On 10 January 2017, the European Commission (‘Commission’) presented a proposal for a Regulation on Privacy and Electronic Communication (‘ePrivacy Proposal’). The main objective of the proposed act is to align the existing privacy legislation for electronic communications with the General Data Protection Regulation (‘GDPR’). A previous analysis of the ePrivacy Proposal as initially proposed by the Commission can be found here.

This will be an important text not only for providers of online electronic services, but for any company involved in e-commerce.

On 19 October, the Committee on Civil Liberties, Justice and Home Affairs (‘LIBE Committee’), responsible for the proposal, adopted its report (the ‘Report’) and decided to enter into interinstitutional negotiations with the Commission and the Council of the European Union (‘Council’). This was challenged by 76 Members of the European Parliament, who made use of a special rule in the Parliament’s Rules of Procedure to request a plenary vote on the LIBE Committee’s decision to enter into negotiations on the basis of that text.

On 26 October, the Plenary voted and fully endorsed the LIBE Committee’s Report as the Parliament’s position ahead of negotiations with the other Institutions.

The proposed amendments

The key measures of the Report, which is structured as a set of amendments to the original proposal from the Commission, include:

  • An explicit ban of “tracking cookies”: cookies that track users’ footsteps across the internet. According to Amendment 92 of the Report, which aims to complement Article 8 of the Commission’s proposal with a new paragraph, websites and apps cannot deny users access to any service or functionality on the ground that they have not given consent to the processing, storing and collecting of information that is not necessary for the provision of that service or functionality.
  • A privacy-by-default principle for software. The Parliament’s position requires software suppliers to configure their products—including browsers—with the greatest possible privacy protection settings. Therefore, right after the installation, software shall automatically protect privacy and impede tracking, storing and collection of information, without requiring any actions from users.
  • The possibility of applying the maximum thresholds for administrative fines set by the GDPR in case of infringement of the cookie and privacy-by-default provisions (Articles 8 and 10 of the ePrivacy Proposal). The changes proposed in the Report make it possible to impose administrative fines of up to € 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher. According to the original proposal from the Commission, such breaches could lead to fines of up to € 10 million or 2% of the global annual turnover.

Tracking cookies are a particular class of cookies that follow users’ movements from site to site. They can be shared among more than one website to carry out cross-site user profiling and analyse users’ behaviour across the web.

Tracking cookies are the prime source of data for behavioural targeting, a technique used by online advertisers to present targeted advertisements to consumers by collecting information about their browsing habits. Advertisers gather data from potential customers, create specific market segments based upon users’ preferences and place advertisements on other sites those users visit later. Although tracking cookies in most cases collect no personally identifiable information, they have raised concerns on the part of privacy advocates and consumers. Browsers already allow users to prevent cookies from being stored on the hard drive; nevertheless, disabling tracking cookies often affects the correct functioning and accessibility of websites.

The purpose of the proposed amendments is to prohibit the use of tracking cookies and to configure software and browsers to impede tracking, storing and collection of information by default. If included in the ePrivacy Proposal, they would lead to a radical change in the online advertising ecosystem, with implications for the European data-driven industry as well as for the accessibility and variety of online content.

Next Steps

The Report is provoking a strong debate among stakeholders, consumer groups and policy makers. The digital industry warned that it does not reflect a balanced consensus and undermines digital innovation. Online advertisers emphasized that such limitations would have severe repercussions on the economy, the independence of media and even on access to the Internet. On the opposite side, consumer groups and privacy advocates consider the Report an appropriate tool to prevent unjustified intrusions into individuals’ privacy.

While the Parliament is now ready to negotiate, the Council still has to reach a compromise position among Member States, who will now be subject to fierce lobbying from all sides. It would not be surprising if this external pressure slows down the pace of internal discussion. At this rate, it will be difficult to fulfil the initial commitment, which was to have this ePrivacy Proposal fully ready by 25 May 2018, in line with the timeline for the entry into force of its “bigger brother”, the GDPR. This dual timing may be having a negative impact on legal certainty.