On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).
These opinions are non-binding, but nevertheless indicate how regulators will seek to interpret the existing legal framework and influence the reform of the future legal framework on ePrivacy matters.
The main recommendations of the Working Party with regard to the review of the ePrivacy Directive include:
- Extended scope. The scope of the ePrivacy Directive should be extended from the traditional telecom providers to cover new types of Voice over IP services, including instant messaging, webmail and messaging in social networks. In addition, the Working Party recommends clarifying the definitions of “public electronic communications network” and “electronic communications services” to reflect the infrastructure of today’s communication networks. The Working Party also recommends clarifying the term “publicly accessible private communication networks” to expand the application of the confidentiality protections of the ePrivacy Directive to all publicly available networks and services such as Wi-Fi services in hotels and shops, networks offered by universities and hotspots.
- Confidentiality. According to the Working Party, the confidentiality protections of the ePrivacy Directive should be improved to protect users against interception of the content of their communication, regardless of whether it concerns direct electronic communications between users or within a defined user group (e.g., a conference call or webcast). Furthermore, interception should be interpreted broadly to include the injection of unique identifiers. Moreover, the Working Party recommends merging the currently separate provisions on traffic and location data to create a harmonized consent requirement for the processing of metadata.
- Consent. Given the sensitive nature of communications data, the Working Party believes that prior user consent should remain a key principle in the ePrivacy context regarding the collection of metadata, content data and tracking techniques. To ensure consistency with the GDPR, the future ePrivacy framework should clearly refer to the GDPR provisions, specifying the definition, conditions and forms of the consent. According to the Working Party, “take it or leave it” approaches that do not give users free choice regarding processing rarely meet the requirements for freely given consent. Therefore, forced consent should be prohibited (e.g., tracking by unidentified third parties for unspecified purposes and non-granular consent bundled with multiple purposes). The Working Party recommends that instead of relying on website operators to obtain consent on behalf of third parties (such as advertising and social networks), manufacturers of browsers and other software or operating systems should be encouraged to offer Do Not Track controls to allow users to withdraw consent.
- Cookies. According to the Working Party, the cookie rules should be rephrased to be as technologically neutral as possible in order to capture tracking techniques used on smartphones and Internet of Things applications, including ‘passive tracking.’ The Working Party seeks to ensure that the rules governing the collection of information from user devices do not depend on the kind of device owned by the user nor on the technology employed by an organization, especially with respect to the use of information for marketing and market analysis purposes. The cookie consent requirements should also apply when the data is not stored on the terminal equipment, but made available through the device and processed elsewhere. The Working Party nevertheless invites the European Commission to consider circumstances in which cookie consent will not be required due to the minor impact on the rights of users, such as when anonymization techniques are used to immediately and irreversibly anonymize data during collection on the device, or on the endpoints of the network or sensors.
- Direct marketing. The Working Party recommends updating the rules on unsolicited communications to require prior consent of the user for sending any type of unsolicited communications independent of the means (e.g., electronic mail, behavioral advertising, voice or video calls, fax, text and direct-messaging). In addition, users must be able to revoke their consent easily and free of charge, without stating a reason, via simple means that have to be indicated in each subsequent communication. The commercial purpose of the communication should be clearly identified at the beginning of the communication. According to the Working Party, the currently applicable opt-out exception for sending marketing communications to existing customers for similar products and services should be limited to a reasonable amount of marketing communications so that senders do not bombard users with an excessive number of marketing calls or messages.
- Deletion of specific data breach notification. The ePrivacy Directive contains sector-specific breach notification requirements applicable to telecom providers and Internet service providers. To avoid duplicative notifications, the Working Party recommends simplifying the process to require the notification of supervisory authorities under the GDPR regarding all data breaches involving personal data.
- Enforcement. The Working Party believes it should be clarified that the supervisory authorities under the GDPR will also have jurisdiction on ePrivacy matters involving personal data to ensure consistent enforcement and harmonization of sanctions.
The EDPS makes recommendations similar to those of the Working Party with respect to the review of the ePrivacy Directive. In particular, the EDPS recommends that:
- the scope of the ePrivacy Directive be extended to all forms of electronic communications irrespective of network or service used;
- the updated rules should ensure that the confidentiality of users is protected on all publicly accessible networks;
- no communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting or other technological means;
- communications should not be tracked or monitored, except with users’ freely given consent;
- the current consent requirement for traffic and location data should be strengthened;
- the existing rules on unsolicited communications should be updated to strengthen the consent requirements; and
- the future ePrivacy Directive provide specific rules enhancing transparency regarding government access requests, such as a requirement for organizations to periodically issue transparency reports, in aggregate form, on the number of law enforcement requests they receive.
Read the Opinion of the Article 29 Working Party.
Read the Opinion of the EDPS.