WP29: the ePrivacy Regulation undermines the Privacy Regulation

On 10 January this year, the European Commission published the draft text of the ePrivacy Regulation. In ourupdate thereon of 24 January 2017, we mentioned that the proposal will have to be adopted by both the European Parliament and the Council of the European Union; and that we expected the Article 29 Working Party (“WP29”) to also offer its opinion on the legislative proposal. On 10 April last, the WP29 did indeed publish an opinion on the ePrivacy Regulation, in which the draft text was severely criticized. The critique of the WP29 was not entirely unexpected, given the fact that the WP29 already made recommendations with regards to the Privacy Directive in July 2016, which recommendations were not addressed in the draft text. In this update, we discuss the four major concerns brought forward by the WP29.

Why the ePrivacy Regulation?

The ePrivacy Regulation is part of the larger initiative that can be described as the ‘Digital Single Market’. The Digital Single Market is the aspect of the European Single Market which focuses on electronic communications, e-commerce and digital marketing. The ePrivacy Regulation aims to reconcile the ePrivacy legislation with the privacy legislation as laid down in the General Data Protection Regulation (the “Privacy Regulation”). The European Commission’s intention is for the ePrivacy Regulation to enter into force on 25 May 2018, simultaneously with the timeframe of the General Data Protection Regulation.

The assessment of the WP29

The WP29 praises the scope of the ePrivacy Regulation: whereas the ePrivacy Directive only applied to traditional means of communication, the ePrivacy Regulation will also be applicable to its modern sisters, such as WhatsApp, Facebook Messenger and Gmail. In addition, the WP29 is content that the topic of metadata is explicitly addressed in the ePrivacy Regulation. The ePrivacy Regulation is intended as a lex specialis of the Privacy Regulation. As such, the WP29 advises to include specific clauses in the ePrivacy Regulation that address the relationship between the two regulations, such as:

  • The prohibitions in the ePrivacy Regulation take precedence over the permissions under the Privacy Regulation;
  • When processing is allowed under any exception to the prohibitions under the ePrivacy Regulation, such processing, where it concerns personal data, still needs to comply with all relevant provisions of the Privacy Regulation.

At the same time, the WP29 concludes that the ePrivacy Regulation, in its current form, undermines the level of protection offered under the Privacy Regulation. In particular, the WP29 expressed its (grave) concern with regards to four topics:

  • Wifitracking. Under the Privacy Regulation, wifitracking -localising individuals on the basis of the information emitted by their phones or other devices- is only permitted in case of (i) explicit consent by the user; or (ii) anonymized data. The ePrivacy Regulation, on the other hand, appears to allow wifitracking without consent. The draft text only requires the display of a notice and the implementation of security measures in order for the collection of information emitted by terminal equipment. Moreover, the ePrivacy Regulation does not explicitly or concretely limit the scope of such data collection or subsequent processing; whereas the Privacy Regulation requires such collection and processing to be proportional, legitimate and transparent.
  • Confidentiality of both content and metadata. The WP29 criticizes the legislative choice to make a distinction between the content and metadata of communication when it comes to the required level of protection. The WP29 states that both types of data should require the consent of all end users (both the sender and the receiver); and that any exceptions thereto should be concrete and explicitly motivated.
  • Default settings of terminal equipment. The ePrivacy Regulation requires the providers of software to offer their users the option to choose a high level of protection; and to force their users to actually do so. As such, the regime of the ePrivacy Regulation does not adhere to the principle of ‘privacy by default’, the idea that the default settings of terminal equipment offer the highest level of protection. The reason behind the concept is to make it as easy as possible for users to protect their data; and consequently curb the unlawful -e.g., without consent- processing of personal data. The WP29 concludes that the ePrivacy Regulation offers less protection in this regard than the Privacy Regulation does.
  • Prohibition on tracking walls. Tracking walls are the practice whereby access to a website or service is denied unless individuals agree to be tracked on other websites or services. The WP29 has, in previous opinions and recommendations, stated that this practice is rarely allowed, because the consent of those individuals is considered to be invalid. The WP29 had hoped the ePrivacy Regulation would explicitly prohibit the practice and calls for the European legislator to do so.

In addition to the points of grave concern described above, the WP29 addresses a number of other issues that should be taken into account in the draft text. The WP29 also suggest to clarify certain clauses to allow for a smooth(er) implementation thereof.

Back to the drawing board?

In short, the WP29 concludes the ePrivacy Regulation in its current form does not suffice and needs substantial redrafts to make it a workable instrument. The critique puts even more pressure on the legislative schedule with the deadline of 25 May 2018, which was already tight to begin with. It will have to be seen whether the WP29’s criticism will be taken into account. Ovidius will keep you updated.

Source: WP29 Opinion 1/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)



Follow our team and the latest news

This error message is only visible to WordPress admins

Error: No feed found.

Please go to the Instagram Feed settings page to create a feed.