Recently in the UK press there has been media attention focused on the changes being proposed to the EU e-Privacy Directive and in particular the extension of the confidentiality of communications and other security requirements from traditional telecommunication providers to virtual network operators and providers of so-called over-the-top (OTT) services.

By extending the e-Privacy Directive to OTT service providers companies such as Skype and Facebook will now be required to address confidentiality of communications for subscribers as well as having in place mandatory data breach procedures.

However, the e-Privacy Directive is not all about Telco’s and indeed the most recent impact of the e-Privacy Directive has been the rules relating to “cookies”. In 2009 the e-Privacy Directive was amended to not only impose data breach notification requirements on Telco’s but to also require all website operators and providers of other online services to be transparent about the use of cookies and other tracking technologies and to give consumers the choice of disenabling most cookies.

The EU is currently reviewing the cookies rules and it has been suggested by certain EU bodies that there should only be a need to obtain consumers consent to the use of cookies where they are intrusive in the way that they track and profile consumers and/or serve targeting advertisements in online communications.

In his recent Opinion (Opinion 5/2016) the European Data Protection Supervisor (“EDPS”) gave his thoughts on what changes should be made to the e-Privacy Directive and said “we need a new legal framework for e-Privacy, but we need a smarter, clearer and stronger one: we need more clarity but also better enforcement.” He added that “the scope of the legal framework must be extended. This is to take account of the technological and societal changes and to ensure that individuals be afforded the same level of protection for al functionally equivalent services, irrespective of whether they are provided, for example, by traditional telephone companies, by Voice over IP services or via mobile phone messaging apps. Indeed, there is a need to go even further and protect not only “functionally equivalent” services, but also those services that offer new opportunities for communication. The new rules should also unambiguously continue to cover machine to machine communications in the context of the Internet of Things, irrespective of the type of network or communication service used. These new rules should also ensure that the confidentiality of users communications will be protected on all publically accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

The EDPS also said in his Opinion that “Consent should be genuine, offering a freely given choice to users, as required under the General Data Protection Regulation. The new rules should also clearly allow users to use end to end encryption (without “backdoors”) to protect their electronic communications”.

The specific mention of Internet of Things indicates that public authorities and businesses investing in smart cities and smart buildings should take care to note the e-Privacy Directive as it is updated and to build privacy by design and security by default into applications and systems that continuously monitor consumers and workers every movement.