As the use of digital services and Internet-based communications has become well-nigh ubiquitous, the underlying technology continues to evolve. Nevertheless, users still have generic concerns about the inherent risks, especially those associated with security and privacy issues. Against that backdrop, the European Commission has established that increasing trust and security in digital services must be among the main objectives of the Digital Single Market Strategy. Accordingly, the long term goal for the reform of the EU data protection legal framework, which commenced in 2012, culminated last year in the adoption of the General Data Protection Regulation (GDPR), which will apply throughout the EU from 25 May 2018. However, in order to complement this new system with the right of individuals to data protection, the European Commission has also been engaged in updating the legal framework set forth in the Directive on Privacy and Electronic Communications, Directive 2002/58/EC, with respect to the processing of personal data and the protection of privacy in the electronic communications sector. This directive was last revised back in 2009.
As a result, on January 10, 2017, the European Commission published a proposal for a new regulation, entitled the ePrivacy Regulation. They recognized the economic and social importance of digital services, whilst observing that the internet of things and over-the-top communications services currently fall outside of the Directive on Privacy and Electronic Communications. (For more details on OTT services and the scope of protection of the ePrivacy Regulation, see WP240, Article 29 Data Protection Working Party’s opinion 3/2016 on the evaluation and review of the ePrivacy Directive.)
The purpose of these efforts has been to fashion a technologically neutral legal instrument, which can keep pace with future technological developments as well as to fully harmonize the privacy issues in all the EU Member States. (Regulations are secondary law having general application and are binding in their entirety and directly applicable in all European Union countries.) The published proposal has been modified from the version that was leaked in mid-December 2016. The main issues that the reform is meant to address can be summarized as follows.
1. EU-wide application
As with the GDPR, the scope of protection of the ePrivacy Regulation covers any publicly available electronic communications services, either provided to or used by end-users in the EU, regardless of whether the end-user pays for them or not, as well as the information associated with the EU end-user’s terminal equipment (see Article 1(1) of Directive 2008/63/EC for definition of terminal equipment). For the purposes of the ePrivacy Regulation, end-users can be either natural or legal persons, especially insofar as the consent to the processing of end-user’s electronic communications metadata is concerned.
2. Scope of protection
The ePrivacy Regulation affords protection to fundamental rights and freedoms, such as the right to data protection and the freedom of expression, information, thought, conscience and religion, of natural and legal persons, regarding the provision and use of electronic communications services. In particular, it covers these rights with respect to one’s private life and communications and an individual’s personal data protection. All the foregoing is directed towards ensuring the free movement of electronic communications data and services within the EU.
The ePrivacy Regulation rests on the principle of secrecy of communications. Electronic communications must be confidential and interference therewith is prohibited, without the consent of the end-user concerned. The principle of confidentiality also applies to devices and machines that communicate with each other by using electronic communications networks. However, since the ePrivacy Regulation does not apply to activity falling outside the scope of EU law, member states may derogate its provision for the purposes of state security, defence, public security and crime enforcement.
4. Information stored on, or retrieved from, user devices
5. Direct marketing opt-in and opt-out
End-users must give their opt-in consent in order for a natural or legal person to transmit direct marketing communications (i.e. for any advertising, whether written or oral), sent to one or more identified or identifiable end-users of electronic communications services, such as automated calling, an email, or a SMS message. Natural and legal persons are permitted to direct marketing of similar goods and services to those already sold to end-users, using their emails already collected in the course of those previous sales, provided that end-users have been clearly, distinctly and freely given the opportunity to object to such further use of their data.
Regarding direct marketing calls, the electronic communications services providers must supply a contact line to the end-user targeted and must use a code/prefix identifying that this is a marketing call. Finally, member states may implement opt-out rules for regulating the expression of an end-user’s consent in the context of voice-to-voice marketing calls, e.g. registering their number on a do-not-call list.
6. Privacy by design
By default, software permitting electronic communications, including web browsers, must be configured to impede third party cookies from being stored on an end-user’s terminal equipment and to process information already stored on the equipment. Once the software has been installed, the end-user will be informed of the privacy settings options so to provide the consent to the installation.
Users of electronic communications services will be granted compensation for both material and non-material damage incurred by virtue of infringement of the ePrivacy Regulation, unless the alleged infringer can otherwise exclude his liability. Also, the scheme of administrative fines set forth under the GDPR applies, namely up to a maximum of 20 million euros or 4% of the total worldwide turnover, whichever is higher, with respect to a breach of the rules of confidentiality, the processing of electronic communications content and metadata, as well as the erasure and anonymity of electronic communications data; or up to 10 million euros or 2% of the total worldwide turnover, whichever is higher, where rules on cookies are infringed, software providers do not fulfil their obligations of privacy by default or the providers of publicly available directories do not comply with their obligations towards end users.
In view of the above, end-users of electronic communications services have the right both to commence a judicial action before the courts of a EU Member State of her/his habitual residence and to lodge complaints before the supervisory authority of the place of residence, work, or alleged infringement of her/his rights under the ePrivacy Regulation. It is immediately apparent that the proposed ePrivacy Regulation is meant to be consistent with the GDPR. Both legal texts are to be read in conjunction with respect to an end-user’s privacy and confidentiality, where personal data are processed in the electronic communication sector. It is noted that the GDPR will apply to matters not specifically covered by the prospective ePrivacy Regulation, such as is the case for an individual’s access, rectification, cancellation and opposition (ARCO) of an individual’s personal data rights and the obligations on controllers and processors.
Finally, while the ISP’s liability framework set out in the e-Commerce Directive will remain intact, the contemplated ePrivacy Regulation will be associated with the prospective European Electronic Communications Code (The European Commission’s proposal was published on 14 September 2016 and the new legal text will recast the four Directives comprised in the EU regulatory framework of electronic communications: the Framework, Access, Authorization and Universal Service Directives) and will maintain synergies with the Radio Equipment Directive 2014/53/EU, providing that radio equipment should incorporate safeguards to ensure that the personal data and privacy of users and subscribers are protected.
As the ultimate objective is to make the ePrivacy Regulation applicable along with the GDPR, as of 25 May 2018, it seems that we can expect that the final text of the ePrivacy Regulation will be published during the next twelve months.