The original proposal
The European Commission published a proposal for an ePrivacy Regulation (Regulation) to overhaul the Directive and harmonise application across the EU as part of its Digital Single Market initiative. The initial intention was for the Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR) on 25 May 2018, but this always looked ambitious and it now seems likely that the Regulation will not be finalised before the European elections in May 2019.
The initial proposal for an ePrivacy Regulation was published in January 2017. It:
- Applies to ‘over the top’ service providers such as WhatsApp, Facebook, Gmail and Skype and not just to telecommunications service providers.
- Takes the form of a Regulation rather than a Directive.
- Covers both content and metadata derived from electronic communications – both will need to be anonymised or deleted if users have not given consent, unless required for billing purposes.
- Gives traditional telecommunications providers more scope to use data and provide additional services, subject to obtaining appropriate consent.
- Streamlines rules on cookies – consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website.
- Bans unsolicited direct marketing electronic communications to consumers by any means including phone calls if users have not given consent unless exemptions apply.
- Allows Member States to require that marketing callers display their phone number or use a special prefix.
- Enhances enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.
Changes made by the Council
Amidst extensive lobbying, the current Austrian Presidency of the Council of the European Union published a revised draft in July 2018 with some significant changes. The July proposals suggested a watering down of the original requirements around information which has to be given to users about third party cookies and the requirements to make users select privacy settings whenever new privacy options are available. The Presidency commented that the original proposals were impractical and would result in 'consent fatigue'.
The July 2018 proposals also included further exceptions to the prohibition on dropping cookies under certain circumstances, for example, for anti-fraud, security and statistical purposes, or where users are given a choice to use the services with or without cookies which collect their personal data.
The most recent set of amendments at the time of writing was published on 19 October 2018, with further changes to the July draft, in particular, to Articles 6 (Permitted processing) and Article 10 (Protection of end-users' terminal equipment).
It is believed that Austria does not intend to do more than issue a status update before it hands the file over to the Romanian presidency in January 2019. Once the Council has agreed its position, negotiations with the European Parliament will begin provided they have agreed their own position. Due to the interruption of the elections, this means that the ePrivacy Regulation is most unlikely to come into effect before 2020.
What is the position under the latest Council draft?
Focusing on consent, cookies and direct marketing, this is what the latest draft from the European Council proposes. The Council's final agreed position will form the basis for negotiations with the European Parliament.
Provisions for consent under the GDPR apply to natural and legal persons (ie individuals and businesses) under the Regulation. This means consent must be freely given, informed, specific, and provide an unambiguous indication of the individual's wishes by a clear, affirmative action. While the GDPR definition of consent has applied to the ePrivacy Directive since 25 May 2018, the Directive originally used the definition in the Data Protection Directive 1995 (freely given, specific and informed).
The impact of the tougher consent hurdle in relation to marketing communications is, however, likely to be less keenly felt by the time the Regulation comes in, as most businesses should, by then, be used to considering consent in a GDPR context. The situation is slightly less clear cut in relation to consent for cookies.
Cookies (and other similar technologies)
Under the latest version of Article 8 of the Regulation, the use of technologies like cookies to collect information from end-users' "terminal equipment" (devices) or to use the processing and storage capabilities of those devices is prohibited unless:
- It is necessary for the sole purpose of carrying out the transmission of an electronic communication;
- The end-user has given consent;
- It is necessary for providing an "information society service" requested by the end-user;
- It is necessary for audience measuring (subject to restrictions);
- It is necessary for security, fraud prevention or detection of technical faults in a time limited capacity;
- It is necessary for a software update (subject to additional requirements); or
- It is necessary to locate end-user equipment in response to an emergency communication.
Note that there are also requirements around collecting information for device connection which are outside the scope of this article.
Under the old definition of consent, there was some confusion about whether consent to cookies and their equivalents could be implied (opt-out) or had to be explicit (opt-in), with EU Member States taking differing approaches. It is clear that consent now has to provide an unambiguous indication of the data subject's wishes so inaction or silence will be insufficient, however, questions around how to capture specific consent remain.
Crucially, under the latest Council draft of the Regulation, the consent required to place cookies on end-user equipment, can (but does not have to) be expressed by using browser settings, or as the draft Regulation puts it, "the appropriate technical settings of a software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet". Consent collected in this way does not have to identify the individual but can be demonstrated using a technical protocol.
In previous drafts, Article 10 contained a requirement for software (including browsers) to offer the option of preventing third parties storing information on end-user equipment. On installation, the end-user had to be informed about the privacy settings options and required to select their settings in order to complete installation. In relation to existing software, the privacy options had to be presented at the time of the first update and in any event, by a longstop date. The European Data Protection Supervisor had pushed for these (and possibly further) requirements around granularity of technical settings to enable user control, and for a requirement that privacy settings should be set at their highest level by default. Neither of these elements is present in the current draft which has deleted the original Article 10 in its entirety.
The cookie rules in the Regulation makes much more sense with Article 10 included. Under the GDPR, privacy by design and default is required. This means that privacy settings have to be set at their highest by default. One possible interpretation of this requirement without Article 10, is that on the day the Regulation comes into effect, browsers will need to default to rejecting cookies unless they fall within an exemption to requiring consent. But what if the user does nothing to change this? Websites will be unable to override the browser settings themselves and it is the browsers that would need to ask for specific consents on a case by case basis. While Firefox has a plugin which allows you to reject cookies, accept them on a particular site for a particular session, or accept them for a particular site on a permanent basis, not all browsers achieve this level of granularity. Without it, setting cookies preferences through browsers is unlikely to satisfy either legal or commercial requirements.
It is also difficult to see how browser settings could satisfy the requirement that consent be specific without significant granularity. Most current browser settings can be used to say 'yes' or 'no' to general types of cookies or prompt you to decide for yourself, but without dealing with websites individually, would consenting to a particular type of cookie on a generic basis satisfy the requirement that consent be specific?
The Regulation in its latest iteration leaves a number of issues on cookies unclear. The most likely outcome is that, in the absence of sufficiently sophisticated browser options becoming industry standard, websites will need to continue to manage their own cookies through banners and pop-ups, rather than relying on browsers to do so. What is clear, is that opt-in consent is now required to any cookies falling outside one of the exemptions.
Unsolicited and direct marketing communications
The Directive bans the use of automated calls, fax (what's that again?), or email for the purposes of direct marketing, without consent, except, in the specific case of email, where the subscriber has already received goods or services from the business in which case they can receive electronic marketing relating to similar products and services, as long as a right to opt-out is provided at the time the details are collected and with each communication. In addition, Member States are required to ensure that free, unsolicited, non-electronic direct marketing communications either require the consent of the individual, or allow individuals to opt-out of receiving them.
The latest Council draft of the Regulation applies a similar ban on using electronic communications services to send direct marketing communications to "natural persons". It defines direct marketing communications as "any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message, etc.".
Other requirements around electronic marketing in the latest draft are: anyone sending electronic direct marketing must also provide a calling line identification on which they can be contacted. Senders are also required to identify themselves with return addresses or numbers, identify the marketing communication as marketing, and provide a means to natural persons to object or withdraw consent. Member States have discretion to allow direct marketing voice-to-voice calls to natural persons who have not opted-out of receiving such calls (overriding the more general ban on direct marketing to individuals without consent), and to require that all direct marketing calls have a dedicated code or prefix to identify them as such.
In relation to B2B marketing, the situation is open to interpretation by Member States under the current Directive. Member States are required to ensure that: "the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected". The UK has taken that to mean that opt-in consent is not required for B2B marketing (subject to certain exemptions eg sole traders). This applies even where personal names are included in business email addresses. Other Member States, have not, however, distinguished between B2B and B2C direct marketing and require opt-in consent (and in some cases, have a preference for double opt-in) for both.
The latest draft of the Regulation currently appears to preserve this position in as much as it uses similar wording. Member States "shall ensure…that the legitimate interests of end-users that are legal persons with regard to direct marketing communications sent by [electronic means] are sufficiently protected. It is unclear whether the Council's intention is to keep options open for Member States around B2B marketing, or whether it considers that this clause applies only to marketing sent to contacts which do not contain personal data, for example, [email protected]
The preservation of the wording in the Directive potentially puts the ball in the court of governments and, possibly regulators, to decide whether to distinguish between B2C and B2B marketing and could mean that, despite the fact that the rules on electronic direct marketing are moving from a Directive to a Regulation, there will not be a harmonised outlook across the EU.
It is also currently unclear whether the UK will seek to preserve its current position of distinguishing between B2C and B2B electronic direct marketing (if the Regulation provides scope to do so), or whether it will tighten requirements to an opt-in by requiring consent for all electronic marketing, both to individuals and individual contacts within businesses. Given the Regulation is unlikely to come into force before Brexit (assuming that takes place as planned on 29 March 2019), there may be no requirement for the UK to change its current position on B2B marketing in any event. It may, however, choose to fall in line with the Regulation (or with EU market practice) in order to preserve parity with the EU on data privacy.
While we have mostly concentrated on the latest Council draft in this article, we should emphasise that this is still very much a draft and may well change significantly before it gets to the final position.
It is the uncertainty which has been most difficult for businesses. The most pressing issues which the final version of the Regulation needs to clarify are the approach to B2B electronic unsolicited and direct marketing communications, and the extent to which browsers are really able to satisfy cookie consent requirements.
It would have been helpful if the rules had been consolidated (or at least finalised) in one batch. Policies and terms and conditions (should) already have been scrutinised and amended where necessary for the purposes of GDPR compliance. Marketing databases (should) have been cleansed. GDPR consent should already apply where it is being relied upon. These processes may have to be gone through again depending on what the final version of the Regulation says and, for UK businesses, when it comes into force.