The European Data Protection Supervisor (EDPS) has recommended further changes to the proposed ePrivacy Regulation that would have significant impacts on the electronic communication sector and other online companies. In a 40-page opinion issued on April 24, 2017, the EDPS praises certain aspects of the current proposal as positive, voices key concerns about other aspects of the proposal, and makes several recommendations to change the proposed draft. The EDPS’s opinion follows another recent opinion by the Article 29 Working Party that recommended also changing the current proposal. The European Parliament and European Council are set to review and negotiate the final text over the coming months, with the ambitious goal of concluding negotiations by the end of 2017.
The EDPS’s opinion focuses on the following key concerns and recommendations:
- Privacy-focused definitions. Under the current draft, the ePrivacy Regulation depends on definitions contained in the European Commission proposal for a Directive establishing the European Electronic Communications Code (the EECC Proposal). However, the EDPS believes that core concepts used in the ePrivacy Regulation—such as “end-user” and “interpersonal communications service”—must be separately and carefully defined to improve the clarity and effectiveness of the ePrivacy Regulation. Accordingly, the EDPS recommends that the scope and definitions of the new ePrivacy Regulation focus on the protection of fundamental rights, instead of concerns about fair competition, efficient use of resources, and incentives for investment.
- Strengthened consent requirements. The opinion notes that, under the current proposal, it is not always clear whose consent is required in certain circumstances. Therefore, the opinion recommends that the proposal’s consent requirements be strengthened in three key ways:
- Consent must be given by the individuals using the communications service, instead of employers, business owners, landlords, heads of households, or other third parties who may subscribe to the services;
- Consent must be requested from all parties to a communication, except in limited and specific circumstances when consent of one party may be sufficient, such as “when an individual’s location data is tracked in such a way that no other person’s personal data is involved, or when an individual requests specific limited services such as the ability to search and organise her own incoming emails, according to key words or by senders” (see page 15 of the opinion); and
- Any processing based on end-user consent must not adversely affect the privacy rights of individuals who are not parties to a communication but whose personal data are included in those communications.
- Limitations on legal grounds for processing electronic communications data and information related to terminal equipment of users. The opinion emphasizes that the ePrivacy Regulation should provide additional, and complementary, safeguards relative to the GDPR. Therefore, in the view of the EDPS, the stricter regime of the ePrivacy Regulation must not be circumvented in cases where the end-user has given consent to a service provider to transfer metadata and/or content data to a third party, who will then act as a controller and engage in further processing. Among other changes, the EDPS recommends that the ePrivacy Regulation should specify, in a substantive provision, that “neither providers of electronic communications services, nor any third parties, shall process personal data collected on the basis of consent or any other legal ground under the ePrivacy Regulation, on any other legal basis not specifically provided for in the ePrivacy Regulation.”
- Prohibition on “tracking walls” and other practices that exclude users with ad-blocking or similar applications installed. Consistent with the Working Party’s opinion on the proposed ePrivacy Regulation, the EDPS recommends prohibiting so-called “tracking walls” and other practices that exclude or deny access to users who do not consent to tracking across sites or who take additional steps to protect their privacy. The opinion notes that under the current ePrivacy Directive, “consent mechanisms have been developed by businesses and other organisations with the objective of arguably meeting the bare legal requirements for compliance under the ePrivacy Directive but failing to give users a genuine choice and control over what is happening to their data.” Accordingly, the EDPS recommends adding several provisions to the current proposal to prohibit certain practices:
- a “complete and explicit ban” on tracking walls;
- a substantive provision providing that “no one shall be denied access to any information society services (whether these services are remunerated or not) on grounds that he or she has not given his or her consent under Article 8(1)(b) to the processing of personal data that is not necessary for the provision of those services”;
- an additional, explicit prohibition on the practice of excluding users who have ad-blocking or other applications and add-ons installed to protect their information and terminal equipment;
- a recital stating that “processing of data for purposes of providing targeted advertisements cannot be considered as necessary for the performance of a service”—which, in practice, likely means that websites and apps would need to rely on user consent instead, and would not be allowed to exclude or deny access to users who do not consent to interest-based advertising; and
- a substantive provision requiring that “no one shall be denied any functionality of an IoT device (whether use of a device is remunerated or not) on grounds that he or she has not given his or her consent under Article 8(1)(b) for processing of any data that is not necessary for the functionality requested.”
- Privacy-friendly default settings. Also consistent with the Working Party’s opinion on the proposed ePrivacy Regulation, the EDPS recommends that technical settings of browsers, devices, applications, or other software that allow individuals to express consent must be privacy-friendly by default, both: (i) during installation or first use; and (ii) when users make significant changes to their devices or software.
- Mandatory adherence to accepted technical and policy compliance standards, which could include “Do Not Track.” Moreover, in the view of the EDPS, website operators and other parties should be required to adhere to “accepted technical and policy compliance standards,” which could include standards applicable to “Do Not Track,” “Limit Ad Tracking,” or similar privacy settings that may be developed in the future.
- Restrictions on mobile location tracking. The opinion recommends that—subject to certain limited exceptions for scientific research, official statistics, protection of vital interests, and narrowly-tailored location analytics—companies should not track the physical location of users’ devices without consent. This is consistent with the Working Party’s recommendation that companies must obtain consent to track individuals’ physical movements via Wi-Fi or Bluetooth.
- Safeguards against Member State restrictions on privacy rights and mandatory disclosures about government access requests. The EDPS recommends that any national data retention regime introduced by Member States to detect, investigate, and prosecute serious crime should be consistent with the EU Charter of Fundamental Rights and should be restricted by appropriate safeguards, such as prior judicial authorization for any access to content or metadata. In addition, the EDPS recommends requiring companies to publish information about the frequency and volume of government access requests, at least periodically and in an aggregate form, to enhance transparency about government requests to access individuals’ personal data.
Finally, in anticipation that the ePrivacy Regulation will be finalized in time for it to become effective on May 25, 2018, the opinion contains additional recommendations for technical changes and comments to revise the text of the current proposal. Given the number of outstanding issues, we expect that the EDPS and other stakeholders will continue to recommend changes to the proposal and provide further advice in subsequent stages of the legislative process. The extent to which these advisory opinions and positions will actually be taken into consideration remains to be seen.