The European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned a study to assess the European Commission’s draft e-Privacy Regulation, which was published in January 2017. The e-Privacy Regulation aims to harmonise privacy rules across the EU in the area of electronic communications, but the study has found that the draft e-Privacy Regulation does not go as far as the GDPR in some respects. This contrasts with many other views expressed publicly, which regarded the Commission’s draft as a tightening of the GDPR regime. A central theme of the study, which was carried out by academics of the IViR Institute for Information Law, University of Amsterdam, is the need to protect privacy of correspondence regardless of medium or any other factor. The EU legislative institutions are urged to pay extra attention to four areas in which it is felt that there is insufficient protection of the right to privacy and confidentiality of communications:
- Location tracking
- Browsers and default settings
- Tracking walls
- Confidentiality of communications
The following points are regarded as being particularly problematic:
Location tracking: The report notes that “Article 8(2) allows location tracking without consent and without an opt-out option” as it allows an organisation to follow movements by WiFi or Bluetooth if it has put up a sign warning that this will happen and that phones or devices must be turned off to avoid being tracked. The report warns that “under that proposed rule, people might never feel free from surveillance when they walk or drive around” and will constantly need to be on the alert for such signs and can only escape tracking by limiting the functionality of their devices. Instead, the report suggests that collecting WiFi or Bluetooth signals should only be allowed after informed consent has been given. There may be an exception to allow people-counting, subject to immediate anonymisation and other appropriate safeguards.
Internet-wide tracking: An early version of the proposal provided that browsers should have privacy-friendly settings by default. However, Article 10 now provides that browsers and similar software should offer the option to allow or reject third-party tracking (internet-wide tracking). It is noted that the GDPR prescribes data protection by design and by default, and as the current Article 10 is difficult to reconcile with the GDPR, it is recommended that the privacy by design approach be reinserted, and that requiring compliance with Do Not Track should be considered (applying to all tracking technologies including cookies and device fingerprinting).
“Take it or leave it” choices: An example of these is “cookie walls” which visitors to websites can only pass if they agree to being tracked. As a result, people are likely to consent to tracking even if they do not want to disclose data. Although a complete ban would provide the greatest level of legal clarity, it is suggested that a partial ban could provide for tracking walls to be prohibited under certain circumstances, for example with regard to state-funded websites, sites regarding health or other sensitive information, and sites with a monopoly-like position. The black list should be complemented with a grey list, which would provide for circumstances under which a tracking wall is presumed to be illegal.
Analysis of communications: It is recommended that analysis of communications content and metadata only be allowed in limited circumstances and only insofar as is strictly necessary. If no exception applies, the law should ensure that all end-users give meaningful consent before companies can analyse their communications content or metadata.
It would now be logical for the Parliament to follow the study’s recommendations when agreeing its preferred draft later this year. Predictably, the impact of this will be a detailed legislative process, similar to the one we saw during the adoption of the GDPR. However, something important to remember is that whatever the timeframe for adoption of the new e-Privacy Regulation, the GDPR will become applicable on 25 May 2018. This means that the GDPR standards for valid consent will apply to the consent requirements under the existing EU e-privacy legislation.
Elizabeth Campion, in our London office, contributed to this entry.