The Article 29 Working Party (WP29) and the European Data Protection Supervisor (EDPS) have released their opinions on the European Commission’s proposed e-Privacy Regulation, which intends to repeal and replace the existing e-Privacy Directive.
Both EU regulators welcome many aspects of the proposal including the extension of the applicability of the rules to cover "over-the-top" (OTT) providers and machine-to-machine communications in the context of the Internet of Things (IoT). Whilst welcoming the proposal, the EU regulators remain concerned about a number of provisions which, according to the opinions, have the potential to undermine the level of protection of privacy in electronic communications that the Commission intended to ensure.
Key positive attributes of the opinions
- Choice for a regulation over a directive: The WP29 and the EDPS welcome the use of a regulation as the form of the new legal instrument as this ensures uniform application of the rules across the EU and helps maintain consistency with the approach taken in the GDPR in relation to the harmonisation of data protection laws across all EU member states. According to both opinions, the enforcement of the new rules by data protection authorities, which are responsible for monitoring compliance with the GDPR, will also contribute to the application of a consistent approach across the two legal instruments.
- Extension of scope: In its opinion, the WP29 also welcomes the applicability of the rules to OTT providers and to machine-to-machine devices that communicate with each other. OTT providers supply communications services that run over the internet, such as Skype, Whatsapp and Viber. Machine-to-machine communications commonly refer to the IoT, which includes, among other devices, personal communications devices and smart TVs. Like the WP29, the EDPS welcomes the expansion of the scope of the regulation and notes in particular that some providers of ancillary communications, such as those offered through games and dating apps, will be caught by the proposed rules.
- Modernisation of consent requirements: The WP29 also considers it positive that the proposed rules clarify that internet access and mobile telephony service providers cannot force their customers to consent to any data processing which is not required for the provision of the service itself. It also finds it helpful that the rules require any processing of natural persons' personal data in public directories to be subject to the consent of those natural persons.
- Application to publicly accessible networks: The EDPS further embraces the Commission's intention to bring all publicly accessible networks and services within the scope of confidentiality requirements. These should include, among other services, Wi-Fi access offered in hotels, restaurants, coffee shops, trains and networks offered by hospitals and universities.
However, while both EU regulators welcome and support the aims of the proposed rules, they highlight a number of areas of concern. The main concerns and recommendations of the EDPS and the WP29 are explored below.
Tracking walls: WP29 and EDPS recommend explicit prohibition
The WP29 and the EDPS consider that the ability to access online content should not be made conditional upon the individuals' consent to be tracked across websites, devices or apps. While the WP29 argues for an explicit prohibition on tracking walls, regardless of the tracking technology used, the EDPS goes further by recommending an additional explicit ban on the exclusion of users who utilise ad-blocking systems or other applications to protect their information and terminal equipment.
Default settings for preventing unlawful interference with terminal equipment and software
Although the proposed regulation gives end-users the option to prevent interference with their device, the EDPS considers that this requirement does not provide the same standard of protection as the 'Data protection by design and by default' provision of the GDPR (Article 25). It therefore recommends that the regulation impose an obligation on hardware and software providers to put in place default privacy settings that safeguard end-users' devices from unauthorised interference. Similarly, the WP29 considers that terminal equipment and software must discourage and prevent such interference by default.
EDPS concerned over loopholes between the e-Privacy Regulation and the GDPR
The EDPS praises the complementary relationship between the e-Privacy Regulation and the GDPR but expresses its concern over loopholes that may arise between the two legal instruments in relation to the protection of personal data. The EDPS notes in particular cases where the end-user has given consent to a service provider to transfer content data and/or metadata to a third party which will act as a data controller. In such cases, under the proposed rules it is unclear whether the processing of data by the third party will be governed by the e-Privacy Regulation or the GDPR. To ensure legal certainty, the EDPS recommends that the proposed rules include a substantive provision stating that "neither providers of electronic communications nor any third parties, shall process personal data collected on the basis of consent or any other legal ground under the e-Privacy Regulation, on any other legal basis not specifically provided for in the e-Privacy Regulation".
Direct marketing provisions
The WP29 has expressed concern about the scope of direct marketing, suggesting that it should extend beyond traditional forms of marketing communication (such as SMS and email) to include behavioural advertisements (based on end-users' profiles) that appear on the web. It also considers that the proposed rules should clarify the requirements for the withdrawal of consent for direct marketing and for the opt-out from marketing calls.
The WP29 makes further recommendations including the following:
- A clear ban on the use of false identities when sending direct marketing communications.
- An extension of the scope of direct marketing to cover charities and political parties.
Timing and next steps
Although the opinions issued by the EU regulators are non-binding, they may influence the reform of the existing legal framework, should they be taken on board by the Parliament and Council in the course of the legislative procedure.
The proposed regulation suggests that the Commission is aiming for the regulation to come into force on 25 May 2018 along with the GDPR. It remains to be seen whether the concerns raised by the EDPS and the WP29 will be addressed in the final regulation. Organisations should keep a close eye on the developments of the regulation to ensure that they are in the best position to comply once it is finalised.