Since its hotly awaited publication in January, the Proposal for an ePrivacy Regulation (“Proposal“) has come under scrutiny from various stakeholders. Recently both the Article 29 Working Party (“WP29“), and the European Data Protection Supervisor (“EDPS“), have joined the chorus. Though both independent bodies are pleased with the concepts in the legislation, both express various concerns, with WP29 describing theirs as particularly ‘grave’. Those (grave) concerns, alongside some recommendations are explored in detail below.
EDPS: concerns over consent, tracking and cookies.
As expected in his Opinion the EDPS welcomes various parts of the Proposal, including the legislators’ choice for a regulation rather than a directive, and the extension of scope to over-the-top (“OTT”) communications services such as Skype and WhatsApp. The Commission’s ambition to bring all publically accessible networks and services within the scope of the confidentiality requirements is also praised.
However, though the EDPS welcomes and supports the aims of the Proposal, the Opinion sets out a number of areas where the Supervisor remains concerned about various provisions that “risk undermining the intention of the Commission”.
In particular the Opinion highlights the following concerns that will be of interest to companies:
The provisions on end-user consent must be strengthened.
Irrespective of whether users have subscribed for a service, the EDPS argues that consent for the processing of electronic communications data must be requested from all users and parties to a communication. So if, for example, a hotel chain contracts communications services for use by its guests, the EDPS is recommending that the guests, rather than the chain, must be the ones to consent to the processing of their communications data.
The Proposal may currently permit a lower standard of protection than that enshrined in the GDPR.
Though the EDPS is quick to praise the complementary nature of the Proposal and the GDPR, the Opinion expresses concern over the practicalities of the relationship between the two. In cases where the end-user has given consent to a service provider to transfer data (meta or content) to a third party which will then act as the controller, it is unclear which Regulation would take precedence. Therefore the EDPS recommends that a substantive provision is added to the Proposal stating that ‘providers shall not process personal data on any legal basis not specifically provided for in the Proposal’.
The Proposal “lacks ambition” with regard to ‘tracking walls’, also known as ‘cookie walls’.
The Supervisor argues that access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. Therefore the EDPS recommends a complete and explicit ban on so called ‘tracking walls’. To complete the provision the EDPS further recommends an explicit prohibition on the practice of excluding users who have ad-blocking or other applications installed to protect their information and terminal equipment
The Proposal fails to ensure that browsers will by default be set to prevent tracking individuals’ digital footsteps.
As it stands end users will be given the option to determine their cookie consent through software settings. Instead, the EDPS recommends that the Proposal imposes an obligation on hardware and software providers to implement privacy-friendly settings by default.
The exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards.
The Supervisor is also concerned about the proposed ‘device tracking’ exception in Article 8(2) (b) of the Proposal. The exception appears to provide nearly blanket permission for device tracking of any purpose, provided there is a notification to the user alerting them to the measures they can take to ‘stop or minimise collection’. The EDPS therefore recommends that the exception in Article 8(2) (b), as well as exceptions in Article 8(3) and 8(4), be deleted and replaced by a simpler requirement of consent.
The definitions in the Proposal must be clearly defined to achieve the core concepts.
The EDPS is concerned that the definitions relied on in the Proposal (set out in the Proposed Directive establishing the European Electronic Communications Code (“EECC“)) are “simply not fit for purpose”. It is argued that the dependence of key definitions in the Proposal on a separate legislative procedure for the EECC Proposal would create unnecessary and avoidable risks for the clarity and effectiveness of the ePrivacy Regulation. The EDPS therefore recommends the inclusion of a set of necessary definitions in the Proposal.
Article 29 Working Party (“WP29”): recommends extending direct marketing to behavioural ads and apps.
The WP29’s Opinion will perhaps be of most interest to businesses though what it does not mention, as opposed to what it does. The four (grave) concerns of WP29 focus on consent for location tracking of terminal equipment; the conditions under which the analysis of content and metadata is allowed; privacy by default protections in respect of terminal equipment and software, and the need for more controls on tracking walls (a practice for requiring that individuals can only use a site or service if they agree to tracking on other sites and services). None of these come as any real surprise and are largely similar to the concerns raised by the EDPS. The WP29’s Opinion will though be of interest to app providers, publishers and telcos, but is unlikely to be hugely controversial.
The most interesting parts of the Proposal for the majority of companies relate to the provisions on direct marketing. There will be relief that the Opinion does not raise material concerns with the ‘soft opt-in’ consent mechanism, which many feared may be challenged and require opt-in for all direct marketing communications. Instead, WP29 simply recommends:
- a clear extension to cover charities and political parties, and
- that the time period between the collection of the contact details and the sending of the marketing could be subject to a time limit.
However, perhaps controversially, the WP29 does suggest that the concept of direct marketing should be extended beyond traditional forms (such as email and SMS) to include behavioural adverts that may appear on a website or in an app. With the potential to have wide reaching commercial implications, one may expect the comments to consider the practicalities of this, in particular how such a provision would sit alongside the cookie requirements (usually the basis upon which such advertising is invoked). If this proposition is indeed included in the Proposal, then the European Commission’s stated aim of making the methods used for “providing information and obtaining end-user’s consent … as user-friendly as possible” will remain a pipe-dream. If anything, we may see even more pop-up consent boxes than we do currently.
Datonomy will continue to monitor the progress of the proposed ePrivacy Regulation as the Commission, in accordance with its stated aim, attempts to implement it alongside the GDPR on 25 May 2018. It should be stressed that the Proposal has many legislative hoops to jump through before then.