On April 24, 2017, the European Data Protection Supervisor (EDPS) issued its “Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation)” , which is to repeal and replace the ePrivacy Directive . The Proposal aims at updating ePrivacy Directive as part of the wider effort to provide a coherent and harmonised legal framework for data protection in Europe. The ePrivacy Directive completes Directive 95/46/EC6, which will be replaced by the recently adopted General Data Protection Regulation (GDPR)
According to the EDPS, without the ePrivacy Regulation, the EU privacy and data protection framework would be incomplete. For the EDPS, GDPR -the General Data Protection Regulation- is a great achievement, because the EU needs a specific legal tool to protect the right to private life guaranteed by Article 7 of the Charter of Fundamental Rights, of which confidentiality of communications is an essential component.
Hence, the EDPS also welcomed the fact that many of his comments outlined in his Preliminary Opinion as well as in his informal comments have been taken into account, which has notably contributed to the quality of the Proposal. In addition, the EDPS welcomed the declared ambition to provide a high level of protection with respect to both content and metadata, in particular:
- the choice of a regulation over a directive as the form of legal instrument, which may ensure a more consistent level of protection across the European Union; the extension of the scope to cover OTT (‘over-the-top’) providers; the approach of allowing processing only under clearly defined conditions;
- the modernisation of the current consent requirements under the new Articles 9 and 10; focusing security provisions on issues specific to communications services and ensuring full alignment with the GDPR on data breaches; the choice of making the same authorities responsible for supervision of the rules under the GDPR and the ePrivacy Regulation;
- and the opt-in rule for all unsolicited commercial communications.
However, the EDPS remained concerned regarding the the following key issues, which need to be addressed in the ePrivacy Regulation :
- the definitions in the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code19 (the EECC Proposal);
- the provisions on end-user consent need to be strengthened. Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication. In addition, other data subjects who are not parties to the communications must also be protected;
- it must be ensured that the relationship between the GDPR and the ePrivacy Regulation does not leave loopholes for the protection of personal data. Personal data collected based on end-user consent or another legal ground under the ePrivacy Regulation must not be subsequently further processed outside the scope of such consent or exception on a legal ground which might otherwise be available under the GDPR, but not under the ePrivacy Regulation;
- the Proposal lacks ambition with regard to the so-called ‘tracking walls’ (also known as ‘cookie walls’). Access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given;
- the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
- the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
- the Proposal includes the possibility for Member States to introduce restrictions. These call for specific safeguards.