The European Data Protection Supervisor ("EDPS") and WP29 have released opinions on the draft E-Privacy regulations.
Revealing a new E-Privacy law
Back in December 2016 the European Commission ("EC") began a public consultation on the effectiveness of the EU E-Privacy Directive. (The Directive, which is the source of the Privacy and Electronic Communications Regulations ("PECR"), imposes rules on the use of electronic communications, including using emails and SMS for marketing, prohibiting nuisance marketing calls without proper consent and setting rules on cookies.)
In January 2017, as a result of consultation feedback, the EC officially revealed draft replacement rules - the draft E-Privacy 'Regulation'. Amongst other measures, the draft regulation seeks to increase the financial penalties applicable to non-compliant companies and catches over-the-top communications (e.g. WhatsApp, messenger, Facebook and Skype) since these newer forms of communication were not considered by the current E-Privacy Directive.
Opinions of EDPS and WP29
Both the European Data Protection Supervisor ("EDPS") and WP29 recently released opinions on the draft.
- Both bodies welcomed the draft's application to over-the-top communications providers;
- Both bodies welcomed the decision to implement the proposal as a regulation rather than a directive (which means that the law, if and when enacted, can apply equivalently across all member states);
- WP29 and the EDPS praised "the alignment of fines under the Proposed Regulation with the GDPR" and WP29 supported the clarification of "electronic communications" covering "content and associated metadata".
However, EDPS and WP29 expressed the following concerns:
- Tracking walls should be banned under the proposals. WP29 defined the term as "take it or leave it choices that force users to consent to tracking if they want to have access to the service" - such as blocking a user's access to a webpage should they refuse to consent to cookies;
- Stronger end-user (i.e. sender and recipient) consent provisions are needed. WP29 contends that the consent of all end-users should be obtained in order to process all content and metadata (save for some exceptions). The EDPS has called for better consideration of the workability of the proposals, in particular calling the complexity of the rules "daunting" and noting that "Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions. This complexity may bring a risk of -perhaps unintended- gaps in protection";
- Software providers and devices should by default operate "privacy protective settings" under the rules to accord with the GDPR's promotion of privacy by design and default; and
- The EC should produce a technical standard which requires mobile devices to automatically signal an objection against WiFi-tracking.
The opinions of EDPS and WP29 will be subject to consideration by the European Parliament and Council of Ministers in the next stages of the development of this proposed draft. Organisations should await the outcome of these considerations. A final-form regulation is required before 25 May 2018 since that is the planned date for implementation, in line with the GDPR.