As we have already mentioned in our latest news, on 10 January 2017 the European Commission presented a proposal for a Regulation (the “Regulation”) which is expected to amend the Directive 2002/58/EC (e-Privacy Directive) standardising the current European legal framework for the processing of personal data in the electronic communications sector and whose final approval is expected to coincide with the full application of the General Data Protection Regulation (“GDPR”) scheduled for May 25, 2018.
The Article 29 Working Party (“WP29”), with the opinion n. 1/2017 WP247 of 4 April 2017, and the European Data Protection Supervisor (“EDPS”), with the opinion n. 6/2017 of 24 April 2017, have released their respective views on the proposed Regulation.
Both the WP29 and the EDPS welcomed the Regulation proposal, albeit with some concerns.
I. Art. 29 WP and EDPS’s opinions
Positive aspects highlighted
The main positive aspects highlighted by WP29 on the proposed Regulation are the following:
- extension of the scope: the proposed Regulation also applies to voice telephony and messaging services based on the Internet (so-called “Over-The-Top” providers, “OTT”), i.e. to the processing related to the exchange of e-mails and online messages, including the new electronic communications services (such as WhatsApp, Facebook Messenger, Skype, Viber);
- choice of the regulatory instrument: as with the GDPR, the choice of a regulation rather than a directive. This ensures that rules are uniform across the entire EU and provides clarity for supervisory authorities and organisations;
- alignment with the GDPR: the proposed Regulation provides a penalties system that is largely similar to that in the GDPR, and makes the same authority responsible for monitoring compliance with the GDPR responsible for the enforcement of ePrivacy rules; moreover, the proposed Regulation does not contain a new and different data breach notification regime compared to what is already planned in the GDPR (Articles 33 and 34), which has the positive consequence of preventing unnecessary overlap with the data breach requirements of the GDPR;
- communications content and associated metadata: the WP29 also considered it positive that the protection is extended not only to the content of communications but also to associated metadata, that is “ancillary and outline elements of an information […]” which “where feasible must be anonymised and, if processed without consent or when they are no longer needed for the purpose for which they were collected, shall be deleted” (see the press release of the Italian Data Protection Authority of 26 April, 2016, doc. web 6294728);
- aspects related to consent: basic broadband internet access and voice communications services are to be considered “as essential services for individuals to be able to communicate and participate to the benefits of the digital economy” (Regulation, recital 18) and therefore “the consent for the processing of data from the use of internet or voice communication will not be valid if the data controller has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.” (Regulation, recital 18). Therefore, given people’s dependence on access to these services, the WP29 highlights that consent for the processing of their communications data for such additional purposes (i.e. processing for advertising or marketing purposes) cannot be valid. I think this should be understood as applying where consent is given together with the positive action of joining the service, the so-called take-it-or-leave-it.
Analogously, the EDPS highlights the positive aspects – similar to those noted by WP29 – consisting in particular of:
- the choice of a regulation as the form of legal instrument, which may ensure a more consistent level of protection across the European Union;
- the extension of the confidentiality requirements to a broader range of services, including OTT (‘over-the-top’);
- the approach of allowing processing only under clearly defined conditions;
- the modernisation of the current consent requirements under the new Articles 9 and 10;
- implicitly providing for full alignment with the GDPR with regard to data breaches, through the choice (already mentioned) not to include any specific provision on them;
- the choice of making the same authorities responsible for supervision of the rules under the GDPR and the ePrivacy Regulation;
- the choice of an opt-in rule for all unsolicited commercial communications.
Points of concern
However, both the WP29 and the EDPS have also expressed concerns about a number of provisions of the Regulation.
In particular, the WP29 highlighted four main critical points:
1. the tracking of terminal equipment through WiFi or Bluetooth
Art. 8, second paragraph, of the Regulation requires that “The collection of information emitted by terminal equipment to enable it to connect to another device and/or to network equipment shall be prohibited, except if: (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection”;
The lack of any specification concerning the need for the data subject’s consent suggests that for such tracking it is sufficient to display a mere alert (banner) informing users of the possibility of “stopping or minimizing such collection”.
According to the WP29, the obligations in the e-Privacy Regulation for the tracking of the location of terminal equipment should comply with the GDPR’s requirements; therefore, depending on the circumstances and the purpose of the data collection, such tracking should only take place with the consent of the individual concerned, or may only be performed if the personal data collected is anonymised;
2. the conditions under which content and metadata may be analysed
According to the WP29, metadata and content should be processed only with the consent of all end-users (i.e. senders and recipients); therefore, the consent of only one of the persons concerned is not sufficient. However, certain processing may be allowed without consent, if strictly necessary for specific purposes such as, for example, spam filtering;
3. terminal equipment and software by default
The WP29 recommends that terminal equipment and software must by default “offer privacy protective settings, and guide users through configuration menus to deviate from these default settings upon installation”;
4. the prohibition of “tracking walls”
The proposed Regulation should explicitly prohibit “tracking walls”, which consist of a “take it or leave it” situation “whereby access to a website or service is denied unless individuals agree to be tracked”.
As for the EDPS, he has raised concerns over the following main issues:
1. the rules outlined in the proposed Regulation are very complex: “Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions.” According to the EDPS, this complexity may put protection at risk.
2. most of the definitions on which the Proposal relies are stated in the European Electronic Communications Code (EECC), which is, however, a different legal instrument, differing from the Regulation in both its object (protection of competition and the market) and its aims (building a single market for effective communication); the Regulation, by contrast, concerns the protection of personal data and the confidentiality of communications in the context of electronic communication services, and aims to encourage the security of digital services and the resulting user confidence.
This implies that the essential concepts of the Regulation must be clearly defined in the light of the scope and objectives of this legislation.
Consequently, the EDPS recommends breaking the link between these sets of rules by inserting the core definitions directly in the Regulation; these definitions must be consistent with the EECC, but not necessarily identical to it;
3. the EDPS emphatically endorses the prominence given to the complementary and specifying relationship between the Regulation and the GDPR, which is the basis of an equal standard of protection under the provisions of the Regulation and those of the GDPR, but it also highlights the opportunity to strengthen the provisions on user consent;
4. consent must be truly free: “For example, consent should be genuine, offering a freely given choice to users, as required under the GDPR” and, for this reason too, there should be no more “tracking walls” (also known as “cookie walls”), i.e. access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites.
Consent should then be required for all parties involved in the communication (for example, e-mail senders and receivers), save for specific exceptions related to particular circumstances.
In addition, the contents of the Regulation (including the definitions) should ensure that consent is provided by those who actually use the electronic communications service, and not by anyone who merely subscribes to it. Lastly, the law should provide that browsers are set by default to exclude tracking.
5. the exceptions regarding tracking of the location of terminal equipment are too broad and lack adequate safeguards;
6. the proposal extends the possibility for Member States to introduce restrictions on rights (by referring to Art. 23(2)(a) to (e) of the GDPR) beyond the scope and objectives of the Regulation: the EDPS points out the need to demonstrate the necessity and proportionality of such restrictions in the specific circumstances that may arise;
7. the new rules must also set strong requirements for privacy by design and by default.
(On these issues, see also the interesting post by Paolo Calvi: ePrivacy Regulation Proposal and GDPR, published on the blog europrivacy.info).
II. Work in progress
- on June 9, Marju Lauristin, Member of the European Parliament (MEP) and of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), released a draft report containing amendments to the Regulation.
In preparing this report, the rapporteur Marju Lauristin conducted extensive and thorough discussions with the committees that produced the following documents: the draft opinion of the Committee on Legal Affairs, the draft opinion of the Committee on the Internal Market and Consumer Protection, and the draft report of the Committee on Industry, Research and Energy.
- on June 21 Marju Lauristin presented her draft report to her colleagues in the LIBE Committee; on 10 July 2017 the LIBE Committee met to discuss the draft report containing the amendments to the Regulation and, as confirmed by the rapporteur herself, the next step will take place in September/October. The draft report needs to be adopted first by the LIBE Committee and at a later stage by the European Parliament.
The main aspects highlighted by the draft report are the following:
1. The draft report clarifies the relationship between the GDPR and the ePrivacy Regulation, specifying that the ePrivacy Regulation “aims to provide additional and complementary safeguards taking into account the need for additional protection as regards the confidentiality of communications” and that for this reason “Processing of electronic communications data by providers of electronic communications services should only be permitted in accordance with, and on a legal ground specifically provided for under, this Regulation” (see amdt 4).
2. Amendment 18 proposes the deletion of Recital 18 of the Regulation (under which “the consent for the processing of data from the use of internet or voice communication will not be valid if the data controller has no genuine and free choice, or is unable to refuse or withdraw consent without detriment”) and introduces a new recital 17, point a, which partially repeats what is already provided in recital 18, i.e. “for the purposes of this Regulation, the consent of an end-user, regardless of whether the latter is a natural or legal person, should have the same meaning and be subject to the same conditions as the consent of the data subject under Regulation (EU) 2016/679” and also clarifies that “the end-users should have the right to withdraw their consent from an additional service without breaching the contract for the basic service. Consent for processing data from internet or voice communications usage should not be valid if the user has no genuine and free choice, or is unable to refuse or withdraw consent without detriment” (see amdt 17).
3. The draft report removes the cross-reference to the European Electronic Communications Code by amending article 4, paragraph 1, point b) and removing article 4, paragraph 2, of the Regulation, and introduces these definitions directly in the new paragraph 3 of Article 4 (see amdt 47 to 54).
In this way, the Regulation would be free and separate from any other legislative initiative adopted by the EU, such as the European Electronic Communications Code, in line with the opinion expressed by the EDPS who, as noted above, raised concerns about the fact that the Regulation simply refers to article 2 of the proposal for a directive establishing the European Electronic Communications Code for its definitions (see article 4, paragraph 1, point b) of the Regulation).
4. The draft report introduces a distinction (absent in the original version of the Regulation) between ‘end-user’, meaning “a legal entity or a natural person using or requesting a publicly available electronic communications service” (see amdt 53, our underline), and ‘user’, meaning “any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service” (see amdt 54, our underline).
By reason of this distinction, the term “end-user” has been replaced in some places by “user” (ex multis, see amdt 58, 59, 69, 70), thereby limiting the protection of the confidentiality of communications to natural persons only, even though the draft report leaves unchanged recital 3 of the Regulation, which protects the confidentiality of communications of both natural and legal persons alike.
5. The definition of ‘electronic communications metadata’ is also extended to “any other communications related data processed for the provision of the service, which is not considered content” including “data broadcasted or emitted by the terminal equipment to identify users' communications and/or the terminal equipment or its location and enable it to connect to a network or to another device” (see amdt 55). As specified in the draft report “this amendment serves to clarify the exact concept of metadata, as underlined by the Article 29 Working Party, scholars and case-law authorities” (see justification at the end of the amdt 55).
6. In addition to the specific cases of “permitted” processing (now defined as “lawful” based on amendment 60) of electronic communication under Article 6 of the Regulation, the draft report provides that “for the provision of a service explicitly requested by a user of an electronic communications service for their purely individual or individual work-related usage, the provider of the electronic communications service may process electronic communications data solely for the provision of the explicitly requested service and without the consent of all users” but this is possible “only where such requested processing produces effects solely in relation to the user who requested the service and does not adversely affect the fundamental rights of another user or users” (see amdt 71, my highlighting in bold).
However, in this way the processing of electronic communications could be permitted without consent in many cases, given that “individual or individual work-related usage” is surely among the main purposes for which electronic communications services are used. By “the consent of all users” we suppose both senders and recipients are meant; therefore, the consent of only one of the data subjects should not be sufficient.
7. Amendment 78 provides that tracking users (for example, via cookies) may be permitted with their consent (i.e. “the user has given his or her specific consent”) “which shall not be mandatory to access the service”. Therefore, the draft report conforms with the opinions of WP29 and the EDPS by making the user’s consent actually free and by allowing the user access to the service even if the user does not consent to being tracked.
Moreover, this rule is strengthened in a new and separate paragraph of article 8 introduced by amendment 83 whereby “No user shall be denied access to any information society service or functionality, regardless of whether this service is remunerated or not, on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal information and/or the use of storage capabilities of his or her terminal equipment that is not necessary for the provision of that service or functionality”.
8. In addition to those already provided for in article 8 of the Regulation, the draft report introduces other exceptions for the tracking of terminal equipment (see amdt 75 to 83). In particular, amendment 82 proposes an exception for tracking employees “if it is necessary in the context of employment relationships”, but only on condition that the employee uses the equipment provided by the employer and only if this tracking is “strictly necessary for the functioning of the equipment by the employee” (see amdt 82).
9. The draft report introduces some important amendments about tracking terminal equipment (i.e. Wi-Fi tracking or Bluetooth tracking) by allowing the collection of information emitted by terminal equipment only (i) in order to, for the time necessary for, and for the sole purpose of establishing a connection requested by the user, or (ii) with the informed consent of the user, or (iii) if the data are anonymised and the risks are adequately mitigated (see amdt 84 to 90).
For the mitigation of risk, the draft report recommends the following measures: (a) the purpose of the data collection from the terminal equipment shall be restricted to mere statistical counting; and (b) the tracking shall be limited in time and space to the extent strictly necessary for this purpose; and (c) the data shall be deleted or anonymised immediately after the purpose is fulfilled; and (d) the users shall be given effective opt-out possibilities (see amdt 89).
Lastly, users must be informed about the tracking of their terminal equipment by clear information detailing how the information will be collected, the purpose of collection, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 (see amdt 90). In any case, “the collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in Article 32 of Regulation (EU) 2016/679” (see amdt 90).
Therefore, the draft report proposes, in line with the opinion of WP29, a significant change compared to the Commission’s proposal (under which, for tracking users, it is sufficient to display a mere alert/banner informing users of the possibility of “stopping or minimizing such collection”, together with the adoption of appropriate technical and organisational measures to mitigate the risk: see article 8, paragraph 2, of the Regulation).
10. Article 10 of the Regulation concerns the options for terminal equipment and software by default, and this article is amended with a clear preference for “Do-Not-Track” mechanisms (DNTs) by providing that all software is set by default to “offer privacy protective settings to prevent other parties from storing information on the terminal equipment of a user and from processing information already stored on that equipment” (see amdt 95).
In this regard, the rapporteur explains at the end of the draft report that “the settings should allow for granulation of consent by the user, taking into account the functionality of cookies and tracking techniques and DNTs should send signals to the other parties informing them of the user’s privacy settings. Compliance with these settings should be legally binding and enforceable against all other parties” (see p. 88 of the draft report).
11. The penalties provided for in article 23 of the Regulation are also extended to infringements of the obligations covered by article 8 (Wi-Fi tracking, cookies, Bluetooth tracking), with administrative fines of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover (see amdt 131).
For further information:
- opinion n. 1/2017 WP247 of the Art. 29 Working Party
- opinion n. 6/2017 of the European Data Protection Supervisor
- proposal for a Regulation of the European Commission
- draft report of the Committee on Civil Liberties, Justice and Home Affairs, Rapporteur: Marju Lauristin