12 Apr The draft ePrivacy Regulation gets a “grey” approval from privacy authorities
The draft ePrivacy Regulation obtained an opinion from the Article 29 Working Party which emphasises a number of positive aspects, but also some privacy related matters of concern.
I already discussed in the past about the draft ePrivacy Regulation that should complement the EU General Data Protection Regulation in relation to matters concerning electronic communications. The process that will lead towards the approval of the ePrivacy Regulation is moving forward and here is an outline of the opinion of the Article 29 Working Party (Art29WP), an advisory board made of the European privacy authorities, on the current draft.
The extension of scope to OTTs and IoT communications
The Article 29 Working Party expressed a positive opinion on the proposed extension of the scope of the ePrivacy Regulation to
- Over-The-Top (OTT) providers,
- Machine to Machine communications such as those typical of Internet of Things technologies,
- Associated metadata, and in particular the privacy authority called for a clear indication that electronic communications fall under the scope of the regulation and
- Device fingerprinting that was already subject of a previous opinion of the Art29WP.
I already expressed my concerns about the broad reference in the draft ePrivacy Regulation to machine to machine communications which in a number of cases might not include any personal data, but just machine related data. This issue shall be carefully assessed since it might further limit the growth of the IoT in the European Union which is not in the current intention of the European regulator that is on the contrary working on an European plan for the data economy. It seems that the privacy regulator is going beyond the territory of privacy to cover areas that fall under the scope of other rights, such as intellectual property rights.
The broad inclusion to data of legal entities
While the GDPR clearly excludes from its scope data relating to legal entities, the draft ePrivacy Regulation also applies to such categories of data and therefore legal entities will be in the same position as individuals when it comes to electronic communications.
This “intermediate” approach might be in practice of difficult implementation also with reference to the modalities in which consent has to be given by a legal entity. As mentioned in the previous paragraph, it seems that there is a tendency also on this matter to extend data protection regulations to activities that are no privacy related.
The areas of concern of the draft ePrivacy Regulation
The opinion of the Article 29 Working Party was not fully positive and indeed they challenged the approach adopted in relation to the following topics:
- Tracking of location of terminal equipment without the individual’s consent should be prohibited and shall comply with the restrictions imposed by the GDPR, while the draft ePrivacy Regulation aimed at introducing some flexibility, limiting the obligation to the mere display of a privacy information notice and the implementation of security measures. The solution identified in the draft ePrivacy Regulation would have fostered the growth of, among others, IoT technologies, through solutions that have already been adopted for instance by the Italian data protection authority with reference to cookies. But the European privacy authorities seem to call for a more “formal” approach to privacy consent;
- Analysis of content and metadata without the individual’s consent should be allowed in very specific circumstances that shall be better described such as the analysis of electronic communications data for customer service purposes or to provide a service requested by end users. On the contrary, the analysis of content and/or metadata for analytics, profiling, behavioural advertising or other purposes for the (commercial) benefit of the provider, requires consent from all end-users whose data would be processed. Such issue is linked to the one of point 1 above and relates to the modalities in which such consent can be given to avoid a limitation to the usage of these technologies, also because the Art29WP is of the opinion that it is not possible to just rely on browser settings to imply consent;
- Terminal equipment and software must by default discourage, prevent and prohibit unlawful interference with it and provide information about the options, while the draft ePrivacy Regulation merely refers to the obligation to “offer the option” to prevent a limited form of interference with terminal equipment. It will be necessary to identify the right balance between information and consent also on such issue;
- The ePrivacy Regulation should explicitly prohibit tracking walls, i.e.the practice whereby access to a website or service is denied unless individuals agree to be tracked on other websites or services. The problem with this approach is that for some websites the tracking of users is necessary also to ensure a higher level of security and limit the risk of potential fraudulent activities. This is for instance the case of home banking or gambling sites, but the Art29WP does not clarify whether in such scenario their position would still apply;
- The scope of direct marketing is too limited as it refers to “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services“, where the word “sent” seems to limit its scope. The Art29WP believes that the reference should be made on the contrary “to all advertising sent, directed or presented to one or more identified or identifiable end-users“, which seems in line with the technological development of new advertising methodologies;
The timing of the draft ePrivacy Regulation
The Art29WP is of the opinion that the ePrivacy Regulation should ideally come into force in May 2018 at the same time as the GDPR. However, it believes that such goal is ambitious. Therefore, the issue is that in May 2018 we might have a privacy framework that relies on old principles as implemented by each EU Member State in relation to electronic communications for at least a transitional period.
This might be an issue for companies that are currently running a privacy audit in order to get compliant with the GDRP. The risk is that, given the current uncertainty on the ePrivacy Regulation, a conservative approach will be taken also on ePrivacy issues, without having the possibility to rely on the higher flexibility that is granted in the current version of the ePrivacy regulation with reference for instance to privacy consent.
What is your view on the above? If you found this article interesting, please share it on your favourite social media!