Part 1 of this article reported the publication in June 2015 of a Report on the implementation and effectiveness of the privacy-focussed articles in the e-Privacy Directive and their relationship to the proposed general Data Protection Regulation prepared for the Commission. Part 2 of this article looks particularly at the Report’s recommendations for legislative change in the provisions relating to cookies, traffic and location data and unsolicited marketing.
Cookies and consent (Article 5.3)
- Under Article 5.3 (following the amendments made to the e-Privacy Directive in 2009), Member States are required to ensure that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…".
- The Report looks in some detail at the historical background to the introduction of this consent requirement and takes the view that this provision does require "prior consent" (which is interesting to note in the light of arguments to the contrary by advertising interests). The consultants note that Article 5.3 regulates any information stored on terminal equipment and not just personal data, and they point out that it was pressure from the European Parliament which gave rise to the ‘consent’ requirement. The Commission, reacting to the widespread objection to the distribution of a tool called Mediamax by Sony as a Digital Rights Management measure which installed a rootkit onto the terminal equipment of the user, had merely proposed to widen the scope of the article to include distribution of ‘spyware’ by means other than an electronic communications network (now Recital 24).
- The Report also highlights both the seemingly inconsistent wording of Recital 66 of the Citizens Rights Directive (which amends the e-Privacy Directive), which speaks of the ‘right to refuse’ and the use of browser settings to give consent, and also the declaration by 13 Member States that a right to object is sufficient ‘consent’ in the case of legitimate cookies. As practitioners well know, this new law is surrounded with confusion, not least because some states (such as Germany and Estonia) have not yet transposed the revised Article 5.3 into Member State law.
- Much of the authors’ discussion is consequently directed to the issue of obtaining consent by browser settings and they propose that the Directive be amended by a Recital to make it clear that this will only be effective if the default settings reject third-party cookies and require the user to engage in an affirmative action to accept both the setting of and continued transmission of information contained in the cookies. The authors are concerned by the proliferation of warning messages generated by the new rules and propose that such warnings should be restricted to third-party cookies, those used for direct marketing and those not related to the purpose for which the user has visited a web site.
- Article 5.3 also includes exemptions from the need for consent either in the case of ‘any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ The Report proposes widening these exemptions by removing the ‘strictly necessary’ condition and by providing a specific exemption for cookies used to obtain web-site usage statistics. On the other hand, the authors suggest an amendment requiring the explicit collection of ‘specific, active and prior consent in all cases where cookies or similar techniques are used for direct marketing.’
- In concluding their discussion of cookies, the authors also mention briefly the unclear territorial scope of application of Article 5.3 and conclude that the most logical solution would be to use the rules in the general data protection framework. They mention in passing the fact that new server-side techniques of identification have been developed not requiring any storage on or access to terminal equipment. More substantially, they raise doubts about the appropriateness of ‘consent’ to legitimise tracking activities which might be extensive or unlimited. They recognise that this question is part of the current debate on the proposed general data protection Regulation around the topic of ‘profiling’. The authors voice considerable misgivings, asking whether ‘consent’ is ‘effective and logically plausible’ in this context, but give no answer to their question.
Traffic & Location Data (Articles 5 and 9)
- Next, the Report considers the provisions relating to traffic and location data. Traffic data are “any data processed for the purpose of a conveyance of a communication on an electronic communications network or for the billing thereof”.
- In principle, traffic data are to be deleted after their use for the transmission of the communication, but they may be retained for billing purposes and Member States can require their retention for national security and law enforcement purposes. Article 6.3 also permits providers of publicly available electronic communications services to process traffic data for the purpose of marketing electronic communications services as well as for the provision of value added services, although this is only allowed where the subscriber or user has given her prior consent, which may be withdrawn at any time. In practice this means that traffic data, unlike other categories of personal data, cannot be processed for direct marketing purposes based on an organisation’s legitimate interests.
- The Report expresses some concern at the state of compliance with this provision and comments on the practice of obtaining consent in the general terms and conditions of a communications supplier and in some cases obtaining the right to use the data for two years after the end of the contract.
- The Report also examines the rules for the use of location data other than traffic data, which are set out in Article 9 (although it recognises that some traffic data will also be location data and vice versa). Location data are defined as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”
- Article 9 requires that these data can only be used for value-added services (commonly known as location based services) if they are anonymised or with the consent of the subscriber or user. There is scope for retention of the data for national security and law enforcement purposes and the need for consent can be over-ridden by the emergency services.
- There is an extensive discussion of the problems created by this Article in requiring consent of either subscriber or user and in providing information in advance of consent. The Report is particularly conscious that Article 9 applies only to electronic communications service providers and not to information society service providers. Consequently, innumerable mobile apps providing location based services are outside its scope. Neither does the Article cover location data that are transmitted via enterprise networks aimed at a private user group.
- Consistent with the Report’s general approach to extending the scope of the e-Privacy Directive, it proposes ‘to make the rules with regard to the processing of traffic and location data applicable to all services provided via public or publicly available private communications networks that collect and further process traffic and location data. As a result, the processing of location data in the context of information society services provided via all kinds of mobile apps would be subject to the application of Art. 6 and Art. 9 …’
- Finally the Report suggests that the actual processing of traffic data and location data in Member States should continue to be closely monitored and that the solution for determining applicable law should also be brought in line with the solution adopted in the general data protection framework.
Unsolicited Direct Marketing (Article 13)
- The anti-spam Article 13.1, which prohibits the use of automated calling and communication systems, fax and e-mail for direct marketing without the prior consent of the subscriber or user, has, according to the Report, been reasonably transposed in a variety of ways into Member State laws.
- The principal concern expressed is that the restriction to electronic communications systems has been strictly interpreted leaving unregulated direct marketing by information society services such as Facebook, LinkedIn, Skype or Twitter even though the message might ultimately be delivered over an electronic communications system and notwithstanding the fact that the Article applies to messages sent by anyone and not just communications service providers. The Report suggests that such a narrow interpretation might not be correct and that messages sent by a communications service, but finally delivered by, for example, a webmail service should be treated as falling within Article 13.1.
- The Report considers at some length the ‘soft opt-in’ provisions (namely the exception to the consent rule), which have not been uniformly transposed, and expresses doubt about whether this exception is properly consistent with the notion of consent. When discussing means of giving consent, the Report is critical of what it describes as the ‘flexible’ UK approach and the advice given by the UK Information Commissioner. The Report notes the different approaches adopted by Member States in relation to direct marketing by other types of marketing medium and to the protection of legal persons.
- The Report makes recommendations consistent with its general approach to the scope of the Directive. Accordingly, it proposes that ‘the opt-in rule of Article 13.1 should also apply to e-mail messages transmitted via information society services.’ The choice of opt-in or opt-out under Article 13.3 should continue to be in the discretion of the Member States, partly because some states have already adopted an opt-in rule and partly to examine the success of systems such as the Telephone Preference Service. As a consequence of the different ways in which Member States have transposed Article 13, direct marketing can be subject to multiple and potentially inconsistent regulation. Consequently, the Report also calls for greater harmonisation of the rules on applicable law.
Relationship to Proposed General Data Protection Regulation
- The Report in its final section refers to Article 89 of the draft Regulation which recognises the need to ensure the integration with the e-Privacy Directive. Article 89 reads thus:
‘This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.’ ‘Article 1(2) of Directive 2002/58/EC shall be deleted’
- The Report is content that this article would provide a workable relationship between the proposed Regulation and the articles in the e-Privacy Directive which are the subject of the Report.
- However, the authors note, ‘if… the scope of application of the ePrivacy Directive were to be modified, the text of Article 89(1) should be amended as well… This should be changed into “obligations on natural and legal persons in relation to the processing of personal data in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.’
- Finally, the Report proposes that ‘the Commission should consider transforming the Directive into a Regulation for three reasons.’ That would first reduce the complexity of the relationship between the provisions of the two legislative instruments; secondly, apply to the topics of the study the supervisory and enforcement mechanism introduced by the proposed Data Protection Regulation and thirdly, provide the technical basis for the amendment of Art. 89 of the general Data Protection Regulation (once adopted) if it were no longer consistent with any future “ePrivacy Regulation”.
- Clearly, something must be done with the e-Privacy Directive. This Report gives the Commission a basis for dealing with the parts of that Directive which are specifically privacy related. The Commission has an opportunity, if it so wishes, to propose a further Regulation to deal with these topics and to extend its scope to information society service providers.
- Beyond that political value, the Report provides a valuable survey and analysis. It clearly demonstrates that we are faced with public policy and legislative incoherence, graphically illustrating the inconsistencies generated by seeking to regulate such matters as location-based services and direct marketing on the basis of the three sectoral silos of electronic communication, information services and audio/visual media.