Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) prompted the European Commission (“Commission”) to update the EU’s Privacy and Electronic Communications Directive. The recommendations made to it last summer suggest wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data, along with a general expansion of the framework. Public consultations have begun and, in light of a similar review scheduled for Canadian privacy laws, may forecast what’s on the horizon for Canada.

The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, recently launched a public consultation project to evaluate and review the text of the ePrivacy Directive 2002/58/EC (the “Directive”) and the related existing legal framework. The purpose of the public consultation is to collect comments on the main provisions of the Directive, which include the scope of application, the applicable security provisions, confidentiality considerations, competent authorities, and considerations related to unsolicited commercial communications (spam).

Background

In 2012, the Commission announced the EU Data Protection Reform (the “Reform”), designed to make Europe a leader in adaption to a technological era. The Digital Single Market Strategy (the “DSMS”) represented a priority program directed at creating improved online access to digital goods and services through rules and regulations crafted specifically to keep pace with an increasingly digital age. In addition to these mandates, the DSMS also announced that ePrivacy rules would be reviewed following the adoption of the component parts of the reform.

In December of 2015, the Commission, along with the European Parliament and the Council, announced the final agreement, which consisted of two components: the Data Protection Directive for the police sector and criminal justice system and the GDPRfor personal data. The GDPR represented an unprecedented and notable reform of data protection rules in the electronic communication sector targeted at enabling a greater level of control over consumer data and reinforcing consumer trust in data use while also levelling the playing field in the market. This reform process also affects the Directive, which is a complementary component of the GDPR that further particularizes the specific rules applicable to personal data processing in the electronic communications sector.

The ePrivacy Directive was last updated over seven years ago to provide privacy protections related to personal data breaches and to tackle issues associated with the use of cookies.

The Consultation

The public consultation process on the Directive is an integral part of a group of initiatives targeted at creating a high level of protection for European citizens in order to ensure both security and trust when it comes to personal data in the electronic communications sector, especially given the increasing use of and reliance on digital communications. Starting as of April 12, 2016, with comments being received over a period of 12 weeks, the questionnaire is open to citizens, consumer and user associations, civil society organizations, businesses, public authorities and academia.

Topics for comment in the questionnaire include:

  • The effectiveness of the Directive in harmonizing existing provisions to ensure both the free movement of data and electronic communication equipment and a consistent level of privacy protection in data processing in the electronic communications sector;
  • The relevance of the Directive as a new and necessary further particularization of the applicable rules in the electronic communications sector in the context of technological, social and legal considerations;
  • The cohesive nature of the Directive as it relates to other pre-existing rules and legislation;
  • The costs, benefits and economic efficiency of the Directive for both businesses and users;
  • The applicable scope of the Directive to publicly available, traditional electronic communication services and providers, but not so-called “over-the-top” providers that create equivalent communications services that operate over the internet (for example, VOIP providers);
  • The confidentiality and security of communications that occur over public communications networks and the related prohibition on both interception and surveillance except where authorized by law or express consent;
  • The right of subscribers to non-itemized bills, anonymity, control over automatic call forwarding, and decisions related to listings in a public directory;
  • The requirement of prior consent to unsolicited commercial communications, including via SMS, with an opt-out approach for direct marketing emails; and
  • Implementation and enforcement considerations, such as what entity should be responsible for cross-border matters covered by the ePrivacy instrument and the remedies available in instances of breach.

Considerations Closer to Home

Canada is also in the process of both reviewing and revising privacy laws. With a number of government organizations and agencies responsible for overseeing the applicable legislation related to privacy rights in the country, there may be lessons to be learned from the European approach and the public consultation process. The issues listed in the questionnaire are in large part issues that the Office of the Privacy Commissioner of Canada and the CRTC have identified as being of concern.