Who: Article 29 Working Party (Art29WP)

Where: EU

When: 4 April 2017

What happened:

The European Commission’s draft proposal for an e-Privacy Regulation (intended to replace the outdated e-Privacy Directive) was published in January 2017. On 4 April 2017, the Article 29 Working Party adopted its opinion on the Regulation. In general, the Art 29 WP welcomed the proposal. However, the opinion highlighted certain areas of concern, whilst also recommending a number of clarifications to protect end-users and ensure legal certainty.

What are the positives?

It wasn’t all grumbles; the Art 29 WP was pleased with a number of aspects of the draft Regulation, including:

  • ensuring uniform application across the EU, through the use of a regulation as the legislative instrument of choice;
  • the expansion of the scope to cover Over-The-Top providers and machine-to-machine interactions, as well as some providers of ancillary communications, such as through games, dating apps and review sites;
  • the inclusion of both content and associated metadata in the definition of “electronic communications data”, recognising that metadata may contain particularly sensitive data; and
  • a number of changes relating to the concept of consent:
    • clarification that providers of internet access and (mobile) telephony services cannot force their customers to consent to data processing which isn’t necessary for the provision of the service itself;
    • harmonising the requirement for consent to include individuals’ personal data in public directories, meaning any processing of such data will require the consent of natural persons; and
    • a new targeted exception for the non-intrusive measuring of web traffic.

What didn’t they like?

Despite what it perceived as positives, the Art 29 WP drew particular attention to four key areas of “grave” concern which it believes undermine the promise to provide an equal or higher level of protection than the GDPR.

Tracking of the location of terminal equipment

The proposed Regulation suggests that the mere display of a notice, implementation of security measures, and informing users of steps to minimise or stop the collection, are adequate for the collection of tracking data from terminal equipment. The Art 29 WP considers that this falls far short of the requirements under the GDPR. Furthermore, the Regulation fails to impose any clear limitations on the scope of collecting and processing such tracking data, and the Art 29 WP recommends the promotion of the development of technical standards for automatic signalling by mobile devices against such tracking.

The conditions under which the analysis of content and metadata is allowed

The Regulation affords different protection to content and metadata, a distinction with which the Art 29 WP strongly disagrees, arguing that both may be highly sensitive. Its recommendation is to prohibit processing of both unless consent is obtained from all end-users, i.e. both sender and recipient – with certain exemptions where strictly necessary.

Default settings of terminal equipment and software

Although the Regulation obliges software providers to offer end-users the option to prevent interference with their device, the Art 29 WP believes this falls far short of the requirement of “privacy by design and default” under the GDPR, pointing out that the “option” to prevent interference already exists and has done little to address the issue of unwarranted tracking. The Art 29 WP believes equipment and software must discourage and prevent such interference by default.

Lack of an express prohibition on tracking walls

Tracking walls prevent an individual from accessing a website or service unless they agree to be tracked on other websites and services. The Art 29 WP believes such conditionality should be expressly prohibited, stating that the ability to track users over time or across several services may seriously intrude on an individual’s privacy.

Other minor concerns

Although not quite as worrying to it, the Art 29 WP drew further attention to a number of more minor concerns, including:

  • the need for the territorial and substantive scope to be expanded;
  • the need to strengthen the protection of terminal equipment;
  • expanding the scope of direct marketing; and
  • the ambitious deadline to implement the Regulation alongside the GDPR in May 2018.

Why this matters:

The Art 29 WP’s opinion is not binding on the European Commission and, therefore, it is not clear whether, and to what extent, its concerns will be addressed in the final Regulation. However, the European Commission may be influenced by one or more of the “grave” concerns, particularly given the intention of the Regulation to compliment, and ensure consistency with, the GDPR.

Both the e-Privacy Regulation and the GDPR aim to harmonise privacy rules across the EU. However, with certain aspects currently suggesting a different standard of protection, it is likely to lead to confusion.

With just one year until its intended implementation date, businesses should be assessing their own processes to ensure they address any data protection issues. Organisations should keep a close eye on the developments of the e-Privacy Regulation as, come May next year, much stricter requirements could catch businesses off-guard.