ePrivacy: Exceptions for Emergency Services
Exceptions for Emergency Services [Art 10]
Rule: Privacy protections for calling line identification and location data can be overridden for emergency services and lawful interception purposes.
Core Principle
Article 10 creates exceptions to privacy rules when necessary for:
- Emergency services to respond effectively
- Law enforcement to trace malicious calls
- Public safety organizations to fulfill their functions
Override of Caller ID Restrictions [Art 10(1)]
Member States must ensure that calling line identification is provided regardless of user preferences to:
| Organization Type | Purpose | Legal Basis |
|---|---|---|
| Emergency services | Responding to emergency calls | Art 10(1) |
| Recognized emergency organizations | Handling emergency situations | Art 10(1) |
| Law enforcement agencies | Investigating crimes | Art 10(1) |
| Ambulance services | Medical emergencies | Art 10(1) |
What this means:
- Caller ID blocking is automatically overridden when calling emergency numbers
- Emergency responders can see the calling number even if hidden
- Works for both per-call and per-line caller ID restrictions
Emergency Call Examples
Typical emergency services:
- 112 (European emergency number)
- 999 (UK emergency services)
- National equivalents
- Poison control centers
- Crisis helplines (where recognized as emergency services)
Location Data for Emergency Services [Art 10(2)]
Member States may provide for location data to be processed:
- For emergency services to determine caller location
- Without user consent
- To improve emergency response times
Technologies covered:
- Mobile phone location tracking
- GPS coordinates
- Cell tower triangulation
- Wi-Fi positioning
- VoIP call origin data
Malicious Call Tracing [Art 10(3)]
Article 10(3) allows temporary override of privacy protections for tracing malicious or nuisance calls.
Requirements:
- Must be done on a per-line basis
- Requires consent of the subscriber
- Used for specific investigation of particular calls
Process:
- Subscriber reports malicious calls
- Subscriber consents to tracing
- Provider temporarily disables privacy restrictions
- Malicious caller identified
- Information provided to authorities
Examples of malicious calls:
- Harassment or threatening calls
- Bomb threats
- Fraud attempts
- Persistent nuisance calling
Absence of Consent [Art 10(4)]
Member States may provide rules for overriding consent requirements when:
- User consent is temporarily denied
- User consent is absent
- For communications to emergency organizations
Application:
- Unconscious caller cannot give consent for location tracking
- Child calling emergency services
- Accidental emergency calls
Who Qualifies as “Emergency Organization”?
Must be recognized by a Member State as dealing with emergencies. This typically includes:
Always included:
- Police forces
- Fire services
- Ambulance services
- Coast guard
May be included (if recognized):
- Mountain rescue
- Cave rescue
- Lifeboat services
- Air ambulance
- Suicide prevention hotlines
- Domestic violence helplines
Limitations and Safeguards
Purpose limitation:
- Data only used for emergency response
- Not for general surveillance
- Cannot be retained longer than necessary
Proportionality:
- Override only when necessary
- Least intrusive means
- Limited to specific emergency situation
Security:
- Emergency organizations must protect data
- Access restricted to authorized personnel
- Logging and audit trails required
Relationship with GDPR
Article 10 exceptions must still comply with:
- GDPR Article 6 (lawful basis for processing)
- GDPR Article 9 (special category data, if applicable)
- Data minimization principles
- Purpose limitation
Legal basis: Typically relies on:
- Vital interests (GDPR Article 6(1)(d))
- Public interest/official authority (GDPR Article 6(1)(e))
Member State Implementation
National laws specify:
- Which organizations qualify as “emergency services”
- Procedures for malicious call tracing
- Technical requirements for location data
- Complaint mechanisms
Practical Examples
Scenario 1: Emergency call with blocked caller ID
- User has per-line caller ID blocking active
- Calls 112 (emergency services)
- Result: Caller ID automatically revealed to emergency dispatcher
Scenario 2: Mobile emergency call
- Person calls from mobile phone
- Cannot verbally provide location
- Result: Network provides approximate location to emergency services
Scenario 3: Malicious calls investigation
- Subscriber receives threatening calls
- Consent to call tracing
- Result: Provider logs next incoming calls to identify source
Scenario 4: Unconscious caller
- Person accidentally dials emergency services
- Cannot speak or consent
- Result: Location data processed anyway to send help
Penalties
Non-compliance by service providers:
- Failing to override caller ID for emergencies
- Not providing location data when required
- Unauthorized use of exception powers
- Result: Regulatory fines, enforcement action
Citation
Article 10, ePrivacy Directive