The Draft ePrivacy Regulation – Confidentiality of Communication

1. Introduction

The fuss about the GDPR (the English name that is often used for the General Data Protection Regulation) has hardly disappeared there is a new European law in the making, namely the Regulation concerning the respect for private life and the protection of personal data in electronic communications, also called the ePrivacy Regulation, for the time being only a proposal (COM (2017) 10 final, 2017/003 (COD)).

The objective of the ePrivacy Regulation proposal is to increase citizens' confidence in the offer of digital (online) services, simplify the rules about cookies and make the marketing of companies more transparent.

This ePrivacy Regulation proposal will replace the ePrivacy Directive 2002/58/EC (also called Cookie Directive) and its intention is to harmonize the different national ePrivacy legislations and bring  them into line with the General Data Protection Regulation (or GDPR).

Preference has been given to a regulation and not a directive.

The advantage of a regulation is that it is a European law that is effective in all countries at the same time and without adaptations. On the other hand, a directive must be transposed into national laws by national legislators and this often led to major differences in the interpretation of the text of the directive among the 28 Member States and complicated matters for companies operating in the different Member States.

This regulation proposal seeks to guarantee the confidentiality of all electronic communications, targeting all communication, both the traditional (already regulated under the old ePrivacy directive) and the new electronic communication tools (Skype, WhatsApp, Facebook Messenger, Gmail, iMessage,  in-platform messages, e.g. Facebook and Twitter), regardless of the technology used.

This regulation also aims at simplifying the provisions on cookies by giving more choice to users.

The confidentiality of metadata is also guaranteed by the new regulation. Metadata is for instance data that discloses your location, the date and time of communication, and the type of phone (android or apple) that you used. The regulation will also apply to machine-to-machine communication if the information or metadata exchanged by the machines is related to personal data. These metadata is considered to be sensitive personal data and must always  be removed or anonymised under the ePrivacy Regulation if the users have not given their consent for their use, unless such data is required for invoicing, and also then they may only be used for invoicing purposes.

2. Scope

The draft text of the ePrivacy Regulation applies to the processing of electronic communication data in connection with the offer and use of electronic communication services and to the information relating to the terminal equipment of end users.

"Electronic communication data" is the content exchanged by means of electronic communication services, such as text, speech, video, image, sound, as well as electronic communication metadata

"Electronic communication data" is the content exchanged by means of electronic communication services, such as text, speech, video, image, sound, as well as electronic communication metadata. These are data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication;

Electronic communications data may also reveal information concerning legal entities, such as business secrets or other sensitive information that has economic value.

Therefore, the provisions of the ePrivacy Regulation apply to both natural persons and legal entities.

"Electronic communication services" are not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services.

Devices also communicate with each other today by using electronic communications networks (Internet of Things). The exchange of machine-to-machine communications constitutes an electronic communications service and is part of the ePrivacy Regulation.

Hotspots (internet access via a wireless network) also fall within the scope of the regulation insofar as this service is provided to an indefinite group of end users. If it is a closed intra-network, for instance a company, the regulation does not apply.

3. Important expected changes

The Privacy Regulation proposal has been brought into line with the GDPR, as a result of which a large number of the definitions and concepts of the Privacy Regulation must be read and interpreted in line with the GDPR regulation, inter alia the concept of consent would in principle have the same strict content as under the GDPR.

As is the case with the GDPR, this proposal has a broad territorial scope and will be applied to all communication data processed in relation to services from outside the EU to users in the EU. Sanctions, like those under the GDPR, may amount to a 20 million Euro fine or 4% of the worldwide annual turnover. This responsibility applies to both hardware and/or software manufacturers as well as service providers.

This new regulation proposes that when cookies are only used for "configuration", so technical purposes (e.g. remembering your digital shopping basket for instance), the user’s consent to place cookies should no longer be requested. But if the intention is to trace by means of cookies, it can no longer be unsolicited. Prior consent must be given  by using appropriate technical settings of a software application that makes internet access possible (e.g. by a default setting in your browser, where you must explicitly opt-in for cookies). Cookies are used to track users during their internet use across websites. Companies that have access to that information then use it for profiling, advertising and other commercial purposes. This constant tracking implies great privacy risks, and as a result the user  completely relinquish control over his personal data.

The legislator also wants to get rid of tracking walls. Tracking walls means that for users who do not consent to be traced through cookies across further websites, access to the websites they search for will be denied. That is what tracking walls do. You are required to give permission  to be tracked by third-party cookies, while these cookies are mostly not needed for the provision of services. The legislator found it crucial that users are able to use the service without being tracked, and certainly not by third parties and in situations where the user is dependent on the service, for lack of alternative, for instance.

Consequently, a service provider will no longer be able to refuse its service because the user has not given his or her consent (paragraph 18 of the ePrivacy Regulation proposal). "Consent for processing data from internet or voice communication usage will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment." "Consent" under the GDPR is only valid if it has been given freely. This means that consent will not be free if the provision of service is made dependent upon the individual's consent.

What if users do not give their consent for tracking cookies. The European Parliament has already indicated that it does not want a choice between today's free content that is given in exchange for personal data and the same content for which you will also be able to pay, but which is then offered without tracking. If consent is not necessary for service performance,  you still have to provide service if the consumer refuses to give his consent.

Personal data is no merchandise.

The current ePrivacy Regulation proposal leaves companies with many questions and uncertainties and especially how companies can comply with this new legislation in a cost-effective and for consumers still attractive way. This will be a challenge for many companies and especially for the business models based on behavioural advertising, namely business models that monitor and collect online behaviour of website visitors in order to better align advertisements and website content

Direct marketing is subject to a prior opt-in and then an easy opt-out system. Those involved must have given their consent. A system needs to be worked out that will hopefully not lead again to annoying pop-up windows asking for consent The privacy by default rule presupposes that all systems (browsers for instance) are defaulted to do not track, so there is no tracking or direct marketing, only with consent. And consent will have to be such consent as provided under the GDPR.

Bear in mind that as from 26 May 2018 the GDPR consent requirement will in principle also apply to the existing ePrivacy legislation.