One of the main pillars of the Digital Single Market Strategy is the overhaul of the data protection framework. The adoption of the General Data Protection Regulation (“GDPR”) was a fundamental action to this end.
In this context, on 10 January 2017 the Commission presented a proposal for a Regulation on Privacy and Electronic Communication (“ePrivacy Proposal”) which would align the existing privacy rules for electronic communications to the GDPR. Moreover, the ePrivacy Proposal interacts with the European Electronic Communications Code - which is still under discussions - and partially relies on definitions provided therein, including that of “electronic communications services”. The Commission aims to implement the ePrivacy Proposal by 25 May 2018, in line with the GDPR.
Within the Parliament, the proposal is going through a fast but intricate process. The file was assigned to the Civil Liberties, Justice and Home Affairs Committee (“LIBE”) and three Committees - Industry (“ITRE”), Legal Affairs (“JURI”) and Internal Market - delivered their opinions at the beginning of October. ITRE and JURI’s opinions recommended serious amendments to the draft report and that, along with the lack of endorsement from the European People’s Party, caused the postponement of the LIBE vote on the Proposal by one week. On 19 October 2017 the report was adopted with a narrow majority and the Committee agreed to enter into interinstitutional negotiations (or “trialogue”).
At first glance it can be stated that, despite facing fierce opposition from the Digital Industry and parties considered more “pro-business”, the controversial key points of the draft report have not been watered down in the voted text:
- An amendment introduced new exceptions to the prohibition of processing, storing and collecting information on and from users' equipment without obtaining users’ consent as defined under the GDPR: (i) when it is technically necessary for web analytics; (ii) when it is necessary for security updates of the terminal equipment; (iii) in the context of employment relationships, when the employer provides and/or is the subscriber of the terminal equipment and it is strictly necessary for the execution of an employee’s task, provided that it will not be further used for monitoring the employee.
Moreover, and most importantly, the aforementioned amendment adds a new paragraph to Article 8 of the ePrivacy Proposal in order to explicitly forbid the so-called “tracking walls”, cookies that track users’ footsteps across the internet. According to this provision, websites and apps cannot deny users’ access to any service or functionality on the ground that they have not provided the consent for processing, storing and collecting information that is not necessary for the provision of that service or functionality.
- The modified report also introduces the privacy-by-default principle for software. It requires software suppliers to configure their products - including browsers - with the greatest possible privacy protection settings. Therefore, right after the installation, software shall automatically protect privacy and impede tracking, storing and collection of information, without requiring any actions from users.
- In case of breach of the cookie and privacy by default provisions (Articles 8 and 10 of the ePrivacy Proposal), the Parliament’s text enables to impose administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher. According to the original proposal from the Commission, such breaches could lead to fines up to EUR 10 million or 2% of the global annual turnover.
As evidence of the tensions behind some of these positions, the Parliament’s Plenary discussed and rejected an exceptional proposal to reopen the negotiations on this text and to send it back for discussion in the LIBE Committee.