As already mentioned in a previous post, on 10 January 2017 the European Commission presented a proposal for a Regulation (the “Regulation”) which is expected to amend Directive 2002/58/EC (the e-Privacy Directive), standardising the current European legal framework for the processing of personal data in the electronic communications sector. Its final approval is expected to coincide with the full application of the General Data Protection Regulation (“GDPR”), scheduled for 25 May 2018.
The Article 29 Working Party (“WP29”), with opinion n. 1/2017 (WP247) of 4 April 2017, and the European Data Protection Supervisor (“EDPS”), with opinion n. 6/2017 of 24 April 2017, have released their respective views on the proposed Regulation.
Both the WP29 and the EDPS welcomed the Regulation proposal, albeit with some concerns.
WP29 and EDPS’s opinions
Positive highlighted aspects
The main positive aspects of the proposed Regulation highlighted by WP29 are the following:
- extension of the scope: the proposed Regulation also covers Internet-based voice telephony and messaging services (the so-called “Over-The-Top” providers, “OTT”), i.e. the processing related to the exchange of e-mails and online messages, including the new electronic communications services (such as WhatsApp, Facebook Messenger, Skype, Viber);
- choice of the regulatory instrument: as for the GDPR, the choice of a regulation rather than a directive. This ensures that rules are uniform across the entire EU and provides clarity for supervisory authorities and organisations;
- alignment with the GDPR: the proposed Regulation provides a system of penalties that is largely similar to that of the GDPR, and makes the same authority responsible for monitoring compliance with the GDPR responsible for the enforcement of the ePrivacy rules; moreover, the proposed Regulation does not introduce a new and different data breach notification regime compared to what is already planned in the GDPR (Articles 33 and 34), which has the positive consequence of preventing unnecessary overlap with the data breach requirements of the GDPR;
- communications content and associated metadata: the WP29 also considered it positive that protection is extended not only to the content of communications but also to the associated metadata, that is “ancillary and outline elements of an information […]” which “where feasible must be anonymised and, if processed without consent or when they are no longer needed for the purpose for which they were collected, shall be deleted” (see the press release of the Italian Data Protection Authority of 26 April 2016, web 6294728);
- aspects related to consent: basic broadband internet access and voice communications services are to be considered “as essential services for individuals to be able to communicate and participate in the benefits of the digital economy” (Regulation, recital 18) and therefore “the consent for the processing of data from the use of internet or voice communication will not be valid if the data controller has no genuine and free choice, or is unable to refuse or withdraw consent without detriment” (Regulation, recital 18). Therefore, given people’s dependence on access to these services, the WP29 highlights that consent to the processing of their communications data for such additional purposes (i.e. processing for advertising or marketing purposes) cannot be valid. I think this should be understood as applying where consent is given together with the positive action of joining the service, the so-called take-it-or-leave-it approach.
Analogously, the EDPS highlights positive aspects, similar to those noted by WP29, which consist in particular of:
- the choice of a regulation as the form of legal instrument, which may ensure a more consistent level of protection across the European Union;
- the extension of the confidentiality requirements to a broader range of services, including OTT (‘over-the-top’) services;
- the approach of allowing processing only under clearly defined conditions;
- the modernisation of the current consent requirements under the new Articles 9 and 10;
- implicitly providing for full alignment with the GDPR with regard to data breaches, through the choice (already mentioned) not to include any specific provision on the subject;
- the choice of making the same authorities responsible for supervision of the rules under the GDPR and the ePrivacy Regulation;
- the choice of an opt-in rule for all unsolicited commercial communications.
Points of concern
However, both the WP29 and the EDPS have also expressed concerns about a number of provisions of the Regulation.
In particular, the WP29 highlighted four main critical points:
- the tracking of terminal equipment through WiFi or Bluetooth
Art. 8, second paragraph, of the Regulation provides that “The collection of information emitted by terminal equipment to enable it to connect to another device and, or to network equipment shall be prohibited, except if: (b) a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it and the other information required under Article 13 of Regulation (EU) 2016/679 where personal data are collected, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection”.
The absence of any reference to the consent of the data subject suggests that, for such tracking, it is sufficient to display a mere alert (banner) informing users of the possibility of “stopping or minimising such collection”.
According to the WP29, the obligations in the e-Privacy Regulation for the tracking of the location of terminal equipment should comply with the GDPR’s requirements; therefore, depending on the circumstances and the purpose of the data collection, such tracking should only take place with the consent of the individual concerned, or may only be performed if the personal data collected are anonymised;
- the conditions for the analysis of content and metadata
According to the WP29, metadata and content should be processed only with the consent of all end-users (i.e. senders and recipients); therefore, the consent of only one of the persons concerned is not sufficient. However, certain processing may be allowed without consent if strictly necessary for specific purposes, such as, for example, spam filtering;
- terminal equipment and software by default
The WP29 recommends that terminal equipment and software must by default “offer privacy protective settings, and guide users through configuration menus to deviate from these default settings upon installation”;
- the prohibition of “tracking walls”
The proposed Regulation should explicitly prohibit “tracking walls”, which consist of a “take it or leave it” situation “whereby access to a website or service is denied unless individuals agree to be tracked”.
As for the EDPS, it has raised concerns over the following main issues:
- the rules outlined in the proposed Regulation are very complex: “Communications are sliced into metadata, content data, data emitted by terminal equipment. Each being entitled to a different level of confidentiality and subject to different exceptions.” According to the EDPS, this complexity may put protection at risk.
- most of the definitions on which the Proposal relies are laid down in the European Electronic Communications Code (EECC), which is, however, a legal instrument with a different object (protection of competition and the market) and different aims (building a single market for effective communication) from those of the Regulation (which concerns the protection of personal data and the confidentiality of communications in the context of electronic communication services, and aims to encourage the security of digital services and the resulting user confidence).
This requires that the essential concepts of the Regulation be clearly defined in the light of the scope and objectives of this legislation.
Consequently, the EDPS recommends breaking the link between these two sets of rules by inserting the core definitions directly in the Regulation; these definitions must be consistent with the EECC, but need not be identical to it;
- the EDPS emphatically endorses the prominence given to the relationship of complementarity and specification between the Regulation and the GDPR, which is the basis of the equal standard of protection established by the provisions of the Regulation and those of the GDPR, but it also highlights the opportunity to strengthen the provisions on user consent;
- consent must be truly free: “For example, consent should be genuine, offering a freely given choice to users, as required under the GDPR” and, for this reason too, there should be no more “tracking walls” (also known as “cookie walls”), i.e. access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites.
Consent should then be required from all parties involved in the communication (for example, e-mail senders and receivers), save for specific exceptions related to particular circumstances.
In addition, the contents of the Regulation (including the definitions) should ensure that consent is provided by those who actually use the electronic communications service, and not merely by whoever subscribes to it.
Lastly, the law should provide that browsers are set by default to block tracking.
- the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
- the proposal extends, beyond the scope and objectives of the Regulation, the possibility for Member States to introduce restrictions on rights (by referring to art. 23, par. 2, lett. a) to e) of the GDPR): the EDPS points out the need to demonstrate the necessity and proportionality of such restrictions in the specific circumstances that may arise;
- the new rules must also set strong requirements for privacy by design and by default.
(On these issues, see also the interesting post by Paolo Calvi: “ePrivacy Regulation Proposal and GDPR”.)