Background
The European Commission, in April 2016, launched a public consultation in order to gather opinions of different stakeholders in regard to the future of Directive 2002/58/EC (ePrivacy Directive). The ePrivacy Directive concerns the processing of personal data and the protection of privacy in the electronic communications sector.
Almost a year later and after the publication of the consultation results, the Commission in January 2017 released a draft proposal for a Regulation on Privacy and Electronic Communications (hereinafter ePrivacy Regulation), which will eventually replace the ePrivacy Directive. The proposed reform aims to align with the overhaul of the EU data protection framework, especially the new General Data Protection Regulation (GDPR), which will be applicable as of May 2018, and eventually achieve maximum harmonization in regard to data protection laws across Europe.
In general, the proposed ePrivacy Regulation includes changes such as the extension of the scope covering any company that processes personal data in the context of delivering electronic communications. In that way, not only “traditional” telecommunication providers but also Over-The-ToP (OTT) providers such as WhatsApp, Skype, etc. are being covered under the Regulation. Similar to the “old” ePrivacy Directive, rules on communication content and metadata, provisions for cookies and spam are part of the proposed ePrivacy Regulation.
Council’s First Approach
Following the European legislative procedure, the Council of the European Union (hereinafter Council) released [September 8th] its very first draft version of the ePrivacy Regulation. The Council focuses only on the operational part (provisions) and leaves out the Recitals.[1] According to the Council, the purpose of this first draft is merely to outline specific issues for further examination in light of discussions that will be held in the upcoming WP TELE meetings.[2] The Council invites delegations to express their views on the changes and indicate solutions.[3]
Council seems to highlight the importance of specific topics that need to be addressed under the new Regulation inter alia the processing of data for direct marketing purposes, the provision of cookies, the processing of communications content and metadata, and the machine to machine communications (IoT). However, the most relevant changes from a practitioner and data protection perspective are the provisions on direct marketing, cookies and collection of consent. For the purposes of this blog post, it will be examined both Commission’s proposal and Council’s changes in regard to the specific provisions.
Direct Marketing Communications
Council overall accepted the Commission’s proposal and did not make a lot of amendments regarding direct marketing. In its draft version, the Council replaced the word “Unsolicited” communications in the provision with “Direct Marketing Communications”. Council, thereby seems to give a direct message to the involved parties, that direct marketing communications should be properly addressed and regulated as such, thus pointing out its importance in the new regulation.
According to the provision, prior opt-in consent for sending direct marketing communications is required unless the communications are addressed to existing customers and they have been given the right to opt-out at the time of data collection. The definition of direct marketing includes any form of advertising (written or oral) such as emails, SMS, MMS, automated calling, etc., while direct marketing via live voice calls is up to Member States discretion. Also, individual’s right to receive information regarding the nature of the communication, the identity of the sender, the right to withdraw their consent in an easy manner is highly endorsed under the proposed Regulation as well.
Cookies
One of the main topics under the proposed reform is cookies’ regulation. Under the Commission’s Proposal, cookies are mainly being addressed under Article 8 and 9 as well as Recitals 20 to 24. The Commission in its initial proposal tried to assess the online data protection sphere and consequently proposed rules that will endorse individuals’ rights in order to be aligned with the GDPR. According to Commission’s proposal, current practices regarding cookies will be unlawful under the Regulation; Provided, the regulation remains the same, companies would need to change their practices and create more transparent privacy settings. In other words, companies will not be able to access user’s devices and collect information from them unless the information is necessary for the delivery of a service, or the user provide his/her consent.
Council did not remain silent on the controversial topic of cookies either and it provided amendments to Article 8, 9 (consent) and 10.
Audience Measuring (Article 8 (1) (d))
The Council includes the possibility for the providers to engage a third party who will carry out the audience measuring on behalf of them. However, third parties should comply with the conditions of a “Processor” in accordance with Art. 28 of the GDPR, including specific contracts detailing extent, type and purpose of the processing of data.
IT-Security updates (Art. 8 (1 (e))
The Council introduced a new right to access user’s devices and collection of information for security updates. However, this will be allowed only if user’s privacy settings will not be modified in any way, the user will be informed in advance and be given the chance to postpone or turn off the automatic installation of such security updates.
Limiting data collection (Article 8 (2) (b) (c))
The Commission limited the collection of communication information to cases where this is indispensable for establishing a connection. Council added two other exceptions to this rule; if the user consented to such collection (Art. 8 (2b)) and if this is “necessary for the purpose of statistical counting that it is limited in time and space to the extent necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose” (Art. 8 (2c)). Hence, according to the Council, the possibility for visitor counting by the providers is allowed as long as users are sufficiently informed and security measures are in place.
“Privacy Setting by design” (Art. 10 (2a))
Finally, under the Commission’s proposal, Article 10 (1) requires software which permits electronic communication to include an option that hinders from storing or accessing information on user devices by third parties AND inform users on privacy setting options at the installation. The Council’s proposal slightly “hardens” this requirement by suggesting that the software shall provide in a clear manner easy ways for users to change the settings at any time during its usage (Art. 10 (2a)).
Consent
Consent under the proposed Regulation basically is in line with GDPR’s consent. However apart from user’s right to withdraw his consent, set out in the GDPR, the proposed ePrivacy Regulation, introduces something completely new: the user must even be reminded about his right to withdraw his consent at periodic intervals of 6 months, as long as the processing continues. The Council extended the period in between reminders to “no longer than 12 months”. It will be interesting to see the final version, whether this will withstand marketing companies’ “diplomatic efforts”.
The Commission’s proposal is traditionally the first step in the European legislative procedure. The proposal for the GDPR was released in January 2012 and it took until May 2016 for its final adoption. In light of everyone’s daily usage of OTT-services such as WhatsApp and Facebook but also the application of advanced cookies (fine against Facebook in Spain), it seems that immediate legislative clearance could help to provide legal clarity in this field.
[1] The recitals are not part of the legal text in the Regulation. They provide a further interpretation of the wording of provisions.
[2] Working Party for Telecommunications and Information Society.
[3] The WP TELE meetings are excepted to be held on 19, 20 and 25 of September this year.