The European Union’s E-Privacy Directive 2002/58/EC (as amended) (E-Privacy Directive) was implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (as amended) (PECR) and specifically focuses on the security of electronic communications. The European Commission has recently turned the spotlight on the E-Privacy Directive and issued a public consultation on its reform in April this year. The Article 29 Data Protection Working Party (WP29),
European Data Protection Supervisor (EDPS), the United Kingdom’s Information Commissioner’s Office (ICO), and many individuals and organisations have recently provided their formal responses to the consultation.
The European Commission proposed broadening the scope of the E-Privacy Directive to take account of newer technologies, ensuring consistency with the recently adopted General Data Protection Regulation (GDPR)
and strengthening the provisions around the security and confidentiality of electronic communications. The WP29, EDPS, ICO and majority of individuals and organisations supported these proposals. However a substantial 42% of industry respondents were against the scope of the rules being broadened to cover newer technologies and many believed that they should be able to block access to services if users refused cookies.
Cookie Law Not Set to Crumble?
The E-Privacy Directive, which covers cookies and other technologies concerning electronic communications, has not been updated in seven years. During that time, the digital landscape has changed significantly. There have been some suggestions from industry that there is no added value in having specific privacy rules for the electronic communications sector, as well as opposition to the scope of the rules being widened to cover newer technologies (which was revealed by some of the responses to the consultation). However, the WP29, EDPS, and ICO believe that the specific rules should be maintained. They are backed in this respect by 83% of the individuals and civil society organisations that took part in the public consultation, according to preliminary findings.
The WP29, EDPS, and ICO also agree with the Commission that the reformed E-Privacy Directive must be designed to align with and complement the GDPR, which aims to strengthen and harmonise data protection law across the EU. WP29 notes that the key principle behind the GDPR is Article 8 of the Charter of Fundamental Rights of the European Union (Charter) relating to personal data protection, whereas the E-Privacy Directive stems from Article 7 of the Charter which specifically protects the confidentiality of communications. There is clearly some overlap between these underpinning principles, and the WP29, EDPS, and ICO responses to the consultation flag areas where they deem consideration of the GDPR to be necessary in reforming the E-Privacy Directive. An overview of the reforms that the WP29 and EDPS have recommended, which are more substantial than those of the ICO, is set out below.
Many new communication services have emerged since the E-Privacy Directive was last updated, such as “Over The Top / OTT services,”
Voice over IP, and a range of instant messaging apps, such as Facebook Messenger and WhatsApp. The WP29 and EDPS contend that, from the perspective of the user, these services are functionally equivalent to more traditional services such as SMS messaging, and should be included within the scope of the E-Privacy Directive with the relevant definitions updated as necessary. Users also have access to a broad range of Wi-Fi services, for instance in hotels and trains. Acknowledging this, the WP29 and EDPS recommend that the definition of “publically accessible private communications networks” be updated to make it clear that it encompasses these services. The EDPS suggests that the European Commission consider further extending the scope of the E-Privacy Directive to dating apps and games, though this is not commented on by WP29. According to the EDPS, the challenge in updating the scope provisions of the E-Privacy Directive, “lies in ensuring that any new provisions will remain sufficiently technologically neutral to allow coverage of new services, while at the same time affording legal certainty and predictability.”
The EDPS suggests that the E-Privacy Directive have the same territorial scope as the GDPR, including the GDPR’s extra-territorial applicability. The GDPR will apply to processing activities related to the offering of goods or services to, or monitoring of the behaviour of, data subjects located in the EU, even if the relevant controller / processor is not located in the EU. The EDPS therefore appears to be suggesting a similar focus on the location of users (rather than the location of service providers) for determining the geographic scope of the E-Privacy Directive. The WP29 has not commented on this.
Protecting Communications in Transit
The WP29 and EDPS advise that the E-Privacy Directive maintain the general prohibition of interception / surveillance of communications without consent (unless an exception to the consent requirement applies). They suggest that the European Commission elaborate in a Recital that interception and surveillance should be interpreted in the broadest technological sense. They further recommend that certain provisions be clarified, particularly the concepts of “communications data” and “related traffic data”. These two categories could be distinguished with traditional telephony; the content of the call itself could be classed as “communications data” whilst the record of who called whom and when could be classed as “traffic data.” This distinction is not so clear with current network providers. In addition, the WP29 advises that provision be made to protect users from the interception of their communications, which should not depend on whether the communications are between individual users or within a defined users group (such as a conference call).
Protecting Terminal Equipment
The WP29 suggests that the language relating to the storage of information, or access to information stored, on terminal equipment, should be rephrased to better protect the confidentiality of users’ communication devices. The language should be as technologically broad as possible; “the rules governing the collection of information from user devices should not depend on the kind of device owned by the data subject nor on the technology employed by an organisation.” The EDPS also recommends that users be given “real control” of cookies and similar tools on their devices, including the choice of special features, enhancements, and any additional components. For instance users should be given some control over scripts that launch interactions between their device and ad exchanges
or other servers.
It is a key tenet of the GDPR that data subjects freely consent to the processing of their personal data. The WP29 and EDPS recommend the same approach to the issue of consent for the E-Privacy Directive, and specifically recommend the following:
- a total or partial ban on “take it or leave it,” approaches such as “cookie walls” which prevent users from accessing websites unless they accept cookies, as these undermine the principle of freely given consent according to the WP29 and EDPS;
- inclusion of a non-exhaustive list of situations where a choice will not be considered to be freely given, for instance where there is an imbalance of power between a service provider and user, or where consent is being bundled for multiple purposes;
- a requirement that browsers and operating systems offer user-friendly tools within the browser (such as a Do Not Track feature) to enable users to easily provide and revoke their consent to processing;
- clear reference to the GDPR consent provisions to enable consistency; and
- clear exceptions to the consent requirement in certain circumstances, such as where processing is strictly necessary to maintain the security of a service, or if data is immediately and irreversibly anonymised during collection on a device.
The WP29 and EDPS recommend that the E-Privacy Directive be amended to impose more obligations on providers of equipment and services to increase the security of end-user equipment and communications in transit. Both support the inclusion of further security measures proposed by the European Commission, such as the development of minimum security or privacy standards for networks and services and extension of security requirements to reinforce coverage of Internet of Things devices.
There are several aspects of the E-Privacy Directive that require clarification, according to the WP29 and EDPS. Firstly, both contend that the distinction between “traffic data” (data processed for the purpose of sending a communication) and “location data” (data indicating the geographic position of the terminal equipment of a user) is not helpful and that there should be a harmonised consent requirement for all of this data and any similar “metadata” (data that provides context or additional information relating to other data). It is not clear what other information should be included in the definition of “metadata” but it is likely that the European Commission will give this concept further thought.
Secondly, the WP29 and EDPS argue that prior consent should be obtained from the recipients of all types of unsolicited electronic communications, irrespective of the means of such communications (which can vary from text messages to online behavioural advertisements). Further suggestions in this area include obliging the sender of unsolicited communications to keep time-stamped copies of the information provided to users when obtaining their consent and aligning the consent provisions with the GDPR consent guidance.
At the time when the E-Privacy Directive was drafted, it was common for paper copies of telephone directories to be distributed to households, and for people to call directory enquiry services. Similar directory services are now provided by some social networking and information society services. The WP29 and EDPS therefore recommend that the right of directory subscribers to “determine whether their personal data are included in a public (printed or electronic) directory” in the E-Privacy Directive be widened to include all kinds of directory services.
As the GDPR already contains notification requirements in the case of personal data breaches, the WP29 and EDPS advise deleting these requirements from the E-Privacy Directive.
To ensure a simplified supervision and enforcement framework, the WP29 and EDPS recommend that national data protection authorities be considered as the competent authorities responsible for the enforcement of the amended E-Privacy Directive. It is likely that this provision will be linked to the new cooperation and consistency mechanisms for supervisory authorities which are set out in the GDPR.
Impact of Brexit
The UK may have to implement the amended E-Privacy Directive before Brexit takes place, depending on the progress of the E-Privacy Directive reforms and when the Brexit negotiations conclude. Following Brexit, the implementing legislation would remain in force in the UK unless it is amended or repealed.
If the UK is not obliged to implement the amended E-Privacy Directive because Brexit occurs before the E-Privacy Directive amendments are finalised (which appears unlikely at this stage) it may still decide to update the current PECR. Notwithstanding this, if the territorial scope of the E-Privacy Directive is widened to apply to organisations that provide services to users in the EU as suggested by the EDPS, some UK or non-UK organisations may need to adhere to it in any event.
It is possible that, following Brexit, US organisations that process data personal data relating to data subjects located in the UK or EU would have to comply with four distinct regimes; the amended EU E-Privacy Directive, updated UK PECR, the GDPR, and the UK equivalent / variation of the GDPR. However the ICO has stated, in relation to the GDPR, that reform of the UK legislation would be necessary and “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
It is likely that the ICO would have a similar view in relation to the E-Privacy Directive. Although it is not possible to say with certainty at the moment, it is likely that the UK’s domestic privacy reforms would be harmonised with the European legislation, in order to prevent a negative impact on commercial arrangements.
What is Next?
The European Commission now faces the challenge of ensuring that its drafting achieves the right balance between protecting the privacy of users and not stifling the innovation and legitimate interests of digital service providers. The ICO comments that “revised e-privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual.”
The responses discussed in this advisory are not binding on the European Commission, though they are likely to be influential on the reforms. The European Commission will now review all of the feedback on the consultation that it has received, and is expected to provide a new legislative proposal on e-privacy by the end of the year.
Watch this space!