The Article 29 Working Party (WP29) and the European Data Protection Supervisor (EDPS) have released their opinions on the European Commission’s proposed e-Privacy Regulation, which intends to repeal and replace the existing e-Privacy Directive.
Both EU regulators welcome many aspects of the proposal, including the extension of the rules to cover "over-the-top" (OTT) providers and machine-to-machine communications in the context of the Internet of Things (IoT). Whilst welcoming the proposal, the EU regulators remain concerned about a number of provisions which, according to the opinions, have the potential to undermine the level of protection of privacy in electronic communications that the Commission intended to ensure.
While both EU regulators welcome and support the aims of the proposed rules, they highlight a number of areas of concern. The main concerns and recommendations of the EDPS and the WP29 are explored below.
The WP29 and the EDPS consider that the ability to access online content should not be made conditional upon individuals' consent to be tracked across websites, devices or apps. While the WP29 argues for an explicit prohibition on tracking walls, regardless of the tracking technology used, the EDPS goes further by recommending an additional explicit ban on the exclusion of users who utilise ad-blocking systems or other applications to protect their information and terminal equipment.
Although the proposed regulation gives end-users the option to prevent interference with their device, the EDPS considers that this requirement does not provide the same standard of protection afforded by the 'Data protection by design and by default' provision of the GDPR (Article 25). It therefore recommends that the regulation impose an obligation on hardware and software providers to put in place default privacy settings that safeguard end-users' devices from unauthorised interference. Similarly, the WP29 considers that terminal equipment and software must discourage and prevent such interference by default.
The EDPS praises the complementary relationship between the e-Privacy Regulation and the GDPR but expresses its concern over loopholes that may arise between the two legal instruments in relation to the protection of personal data. The EDPS notes, in particular, cases where the end-user has given consent to a service provider to transfer content data and/or metadata to a third party which will act as a data controller. In such cases, it is unclear under the proposed rules whether the processing of data by the third party will be governed by the e-Privacy Regulation or the GDPR. To ensure legal certainty, the EDPS recommends that the proposed rules include a substantive provision stating that "neither providers of electronic communications nor any third parties, shall process personal data collected on the basis of consent or any other legal ground under the e-Privacy Regulation, on any other legal basis not specifically provided for in the e-Privacy Regulation".
The WP29 has expressed its concerns about the scope of direct marketing, suggesting that this should extend beyond traditional forms of marketing communication (such as SMS and email) to include behavioural advertisements (based on end-users' profiles) that appear on the web. It also considered that the proposed rules should clarify the requirements for the withdrawal of consent for direct marketing and for the opt-out for marketing calls.
The WP29 makes further recommendations including the following:
Although the opinions issued by the EU regulators are non-binding, they may influence the reformation of the existing legal framework, should they be taken on board by the Parliament and Council in the course of the legislative procedure.
The proposed regulation suggests that the Commission is aiming for the regulation to come into force on 25 May 2018 along with the GDPR. It remains to be seen whether the concerns raised by the EDPS and the WP29 will be addressed in the final regulation. Organisations should keep a close eye on the developments of the regulation to ensure that they are in the best position to comply once it is finalised.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.