You've probably noticed that the European Commission is thoroughly revising the EU data protection legislative framework. After replacing the Data Protection Directive (95/46) with the General Data Protection Regulation (Regulation (EU) 2016/679), the Commission has now turned to the ePrivacy Directive (Directive 2002/58, as amended by Directive 2009/136).

As part of its review, the Commission has launched a public consultation to allow every citizen and undertaking to express their views on the ePrivacy Directive and make suggestions for improvement. The consultation runs until 5 July 2016, so you still have time to share your opinion. More information can be found on the European Commission's website.

The ePrivacy Directive is mostly known for its cookie rule, which obliges websites that wish to place cookies to inform users thereof and obtain their consent, unless the cookie is used for the sole purpose of transmitting a communication over an electronic communications network or is strictly necessary to provide an information society service expressly requested by the subscriber or user (e.g. shopping cart cookies).

The information and consent requirements are not limited to cookies and apply to all situations whereby a party stores information, or gains access to information already stored, on the user's computer (e.g. the use of software to detect certain activities on the end-user's computer).

Even though the cookie rule applies to all types of companies, the scope of application of the ePrivacy Directive is in principle limited to the electronic communications sector. The ePrivacy Directive forms part of the "Telecoms Package", adopted in 2002 and amended in 2009, which aims to ensure an adequate level of protection and confidentiality with regard to the processing of personal data in the telecoms sector and the free movement of such information. To this end, the ePrivacy Directive contains rules on, inter alia:

  • data security;
  • data breach notifications;
  • traffic and location data; and
  • caller identification.

The Commission has identified the following four policy issues to be addressed during the review:

  1. Ensuring consistency with the General Data Protection Regulation. As the ePrivacy Directive complements the GDPR, the two instruments need to be coherent.
  2. Updating the scope of the ePrivacy Directive in light of new market and technological realities. Currently, the ePrivacy Directive applies to traditional telecommunications service providers (except for a few rules which apply to any type of organization, e.g. the cookie rule). It does not apply, however, to so-called over-the-top providers ("OTTs") which provide content or applications over the Internet. As part of its review, the Commission wishes to assess whether the scope should be extended to OTTs. 
  3. Enhancing security and the confidentiality of communications. Given the increasing number of cyberattacks, reports on covert surveillance activities and online tracking, the Commission wishes to consider various options to improve the efficiency and effectiveness of the current provisions. 
  4. Addressing inconsistent enforcement and fragmentation. As the ePrivacy Directive leaves it up to the Member States to set up national bodies for enforcement, the situation in the EU has become fragmented. Some Member States have allocated enforcement authority to their national data protection authority, while others have empowered telecom regulatory authorities or other bodies such as consumer protection organisations. The Commission wishes to study whether this fragmentation jeopardises the harmonized application of the ePrivacy Directive or causes other issues, such as legal uncertainty.