preparation in terms of assessment, validation and general procedural feedback by the service provider.[51] Accordingly, national provisions should require at least two requests pertaining to an initial (formal) request, initiating established provider-internal procedures and a second (informal) request, triggering the actual MCI.

This approach, at the same time, limits misuse, to the extent that not only the party concerned but also the requesting party can be inspected and that an adequate “barrier of implementation” applies. Optimally, regulation will in this regard require applicants to narrow down possible callers at least with respect to time and date of the call. In terms of length and duration, Art. 14 Sec. 1a ePrivacy Regulation stipulates that MCI should be available “on a temporary basis”. In order to meet general requirements of proportionality, that means MCI should be adjusted to the intensity of the disturbance. The latter needs to be determined in the course of an overall assessment, taking into account all circumstances of the individual case as presented by the applicant. This might, for instance, result in a finding distinguishing between private and company requests, since from a purely economic point of view costs of unwanted, malicious and nuisance calls and related disturbances of work processes might be significantly higher.[52]

As regards costs of implementation, national provisions might want to allow for additional fees in the amount of standard market rates. These can be higher than the actual costs, i.e. include a profit, particularly since the respective services usually include a high proportion of manually provided services.[53] Subsequent to a first implementation “switching on” MCI, however, tariffs might decrease in accordance with the existing market standard.[54] Prices should also include possible involvement of third-party service providers, which will need to take part any time MCI pertains to a provider different from that of the requester.

Finally, legislation should, with regard to the procedural principle of equality of arms, consider implementing procedures notifying concerned callers about MCI, as far as such notices do not conflict with justified and overriding interests of the applicant.[55] Only then is the caller able to seek legal protection itself.[56]

[46] Cf. already under No. II.3; further details under https://de.wikipedia.org/wiki/Fangschaltung, last retrieved 14 March 2022.

[47] In this respect, Kühling/Raab, in: Kühling/Buchner, DSGVO/BDSG (2020), Art. 95 Rec. 5 et seqq.

[48] Cf. Art. 12 No. I.2.a).

[49] Cf. German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Datenschutz und Telekommunikation (Info 5), p. 30.

[50] Deutsche Welle, Privatisierung oder: Wenn sich der Staat zurückzieht, available at https://www.dw.com/de/privatisierung-oder-wenn-sich-der-staat-zurückzieht/a-59567488; Kespohl, 25 Jahre Deutsche Telekom AG – vom öffentlichen Unternehmen zur Aktiengesellschaft, available at https://www.telekom.com/de/medien/medieninformationen/detail/25-jahre-deutsche-telekom-ag-589914, both last retrieved 14 March 2022.

[51] According to § 14 Sec. 1 TTDSG, for instance, that requires examination of a “coherent assertion” by the end-user, as opposed to an assessment, whether the alleged malignance or nuisance actually exists, cf. Kannenberg/Müller, in: Scheurle/Mayen, TKG (2018), § 101 Rec. 9.

[52] Kannenberg/Müller, ibid., § 101 Rec. 31 suggest limiting private requests to a duration of one month and company requests to six months.

[53] Kannenberg/Müller, ibid., § 101 Rec. 4, stating a fee of fifty Euro per MCI as adequate.

[54] Ibid.

[55] With respect to the principle of equality of arms, see Köhler/Feddersen, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 12 Rec. 2.23 et seqq.

[56] Kannenberg/Müller, ibid., § 101 Rec. 43.

Art. 14 Sec. 2 ePrivacy Regulation supplements the provider-centered stipulations pursuant to Secs. 1 and 1a, requiring providers to offer specific facilities for the end-user, which allow both blocking calls originating from specific numbers and stopping automatic call forwarding by a third party.[57] The Article corresponds to Arts. 8 Sec. 3 and 11 ePrivacy Directive and at the same time expands end-users’ possibilities in the light of Art. 12 Sec. 1 ePrivacy Regulation.[58]

[57] Cf. No. II.1.

[58] Cf. Art. 12 No. I.2.a).

According to Art. 14 Sec. 2 lit. a ePrivacy Regulation, providers of number-based interpersonal communications services[59] shall provide called end-users with the possibility (free of charge and subject to technical feasibility) to block incoming calls from specific numbers, from anonymous sources or from numbers using a specific code or prefix referred to in Art. 16 Sec. 1 lit. a ePrivacy Regulation. In conjunction with Art. 12 Sec. 1 lit. c ePrivacy Regulation, allowing for rejection in cases of CLIR[60], end-users can hence decide entirely for themselves which calls they want to accept and which they would like to decline.

a) Blocking incoming calls

Blocking of incoming calls may be implemented in various ways. Generally, it refers to facilities limiting reception of calls at the discretion of their recipients. Thus, Art. 14 Sec. 2 lit. a ePrivacy Regulation is based on the end-user’s own responsibility, in contrast to Sec. 1, which places the onus solely on the providers. Blocking may take the form of various methods and devices, targeted either to prevent a call from being put through in the first place, to reject calls as they are in progress (i.e. before accepting them), or to block a number subsequent to a call or calling attempt.[61] When applied to land lines, for instance, it may make use of external devices connected to the phone or line of the end-user, providing specific settings and options to block a number.[62] With regard to cell phones, particularly smartphones, the respective facilities are regularly available directly within the device’s settings.[63] Moreover, blocking relies on the calling line identification presentation (‘CLIP’) and thus requires a respective recognition service.[64] When applied, it may send the caller to the end-user’s voice mail, signal that the end-user is currently connected to another line, play an announcement that the number is no longer in service or even signal further “ringing”.[65]

With regard to the breadth of the term in common parlance, ‘blocking’ a call must be delimited from the more specific method of ‘rejecting’ a call, pursuant to Art. 12 Sec. 3 ePrivacy Regulation.[66] Blocking will most regularly refer to a permanent technique of protection and limit initial call reception. Rejecting calls, by contrast, refers to a single or punctual application, whenever calls are already “put through”.[67]

b) Specific numbers, Art. 14 Sec. 2 lit. a Var. 1

Pursuant to Rec. 29 ePrivacy Regulation, the term ‘specific numbers’ refers to invalid numbers, i.e. numbers that do not exist in the numbering plan, valid numbers that are not allocated to a provider of a number-based interpersonal communications service and valid numbers that are allocated but not assigned to an end-user. Consequently, the provision is designed to protect the end-user against malicious or nuisance calls that are set up to misuse the end-user’s good faith in the regularity of an incoming call, whatever the specific motivation behind it. Since, in addition to irregular calls, calls from specific numbers might also intrude upon an end-user’s privacy when made by parties rejected for certain (e.g. personal) reasons, the term must be interpreted broadly, allowing for a comprehensive rejection facility, open for use at the end-user’s sole discretion. This will, at the same time, not unduly interfere with the interests of the calling party, since there is, conversely, no right to be connected to a specific line or person.

c) Anonymous sources, Art. 14 Sec. 2 lit. a Var. 2

End-users shall be able to block incoming calls from anonymous sources. Accordingly, Art. 14 Sec. 2 lit. a Var. 2 ePrivacy Regulation overlaps with Art. 12 Sec. 1 lit. c ePrivacy Regulation to the extent that sources remain anonymous because CLIR has been applied and the called end-user is therefore unable to identify the calling party.[68] Here, the latter represents the more specific provision with regard to the technique of rejecting calls, while a general and more encompassing blocking pertains to the former.[69] However, anonymous calls might occur for various reasons, as for instance in cases where the calling party uses invalid numbers, which de facto do not correspond to an identifiable person (cf. Recital 29 ePrivacy Regulation). Either way, the concerned end-user’s privacy is affected, since he or she is being deprived of the ability to decide on a sound basis whether to take or decline a call. Moreover, insofar as reasons to disguise the origin of a call will additionally represent a certain burden to the end-user, this finding is further confirmed. Conversely, Art. 14 Sec. 2 lit. a Var. 2 ePrivacy Regulation (as all stipulations under Art. 14 Sec. 2) protects not only the privacy pursuant to Art. 7 CFR itself, but also the general freedom of action.[70]

d) Numbers using a specific code or prefix, Art. 14 Sec. 2 lit. a Var. 3

According to Art. 16 Sec. 3a ePrivacy Regulation, Member States should require natural or legal persons using electronic communications services for the purposes of placing direct marketing calls to present a specific code or prefix identifying the fact that the call is a direct marketing call. Prefixes, e.g. in Germany, already apply on a voluntary basis, regularly associated with specific advantages, as for instance a fee requirement (e.g. “0800”, “0900” or “01805” numbers).[71] Under Art. 14 Sec. 2 lit. a Var. 3 ePrivacy Regulation, such prefixes will now become obligatory. This way, the norm supplements Art. 16 ePrivacy Regulation, which does not itself provide for a respective facility.[72]

[59] For details, see No. II.1.

[60] For details on this term, see Art. 12 No. I.1.

[61] Consumer Reports, Robocall blocker review, 14 August 2015, available at https://www.consumerreports.org/cro/magazine/2015/07/robocall-blocker-review/index.htm, last retrieved 14 March 2022.

[62] Ibid.

[63] That pertains both to number-based interpersonal communications services (i.e. regular phone calls) and, by way of analogy, to OTT calls, cf. above pursuant to No. II.2.a); with regard to different blocking settings on both iOS and Android phones, see https://support.apple.com/de-de/guide/iphone/iphe4b3f7823/ios; https://www.businessinsider.com/how-to-block-a-number-on-android, last retrieved 14 March 2022.

[64] https://en.wikipedia.org/wiki/Call_blocking, last retrieved March 14 2022.

[65] Ibid.

[66] Cf. Art. 12 No. I.2.b).

[67] Ibid.

[68] Cf. Art. 12 No. I.2. et seqq.

[69] Cf. No. IV.1.a).

[70] Cf. Streinz, in: Streinz, EUV/AEUV (2018), Art. 6 GRC, Rec. 3 et seqq.; Wolff, in: Pechstein/Nowak/Häde, Frankfurter Kommentar (2017), Art. 6 GRC, Rec. 16; the general freedom of action, indeed, lacks regulation by the CFR. It does, however, find manifestation within the CJEU’s judgment of 21 September 1989, C-46/87 and C-227/88 – Hoechst, Rec. 19, according to which “in all the legal systems of the Member States, any intervention by the public authorities in the sphere of private activities of any person, whether natural or legal, must have a legal basis and be justified on the grounds laid down by law, and, consequently, those systems provide, albeit in different forms, protection against arbitrary or disproportionate intervention.”

[71] Cf. tariff listing of German Telecom, https://servicenummern.telekom.de/weitere-informationen/anrufertarife/.

[72] With regard to the sensibility of this approach, cf. explanations under No. I.
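The three end-user blocking options of Art. 14 Sec. 2 lit. a discussed above (specific numbers, anonymous sources, prefixes), together with the repetition limit mentioned for Sec. 1, can be sketched as a provider-side screening routine for one called line. This is an added example, not part of the commentary; the class names, the prefix "+000999", the sample numbers and the limit of three connected calls per ten minutes are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EndUserSettings:
    """Blocking options chosen by the called end-user (hypothetical model)."""
    blocked_numbers: set = field(default_factory=set)  # Var. 1: specific numbers
    block_anonymous: bool = False                      # Var. 2: anonymous sources
    blocked_prefixes: tuple = ()                       # Var. 3: code or prefix


class CallScreen:
    """Decides, before a call is put through, whether to block it."""

    def __init__(self, settings, max_calls=3, window_s=600):
        self.settings = settings
        self.max_calls = max_calls            # assumed repetition limit
        self.window_s = window_s              # assumed time frame in seconds
        self._connected = defaultdict(deque)  # caller -> times of connected calls

    def decide(self, caller_id: Optional[str], ts: float):
        """caller_id is None when no calling line identification is presented."""
        s = self.settings
        if caller_id is None:
            # No identifier, so list, prefix and repetition checks cannot apply.
            if s.block_anonymous:
                return ("block", "anonymous")
            return ("allow", "anonymous-not-blocked")
        if caller_id in s.blocked_numbers:
            return ("block", "specific-number")
        if s.blocked_prefixes and caller_id.startswith(s.blocked_prefixes):
            return ("block", "prefix")
        recent = self._connected[caller_id]
        while recent and ts - recent[0] >= self.window_s:
            recent.popleft()                  # forget calls outside the window
        if len(recent) >= self.max_calls:
            return ("block", "repetition-limit")
        recent.append(ts)                     # only connected calls are counted
        return ("allow", "ok")


# Constructed sample: (seconds since start, presented number or None).
# "+000" is not an assigned country code, so these numbers cannot be real.
SAMPLE_CALLS = [
    (0, "+0005550001"), (60, "+0005550001"), (120, "+0005550001"),
    (180, "+0005550001"),   # fourth call within ten minutes
    (200, None),            # identification withheld
    (210, "+000999123456"), # carries the assumed marketing prefix
    (220, "+0005550099"),   # on the end-user's own block list
    (601, "+0005550001"),   # first call has left the window again
]


def run_sample():
    settings = EndUserSettings(blocked_numbers={"+0005550099"},
                               block_anonymous=True,
                               blocked_prefixes=("+000999",))
    screen = CallScreen(settings)
    return [screen.decide(cid, ts) for ts, cid in SAMPLE_CALLS]


if __name__ == "__main__":
    for call, result in zip(SAMPLE_CALLS, run_sample()):
        print(call, "->", result)
```

Blocking on the presented number presupposes a CLIP recognition service, which is why withheld identification can only be handled as a class and not rate-limited per caller.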

Art. 14 Sec. 2 lit. b ePrivacy Regulation obliges providers of number-based interpersonal communications services[73] to provide the called end-user with the possibility to stop automatic call forwarding by a third party to their terminal equipment. It corresponds to the preceding Art. 11 ePrivacy Directive, which had already addressed the issue and made the respective facilities subject to a “simple request” by the subscriber towards the provider.[74] As far as no alternative means of protection are available, i.e. means that the end-user can apply without additional involvement of the provider, this approach remains valid under Art. 14 Sec. 2 lit. b ePrivacy Regulation. A respective service, moreover, must be provided free of charge.

a) Third parties

The protective purpose of Art. 14 Sec. 2 lit. b ePrivacy Regulation relates solely to the called end-user. ‘Third party’ in this context refers to a person who is different from both the called end-user and the caller. Since call forwarding will oftentimes take place in the course of a commercial agreement between the forwarding and the calling party, the term must, however, not be interpreted strictly, i.e. in a way that excludes such agreements and refers only to parties forwarding on an unrelated basis. Rather, only those persons will not qualify as ‘third parties’ who are located ‘in the sphere’ of the calling party, i.e. in an actual proximity relationship of a familial, private or work-related kind, since forwarding then equals a direct call by the latter itself.[75] Conversely, it is likewise improper to speak of a third party if a call reaching the targeted line is forwarded by a telephone exchange office on the premises of the called party (e.g. in larger companies or public institutions). In this case, on the one hand, the person forwarding the call does not act independently but rather ‘from within the sphere’ of the called party and is thus equated with the latter and, on the other hand, falls outside the protective purpose of Art. 14, which is specifically and solely tailored to the privacy of the called party (cf. above).

b) Automatic call forwarding

Automatic call forwarding only refers to the act of transmitting an initiated call to a specific line, i.e. not the activity of initiating the call itself. This results both from the explicit wording, which deviates from a legislatively noted definition in Art. 4 Sec. 3 lit. h ePrivacy Regulation (‘automated calling and communication systems’), and from the explanation of the preceding stipulation of Art. 11 ePrivacy Directive within its Rec. 37 S. 2, speaking of calls “passed on to [subscribers’] terminals”. By its wording, the legislator also defines that only ‘automatic’ forwarding qualifies under Art. 14 Sec. 2 lit. b ePrivacy Regulation, excluding forwarding that is made on a punctual and individual basis.[76] Forwarding must, hence, be configured to apply in general or with regard to specific calls and must not be implemented manually or on a case-by-case basis. Consequently, a significant regulatory gap opens up, since on the one hand called end-users have a justified interest in not being bothered by forwarded calls and on the other hand calling parties, too, may want to decide whether their call will be diverted. With regard to the latter, further explanations are made in the context of Art. 12 Sec. 1 lit. d ePrivacy Regulation. Here, a filling of the gap is proposed by way of analogy.[77] With regard to the former, however, the more plausible assumption is that the legislator left open protection of the end-user deliberately, since otherwise it would not have applied the specific wording of “automatic call forwarding”. Indeed, this discrepancy might seem contradictory at first sight. Yet it is justified by the fact that a punctual forwarding under presentation of the connected line (CLIP) by the calling side represents a low intensity of privacy intrusion (or even a socially accepted action), since it is comprehensible to the called end-user, whereas on the other side, the same action from the point of view of the calling party (particularly if no announcement or signal prior to the act is played) is not comprehensible.

[73] For details, see No. II.1.

[74] Recital 37 ePrivacy Directive.

[75] In the broadest sense, this approach is based on the German criminal law theory of “spheres” and “permissions” pursuant to § 263 German Penal Code (StGB), cf. in that regard Hefendehl, in: Münchener Kommentar zum StGB (2019), § 263, Rec. 357 et seqq.

[76] Cf. also https://de.wikipedia.org/wiki/Rufumleitung, last retrieved 14 March 2022.

[77] Cf. Art. 12 No. I.2.b).
