On 10 January this year, the European Commission published the draft text of the ePrivacy Regulation. In our
Why the ePrivacy Regulation?
The ePrivacy Regulation is part of the larger initiative that can be described as the ‘Digital Single Market’. The Digital Single Market is the aspect of the European Single Market which focuses on electronic communications, e-commerce and digital marketing. The ePrivacy Regulation aims to reconcile the ePrivacy legislation with the privacy legislation as laid down in the
The assessment of the WP29
The WP29 praises the scope of the ePrivacy Regulation: whereas the ePrivacy Directive only applied to traditional means of communication, the ePrivacy Regulation will also be applicable to its modern sisters, such as WhatsApp, Facebook Messenger and Gmail. In addition, the WP29 is content that the topic of metadata is explicitly addressed in the ePrivacy Regulation. The ePrivacy Regulation is intended as a
- The prohibitions in the ePrivacy Regulation take precedence over the permissions under the Privacy Regulation;
- When processing is allowed under any exception to the prohibitions under the ePrivacy Regulation, such processing, where it concerns personal data, still needs to comply with all relevant provisions of the Privacy Regulation.
At the same time, the WP29 concludes that the ePrivacy Regulation, in its current form, undermines the level of protection offered under the Privacy Regulation. In particular, the WP29 expressed its (grave) concern with regards to four topics:
- Wifitracking. Under the Privacy Regulation, wifitracking -localising individuals on the basis of the information emitted by their phones or other devices- is only permitted in case of (i) explicit consent by the user; or (ii) anonymized data. The ePrivacy Regulation, on the other hand, appears to allow wifitracking without consent. The draft text only requires the display of a notice and the implementation of security measures in order for the collection of information emitted by terminal equipment. Moreover, the ePrivacy Regulation does not explicitly or concretely limit the scope of such data collection or subsequent processing; whereas the Privacy Regulation requires such collection and processing to be proportional, legitimate and transparent.
- Confidentiality of both content and metadata. The WP29 criticizes the legislative choice to make a distinction between the content and metadata of communication when it comes to the required level of protection. The WP29 states that both types of data should require the consent of all end users (both the sender and the receiver); and that any exceptions thereto should be concrete and explicitly motivated.
- Default settings of terminal equipment. The ePrivacy Regulation requires the providers of software to offer their users the option to choose a high level of protection; and to force their users to actually do so. As such, the regime of the ePrivacy Regulation does not adhere to the principle of ‘privacy by default’, the idea that the default settings of terminal equipment offer the highest level of protection. The reason behind the concept is to make it as easy as possible for users to protect their data; and consequently curb the unlawful -e.g., without consent- processing of personal data. The WP29 concludes that the ePrivacy Regulation offers less protection in this regard than the Privacy Regulation does.
- Prohibition on tracking walls. Tracking walls are the practice whereby access to a website or service is denied unless individuals agree to be tracked on other websites or services. The WP29 has, in previous opinions and recommendations, stated that this practice is rarely allowed, because the consent of those individuals is considered to be invalid. The WP29 had hoped the ePrivacy Regulation would explicitly prohibit the practice and calls for the European legislator to do so.
In addition to the points of grave concern described above, the WP29 addresses a number of other issues that should be taken into account in the draft text. The WP29 also suggest to clarify certain clauses to allow for a smooth(er) implementation thereof.
Back to the drawing board?
In short, the WP29 concludes the ePrivacy Regulation in its current form does not suffice and needs substantial redrafts to make it a workable instrument. The critique puts even more pressure on the legislative schedule with the deadline of 25 May 2018, which was already tight to begin with. It will have to be seen whether the WP29’s criticism will be taken into account. Ovidius will keep you updated.