E-Privacy does not end with the GDPR
Published on 22nd Jun 2018
The EU Proposal for an e-Privacy Regulation, that will repeal the Directive 2002/58/EC (amended by 2009/136/EC), is increasingly raising concerns among digital companies for it may have a financial impact of more than € 500 billion on the industry. The European Data Protection Board has made a recent statement on the revision of such Proposal and its impact on the protection of individuals with regard to their privacy and the confidentiality of their communications.
Besides the General Data Protection Regulation ("GDPR"), there is yet another upcoming EU Regulation that everyone must take into consideration: the e-Privacy Regulation. On 10 January 2017 the European Commission made a Proposal for an EU Regulation on the respect for private life and the protection of personal data in electronic communications (e-Privacy Regulation), with the aim of strengthening trust and security in the Digital Single Market. While the Proposal was initially intended to become applicable on the same date as the GDPR, its approval was delayed and its terms for the enactment, entry into force and application remain currently unclear. The scope of the e-Privacy Regulation would comprise electronic communications understood in a really broad sense, being applicable to all communications that would affect the consumer's privacy in their e-mails and instant messaging, which includes –but not limited to– spam, direct marketing, and cookies and similar technologies. The European digital industry are deeply concerned with the Proposal, which may have a severe economic impact on it. On the other hand, the European Data Protection Board (that has replaced the Article 29 Working Party as of 25 of May of 2018) has made public its opinion on the Proposal for the e-Privacy Regulation the very same day of their commencement of activity.
The new e-Privacy Regulation would aim to update the legal framework and further unite national laws on this matter. In particular, it seeks to set cookie rules in a more user-friendly way, enabling users to give (or not) consent through the browser settings. These new cookie rules would mean no more cookie banners, but instead, it may imply that we would see more 'please, accept our cookies to visit the website' in a similar way users are asked to disable their ad blockers. Nonetheless, the draft legislation on e-Privacy would not require consent for non-privacy intrusive cookies (i.e. e-commerce cookies). Furthermore, the first recital of the text of the Proposal mentions that 'the principle of confidentiality should apply to current and future means of communication'; with clear regard to e-mails and instant messaging (Over-The-Top communication services ("OTT")), but also regarding the Internet of Things (IoT) and Machine to Machine ("M2M") communications. The e-Privacy Regulation Proposal would also have provisions on Big Data, where it is stated that telecommunications firms may develop new services by leveraging on contents and/or metadata when consent is given for such a processing (otherwise, data should be anonymized or deleted except for billing).
On 4 June 2018 the AEPD (the Spanish data protection authority) organized the 10th Opened Annual Session in which the latest developments on data protection were shared and discussed. During the event, it was introduced the matter of how cookies shall be used in order to comply with GDPR rules on consent. In Spain, the e-Commerce Law (Law 34/2002, on Information Society and e-Commerce Services) is lex specialis in relation to the GDPR –lex specialis derogat legi generali–, but it refers to the latter when it comes to informed consent. Based on the requirements for obtaining a consent sufficiently informed as established in the GDPR, the speakers addressed how cookies should be settled hereinafter. In particular, how information should be displayed to the consumer or the way consent should be given/withdrawn.
As previously mentioned, the e-Privacy Regulation would now also be addressed to OTT (voice over IP and instant messaging services), which were not captured by the definition of 'electronic communication service' in the Spanish Telecommunications Law. These communications services –sometimes operated by the biggest players in the market worldwide– were from their emergence a hot legal topic as they could not easily be caught by any piece of legislation in Spain, while presenting true competition to regulated players in the Spanish telecommunications market. It would be interesting to see how the definition of the electronic communications services is finally determined by reference to the Directive establishing the European Electronic Communications Code to cover the OTT business models.
The Regulation would aim to ensure that information exchanged is not to be revealed to anyone other than to the parties involved in a communication, regardless of its kind. Thus, the proposed text of the e-Privacy Regulation states that "the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications". Nonetheless, the current text does not distinguish between M2M transmissions that contain human communications and those that do not. In this sense, it must be noted that the e-Privacy Regulation would be adding legal requirements to services that rely on this means of communication, even if not all M2M transmissions involve interpersonal communications.
To sum up, the proposed Regulation would set strict and clear privacy and data protection rules, which are said by industry stakeholders to have a clear economic impact. Indeed, this Regulation might be inviting online services providers to adopt an alternative payments-based business model without data-driven advertising. According to the Developers Alliance (a non-profit global membership organization that supports digital developers), European –and global– digital industry is concerned by the current draft legislation and quantified in € 551.9 billion the estimated potential annual loss related with the Regulation. Moreover, non-compliance with the e-Privacy Regulation may entail GDPR fines (which may be up to 20 million euros or the 4% of the annual worldwide turnover of the preceding financial year, whichever is higher).
Amidst the legislative procedure that will flow into the enactment of the e-Privacy Regulation, the European Data Protection Board ("EDPB") has decided to offer further advice and clarifications on some specific issues raised by the proposed amendments by the co-legislator. The EPDB starts by mentioning that the revision of the currently in force e-Privacy Directive is needed, as OTT communications are not covered by the same. The main observations of the EDPB are the following:
- Our current daily digital lives involve the use of electronic communications, which are likely to contain personal data and conclusions concerning the private lives of individuals can be drawn. Bearing that in mind, the proposed e-Privacy Regulation provides a new set of rules that should become the perfect tool to ensure the protection of such privacy, as it uses broad prohibitions and narrow exceptions and is consent-based.
- The protection of confidentiality is not a new concept and is currently ensured by the existing e-Privacy Directive. In this sense, the EDPB reminds that not only cookies, but every tracking technology is already subject to the consent of the user or is subject to one of the exceptions specified in the e-Privacy Directive. Additionally, the proposed Regulation includes some new exceptions that were proposed by the Article 29 Working Party.
- It is an objective of the proposed Regulation to ensure a uniform application across Member States and all data controllers, as well as to cover OTT communications in the scope of the Regulation. In this sense, any proposed change to the draft legislation that may undermine this objective should be avoided. The EDPB states that the consent needed under the e-Privacy Regulation should have the same meaning as in the GDPR, which would prevent online service providers from including the so-called "cookie walls".
- Article 10 of the proposed Regulation (information and options for privacy settings to be provided) is designed to offer users control over the use of the storage capabilities of their terminal equipment, which is supported by EDPB and further pushed forward by calling for explicitly including smartphones and other devices. In addition, EDPB declares that privacy settings should facilitate users to grant or withdraw consent in an easy way.
It must be reminded that EU Parliament draft ‘as it is approved’ and the final version of the EU Council (representing Member States) may vary, and we cannot anticipate the date when the e-Privacy Regulation will be published nor applied. Until the final version of the Regulation is approved we must be aware on any statements by the EDPB, national data protection authorities, and stakeholders on this matter.