On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) relating to privacy rules for the electronic communications sector. The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet. It will address a host of important issues including the processing of communications content and metadata, and the use of Wi-Fi and Bluetooth tracking for Internet-based services and technology providers. Once enacted, the Proposal will replace the e-Privacy Directive and will complement the EU General Data Protection Regulation (GDPR).
As part of the legislative process, the European Parliament Committee (one of two legislative bodies charged with reviewing the Proposal) issued a Draft Report in June 2017 and is reviewing more than 800 proposed amendments to the Proposal. In addition, the Article 29 Working Party (WP29)—the body of EU data protection authorities—published a non-binding opinion (the Opinion) on the Proposal in April 2017, urging a number of revisions that would impose even more obligations on covered companies.
This article provides a status update about the Proposal, including the main requirements currently under discussion at the European Parliament and an overview of the next steps. Read our previous WSGR Alert for more information about the Proposal and the Draft Report.
What Is the e-Privacy Regulation Proposal?
The Proposal will replace the e-Privacy Directive, the rule that currently regulates the data protection aspects of the electronic communications sector. The e-Privacy Directive is a lex specialis of the EU Data Protection Directive, which will be replaced by the GDPR as of May 25, 2018. Like the GDPR, the Proposal is a “regulation.” Unlike “directives” that need to be implemented into national laws, regulations apply directly in all EU countries. The objective is to improve the harmonization of the e-Privacy rules across the EU.
The Proposal will apply to EU and non-EU companies providing services in the EU and will be backed up by substantial enforcement powers — fines of up to four percent of a company’s global turnover, the same as under the GDPR. As a lex specialis, the rules of the Proposal would prevail over the GDPR for issues relating to electronic communications.
What Are the Key Provisions Generating the Most Controversy?
The Proposal aims to modernize the current e-privacy rules and align them with the more stringent GDPR requirements. With some notable exceptions discussed below, the Draft Report suggests amendments to the Proposal that generally support this effort. The WP29 Opinion, however, expresses various concerns that certain provisions of the Proposal may be inconsistent with or set a lower level of privacy protection than that set by the GDPR.
The main issues currently under discussion are:
Broader Scope of Application. The Proposal expands the scope of the e-Privacy rules to all electronic communications providers including Internet-based services enabling “inter-personal communications” (e.g., instant messaging, VOIP services, web-based email, and Internet of Things devices). The Draft Report explicitly covers machine-to-machine interactions, which is also endorsed by the WP29 in its Opinion. All stakeholders seem aligned to ensure that the Proposal applies broadly to today’s communications services and Internet of Things devices.
Legal Grounds for Processing Content and Metadata. The Proposal permits the processing of electronic communications data that include content data (e.g., text, voice, sound, images, and videos) and metadata (e.g., location, date, time, duration, and type of the communication) on only a limited number of legal grounds.
The Draft Report proposes to further limit those legal grounds, as suggested by the WP29 in its non-binding Opinion. In particular, the Opinion recommends requiring mandatory consent for purposes such as analytics, profiling, behavioral advertising, or other commercial purposes. When consent is the legal ground for the processing, the Draft Report proposes requiring companies to obtain consent from both parties of the communication (i.e., both the sender and recipient). Since the publication of the Draft Report, the 800 amendments submitted by Members of the European Parliament suggest introducing the company’s “legitimate interest” as a legal ground for processing metadata, as provided in the GDPR.
Wi-Fi and Bluetooth Tracking. The Proposal allows the collection of data emitted by users’ devices, such as MAC addresses and IMEI, to take place without the user’s prior opt-in consent if the user received a clear and prominent notice that explains the measures individuals can take to minimize or stop the data collection.
According to the Draft Report, this collection must be based on the individual’s prior opt-in consent, particularly when it is used to track individuals’ location. The WP29 advocates that rules for tracking device location must comply with GDPR standards and always must require consent. The Opinion also recommends the adoption of a technical standard for mobile devices to automatically signal an objection against tracking and permit individuals to withdraw previously provided consent.
Prohibition of “Tracking Walls.” Tracking walls—that is, denial of access to a website or service unless the user consents to tracking on other websites or services—are not prohibited by the Proposal. This was roundly criticized by the WP29 in its Opinion. The Draft Report follows the Opinion’s recommendation and includes amendments to prohibit the use of tracking walls. The ongoing political debate regarding this prohibition will ultimately determine the ability of websites to decide the conditions under which they provide their services.
Browser Settings and Do-Not-Track Systems. Like the GDPR, the Proposal establishes a privacy-by-design principle to provide users with certain privacy settings, without requiring that these settings be implemented by default. The Draft Report and the Opinion, however, depart from the Proposal on this point.
The Draft Report requires mandatory browser settings by default to prevent other parties from storing or processing information without the user’s consent, and to legally bind third parties to respect these settings. Both the Draft Report and the Opinion support a Do-Not-Track system. The Opinion recommends mandatory technical mechanisms (including the “do-not-track” mechanism) to ensure that when a user declines to provide consent, no further consent requests can be made by the same organization for at least 6 months.
Stricter Direct Marketing Rules. The Proposal retains the current regime of prior opt-in consent for sending direct electronic marketing communications. It applies this regime to all means of communications (e.g., automated phone calls, instant messaging applications, social media messaging, SMS, MMS, Bluetooth, or emails), unless the communications are sent to existing customers and relate to the company’s own similar products or services, and the customers are given a means to opt out at the time of data collection and in each marketing communication. The Draft Report advocates for mandatory national Do-Not-Call lists, which will mean that companies will need to check their marketing lists against the Do-Not-Call lists before engaging in unsolicited marketing calls, much like in the U.S.
The Proposal will continue to move through the EU law-making process, including the adoption of the European Parliament’s and the Council of the EU’s own versions of the rules. After that, trilogues between the European Parliament, the European Commission, and the Council of the EU will take place to find a compromise among their three versions of the text. The e-Privacy Regulation is set to be one of the most lobbied texts in the EU.
The road to adoption of the Proposal is expected to be long, most likely several years from the date of publication of a proposal. The Proposal continues to be worth monitoring as it develops given its likely immense impact on all companies doing business in the EU.