The ePrivacy draft regulation is turning towards a more stringent regime with after the approval by European Parliament of the latest draft.

The European ePrivacy Regulation is meant to integrate the European General Data Protection Regulationwhen it comes to “electronic communications data“. It is still in a draft stage and apparently the plan is to speed up the approval process so that it will be effective from the 25th of May 2018 as the GDPR.

And a major step forward was made with the approval by the European Parliament of an amended text of the draft ePrivacy Regulation which seems to meet the requests from the European data protection authority for more stringent provisions in the opinion of the Article 29 Working Party on the topic. This does not mean that the ePrivacy Regulation will be eventually approved in its current wording, but just means that the European Parliament gave a mandate to start negotiations with the European Council on the current text.

The main chages that were introduced can be summarized as follows:

Broader scope for the ePrivacy regulation

The ePrivacy regulation now provides at recital 4 that

electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679

The subsequent recital clarifies that the regulation applies only to “electronic communications data that qualify as personal data” which appears in contradiction with the previous recital. But in general terms the recital 4 seems to create a presumption that any electronic communication data falls within the scope of the GDPR. This is confirmed by the changes to the provisions relating to the material scope of the regulation whose applicability

  • is now clearly extended to the processing of any electronic communication data both online and offline by means of users terminals;
  • includes any content transmitted, distributed or exchanged by means of electronic communications services, including metadata;
  • applies to any type of direct marketing communication; and
  • any machine to machine service, which therefore would include Industrial Internet of Things communications.

Finally, the applicability to non-EU entities processing data of individuals located in the European Union (regardless of where the processing takes place) has been further expanded.

More reliance on users’ prior consent

The ePrivacy draft regulation relies on the users’ consent more than the GDPR which provides a wider number of alternative solutions, including the legitimate interest. On the contrary, the latest draft of the regulation emphasizes that

The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.

This position seems confirmed also in relation to communications for direct marketing purposes whose provision of the ePrivacy regulation refers to the need of a prior consent, only providing for the “soft spam exemption” and without mentioning the possibility to rely on the legitimate interest which on the contrary is expressly provided by the GDPR.

Likewise any interception of electronic communications, also by means of wireless networks and for traffic analytics, shall occur with the prior consent of the relevant individuals.

Cookie walls and banners are banned

The ePrivacy draft regulation takes a strong position agains cookie walls and banners which on the contrary are the solution provided by the guidelines of the Italian data protection authority. On the contrary, more control shall be given to users by means for instance of browser settings. This solution is aimed at avoiding a sort of unknown approval by users that are just bothered by cookie walls and accept it without reading the terms of the applicable cookies policy. But the draft regulation also adds that

  • in compliance with the principle of privacy by default, the default settings of the browser or software to be used to control cookies shall be set so that the storing of information on the terminal equipment by third parties is prohibited. This might have a massive negative effective on all the applications aimed at tracking users’ behaviour on the Internet and
  • users shall be given sufficient granular options as to the categories of consent to be given in order to have a better control on them.

Strong limitations to web analytics

No consent is required for cookies that are technically necessary for measuring the reach of an information society service requested by the user provided that such measurement is carried out by the provider or on behalf of the provider and

  1. data is aggregated;
  2. user is given a possibility to object;
  3. no personal data is made accessible to any third party and
  4. data is kept separate from the data collected in the course of audience measuring on behalf of other providers.

Broader applicability of fines

The scenarios in which the highest fine of 4% of the global turnover or € 20 million is applicable have been extended to include for instance the breach of the provisions on consent and on privacy settings for cookies. Also, it has been clarified that if the same conduct represents a breach both under the GDPR and the ePrivacy regulation, the highest fine will apply.

My impression is that the European regulators are setting a regime that is excessively restrictive and might render the European market less attractive in a period when there is a strong tendency towards digitalization and the usage of tools of machine learning, artificial intelligence and IoT. The goal is to protect consumers, but I am concerned that the European Union is currently in an economic condition to be able to “set the path“, while a more balanced approach might encourge investments.