In July 2016, the Article 29 Working Party (“WP29”) and the European Data Protection Supervisor (“EDPS”) published opinions (the “Opinions”) on the reform of the ePrivacy Directive (2002/58/EC) (the “Directive”). These Opinions followed a public review and consultation on the Directive, carried out by the European Commission (“EC”). While these sets of proposals are non-binding, they can still influence how the Directive is reformed. We take a look at the main talking points.
The Directive currently regulates an assortment of areas, including cookies, spam and the use of location data. It also covers many telecoms-specific issues, such as billing, collection of traffic data and the interception of communications. The recent Opinions support the retention of many of the features of the Directive while extending the protections to cover services of non-telecoms providers (such as Skype and Viber). The Opinions also include proposals to regulate Wi-Fi hotspots and reform existing rules on spam, cookies and consent.
1. Over-the-top (OTT) Service Providers
OTT service providers are those that use the existing telecoms and internet infrastructure to provide their services. Examples of OTT service operators include Skype, Viber and FaceTime.
Currently, the Directive does not require OTT service providers to implement the same protections as required from telecoms communications providers. However, both Opinions recommend extending certain existing obligations to cover services that are “functionally equivalent” to telecoms service providers, such as OTT service providers. This would mean that OTT service providers would be made subject to obligations around interception and the processing of traffic data.
2. Interception of Electronic Communications
The WP29 Opinion recommends extending the existing prohibition on the interception of electronic communications so that it covers group communications, such as conference calls. The Opinion also recommends that ‘interception’ and ‘surveillance’ be interpreted broadly to include the use of unique identifiers. Given the potential for location and traffic data to reveal an individual’s habits and private life, the Opinions also include proposals to create a more harmonised concept of ‘metadata’.
The Opinions favour extending the protections on user communications to cover “publicly accessible private networks”. Examples of these networks are hotel or train Wi-Fi, workplace Wi-Fi for visitors and guests, and hotspots created by individuals. Wi-Fi hotspots such as these would be required to implement measures to protect the confidentiality of users’ communications, something that is presently only a requirement for ‘public’ Wi-Fi hotspots.
The EDPS Opinion proposes that recipients’ consent be sought for all types of unsolicited electronic communications, whatever the means of communication. In addition to traditional forms of communication such as e-mail, text, voice and video calls, the revised rules would also cover direct messaging and behavioural advertisements. In addition, the EDPS Opinion highlights that only the sending of “commercial” communications is currently regulated. With this in mind, the EDPS has proposed broadening the definition to include all “spam, unsolicited telephone calls and marketing messages, phishing and other malicious attempts”.
The existing cookies rules cover both user notice and consent regarding cookies and similar technologies. Essentially, before cookies are dropped on a computer or device, the user must be notified of, and consent to, their use. In its Opinion, WP29 has suggested rewording the rules to make them technology-neutral. This would aim to capture tracking techniques used on smartphones and on ‘Internet of Things’ apps, as well as “passive tracking”. The EDPS suggests that when defining “passive tracking”, the definition should be as neutral as possible to capture future tracking technologies. WP29 has also invited the EC to consider reforming user consent requirements, as discussed below.
Both Opinions highlight the fact that users may not be given the opportunity to “freely” consent to the types of processing regulated by the Directive. Often, if consent is withheld, so are the services offered. Given this, WP29 has suggested 5 instances where the withdrawal of services should not be allowed if user consent is withheld:
- Tracking on websites, apps and/or location data that reveal special categories of data, such as information relating to health or sexual life, if the information impacts the private lives of users.
- Tracking by unidentified third parties for unspecified purposes.
- When using any government-funded services.
- Where there is an unequal balance of power between the parties, if there is no equivalent alternative service for the user or where consent is part of a contract.
- When bundled consent for processing is sought for multiple purposes.
Along with obligations to obtain consent, the service provider must also provide easy and user-friendly ways to revoke consent.
7. Where No User Consent is Required
In contrast to the above, WP29 envisages 3 instances under the Directive where user consent is not required:
- Where data is necessary for the transmission of the electronic communication requested by the user. This does not include marketing, research and audience measurement data.
- Where data is strictly necessary to proactively or defensively maintain or manage a security network.
- Where location and traffic data is strictly necessary for keeping evidence of billing or electronic transactions.
Other examples proposed by WP29 of when consent would not be required:
- when data is anonymised;
- when data has little or no impact on the rights of users;
- when the collection of data serves a legitimate purpose; or
- when there is no processing of sensitive data.
What Reforms to Expect?
In summary, the following recommended reforms could be seen in a revision to the Directive:
- Regulation of OTT service providers.
- Protection of publicly accessible ‘private’ Wi-Fi hotspots.
- Revisions to consent obligations.
- Future-proofed, technology-neutral concepts.
- Extended obligations regarding spam and cookies.