How can data privacy rights in the online world be made future proof? That was the question posed by the recent review of the Privacy and Electronic Communications Directive 2002 (e-Privacy Directive) by the European Commission.
The Commission published a summary report on 4 August 2016 setting out its initial analysis of the responses received to the public consultation launched in April. A full report will be published in autumn 2016, followed by a new e-privacy legislative proposal, expected by the end of 2016.
The ICO published its response to the consultation at the beginning of July. It considers that the e-Privacy Directive has gone some way to protecting the privacy and confidentiality of communications, but full protection is difficult to guarantee in a changing technological landscape.
The ICO makes the point that there is no need for new rules to cover notification of personal data breaches and traffic/location data since these issues are already addressed by the GDPR. But it considers that there would be value in having specific rules on confidentiality of electronic communications, unsolicited e-marketing and itemised billing invoices. It also considers that the scope of the Directive should be broadened to cover Over-The-Top (OTT) services, for example, unmanaged Voice over IP, instant messaging, web mail and messaging in social networks.
On the issue of requesting users' consent to the storage/access of information in their devices (in particular tracking cookies), the ICO states that it would be a 'powerful' option to place obligations on the manufacturers of terminal equipment to include privacy by default settings, for example, third party cookies off by default. But the definition of terminal equipment would need careful consideration, otherwise it could include equipment such as connected cars and IoT devices. The ICO's view is that a proportionate balance must be achieved between the legitimate interest of businesses and the privacy rights of individuals; onerous requirements should not be imposed where the privacy impact is minimal.
The European Data Protection Supervisor (EDPS) has also published its opinion on the review and broadly concurs with the views of the ICO. The EDPS agrees that a new legal framework for e-privacy is required, but it must be a ‘smarter, clearer and stronger one’, with more clarity and better enforcement.
The EDPS considers that the scope of the new legal framework must be extended to take account of changes in society and technology. The same level of protection should be afforded to individuals for all functionally equivalent services, irrespective of how they are provided (for example, by Voice over IP services or via mobile phone messaging apps as well as by traditional phone providers).
The Article 29 Working Party (WP29) has also recently published its opinion and agrees there remains a need for free-standing e-privacy legislation to complement the GDPR. WP29 emphasise that consent is key: a revised Directive should maintain and reinforce the principle that the collation of online communications, traffic data and location data should be consent-based. The need for consent should be treated as prevailing over any other considerations, such as the legitimate interests of the data controller.
It will be interesting to see how these opinions are reflected in the new legislative proposals due later this year. The summary report by the Commission certainly indicates that new rules will be welcomed.
While 83% of responding citizens believe that special privacy rules for the electronic communications sector are necessary, industry was much more sceptical, with only 31% seeing a need for rules on confidentiality and 26% for rules on traffic data. On the issue of cookies, 77% of citizens believe that information service providers should not have the right to prevent access to their service if users refuse to store cookies. Unsurprisingly, three quarters of industry responses disagreed with this statement.
It looks like the Commission has a balancing act to perform. In the light of Brexit, the UK will obviously be watching with interest, to determine whether we will be required to, or whether we would wish to, adopt the new proposals.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2016. Specific advice should be sought for specific cases.