As well as the current wide sweeping reforms being proposed to the existing European data protection framework (and in particular the introduction of a new Regulation1 to replace the Data Protection Directive2), another area which will need reviewing in the near future is the regulation of the electronic communications sector and the e-Privacy Directive3.
The e-Privacy Directive which forms part of the Regulatory Framework for Electronic Communications was first adopted in 2002 and, amongst other things, specifies how some of the principles in the Data Protection Directive apply to the electronic communications sector. The e-Privacy Directive was further amended in 20094 as part of a package updating the Regulatory Framework and by January 2013, all Member States had notified the necessary measures to implement the e-Privacy Directive into their national laws.
The European Commission has recognised in its proposal to reform the existing data protection framework that changes will be needed to reconcile the application of this new Regulation with the e-Privacy Directive. Indeed, the proposed Regulation makes a limited number of technical adjustments to the e-Privacy Directive to take account of the fact that the Data Protection Directive is being transformed into a Regulation and the Commission has undertaken to carry out a further review in this area once the Regulation has been published.
In order to prepare for this review, the Commission asked a team of consultants to undertake a study of the transposition and effectiveness of the specifically privacy related articles of the e-Privacy Directive and also to consider the relationship of the e-Privacy Directive to the proposed Regulation. The outcome of the study was published as a report in June 20155 (the “Report’) and raises interesting questions for the fate of the e-Privacy Directive. It is a lengthy document (122 pages) with additional detailed supporting material in the Annexes. This article (which is in two parts) seeks to summarise the scope of the Report, focussing particularly on the consultants’ recommendations for legislative changes. Part 1 below covers their conclusions and recommendations on the structure and scope of regulation and on confidentiality.
- The Report does not deal with the entire e-Privacy Directive but looks in detail at the following five specific topics, providing evidence of how they have been implemented and enforced in practice, suggesting gaps and potential areas for change and examining how the Directive should operate with the Regulation:
- Scope of the e-Privacy Directive (Articles 1 to 3);
- Confidentiality of communications (Article 5(1));
- Cookies, spyware and similar techniques (Article 5(3));
- Traffic and location data(Article 6 and 9); and
- Unsolicited commercial communications (Article 13).
Scope of the e-Privacy Directive (Articles 1-3)
- The provisions of the e-Privacy Directive are applicable to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.”6
- The Report takes a detailed look at the definitions which make up this statement which highlights how complex it can be to work out whether the e-Privacy Directive is applicable to particular services and also how it can result in artificial distinctions being drawn where services that are very similar from a functional perspective are in fact regulated by different legal regimes. For instance, broadcasting services which are intended for a potentially unlimited audience are not covered (e.g. near video on demand services) but when the individual subscriber or user who is receiving that information that is part of the broadcasting service, can be identified, then it will be covered (e.g. video on demand services). Information society services are also excluded from the definition of “electronic communications services” and yet certain provisions in the e-Privacy Directive such as those dealing with cookies are almost certainly applicable to such services. This confusion is further compounded by the fact that the e-Privacy Directive has also not been transposed into the national legislation of the Member States on a consistent basis with certain provisions being transposed into legislation dealing with general data protection laws or other laws dealing with information society services or consumer protection. This means that different services can therefore be treated differently in each Member State.
- The Report goes on to note that in contrast to the Data Protection Directive there are no applicable law provisions in the e-Privacy Directive. In the authors’ view, which is perhaps controversial, in the absence of such an explicit provision, the same principles should currently be applied as to the rest of the European Regulatory Framework for Electronic Communications, namely the place where the services are provided and they conclude that the applicable laws rules in the Data Protection Directive (which look to where the operator is established) would not be applicable to the e-Privacy Directive.
- In the authors’ view, given growing convergence and technological developments, it no longer makes sense to distinguish technologically between information technology services, telecommunications services and media services. Indeed, they have the greatest doubts about whether the regulation of these activities in three separate sectors is sustainable. However, they highlight that this is an issue which goes beyond the e-Privacy Directive because it is a distinction which is underpinning all European regulation dealing with the online environment. As such, it is unlikely to change in the short term, so the Report therefore recommends instead, looking at what changes can be made to the existing e-Privacy Directive to help ensure consistency.
- The recommendation is to amend Article 3 of the e-Privacy Directive (as set out in Para 2 above) to ‘make its provisions applicable to the protection of privacy and the processing of personal data “in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.’
- The Report suggests that this amendment "would put an end to the discussion about the applicability of the provisions of the ePrivacy Directive to information society services and other value-added services provided via public electronic communications networks.’ and ‘ remedy the currently perceived distortion in which very similar services are subject to different regimes and the consequent uneven playing field."
Confidentiality of communications (Article 5.1)
- The Report next turns to the duties in Article 5.1 to keep communications confidential. This Article states that: “Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services through national legislation” and that “in particular, [the member states] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users”.
- The Report notes that Member States have all had legislation for many years protecting the confidentiality of private communications (together with national exemptions for security and criminal investigation purposes) and that therefore the transposition of Article 5.1 did not have a harmonising effect in this regard. Nor do the consultants believe that this will change with the new draft Law Enforcement Directive7. These elements are so deeply integrated in matters within the jurisdiction of Member States that harmonisation is unrealistic. Nevertheless, the consultants propose changes to reflect their general approach of widening the scope of the e-Privacy Directive beyond public electronic communications systems.
- Consistent with the proposed changes to Article 3 (see para 6 above) the Report suggests making the provision applicable to “confidentiality of communications and the related use of traffic data by means of a public or publicly accessible private communications network”.
- Secondly, in the authors’ view, it is uncertain what the current drafting of this provision means for technologies which are fully automated and which register electronic communications (such as deep packet inspection systems used to detect malware or mobile apps which access contact lists or SIM card data). The Report questions whether such intrusions are justified and that even with the consent of the user under Article 5.3 (i.e. the cookie rules as discussed further in Part 2 of this Article) whether they are incompatible with the proportionality principle applicable to the processing of personal data. The Report concludes that a recital should be added which clarifies that the confidentiality of electronic communications should be protected against “automatic” intrusions without human intervention.
- Thirdly, the exception in Art. 5.2 for “technical storage which is necessary for the conveyance of a communication” should probably be broadened to “storage as far as necessary for ensuring the functioning of the network or the provision of the service on that network”. This is consistent with the Report's proposed extension of scope of Article 5.1 to information society services.
- Finally in this chapter, the Report considers in some detail the lawful business exemption in Article 5.2. This states that the protection of confidentiality “shall not affect any legally authorised recording of a communication and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.”
- Again this exemption has been transposed by Member States in very different ways: The United Kingdom and Belgium are notable for their extensive use of the exemption, but some Member States have made no such provision at all seemingly because it is thought to be too prejudicial to general rights to the privacy of communications. The consultants suggest that the scope of this exemption be clarified to allow further harmonisation in this area. They propose widening it to other situations such as the recording of communications in an employment context for quality control or legitimate supervision of work performance. However, a careful assessment of the impact of such change on stakeholders would be needed to assess its feasibility, taking into account the diversity of rules currently applicable to the processing of personal data in the employment context.