Recent Posts

Copyright Giulio Coraggio 2018

ePrivacy draft regulation gets stricter after European approval

eprivacy

ePrivacy draft regulation gets stricter after European approval

The ePrivacy draft regulation is turning towards a more stringent regime with after the approval by European Parliament of the latest draft. 

As previously discussed, the European ePrivacy Regulation is meant to integrate the European General Data Protection Regulation when it comes to “electronic communications data“. It is still in a draft stage and apparently the plan is to speed up the approval process so that it will be effective from the 25th of May 2018 as the GDPR.

And a major step forward was made with the approval by the European Parliament of an amended text of the draft ePrivacy Regulation which seems to meet the requests from the European data protection authority for more stringent provisions in the opinion of the Article 29 Working Party on the topic. This does not mean that the ePrivacy Regulation will be eventually approved in its current wording, but just means that the European Parliament gave a mandate to start negotiations with the European Council on the current text.

The main chages that were introduced can be summarized as follows:

Broader scope for the ePrivacy regulation

The ePrivacy regulation now provides at recital 4 that

electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679

The subsequent recital clarifies that the regulation applies only to “electronic communications data that qualify as personal data” which appears in contradiction with the previous recital. But in general terms the recital 4 seems to create a presumption that any electronic communication data falls within the scope of the GDPR. This is confirmed by the changes to the provisions relating to the material scope of the regulation whose applicability

  • is now clearly extended to the processing of any electronic communication data both online and offline by means of users terminals;
  • includes any content transmitted, distributed or exchanged by means of electronic communications services, including metadata;
  • applies to any type of direct marketing communication; and
  • any machine to machine service, which therefore would include Industrial Internet of Things communications.

Finally, the applicability to non-EU entities processing data of individuals located in the European Union (regardless of where the processing takes place) has been further expanded.

More reliance on users’ prior consent

The ePrivacy draft regulation relies on the users’ consent more than the GDPR which provides a wider number of alternative solutions, including the legitimate interest. On the contrary, the latest draft of the regulation emphasizes that

The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.

This position seems confirmed also in relation to communications for direct marketing purposes whose provision of the ePrivacy regulation refers to the need of a prior consent, only providing for the “soft spam exemption” and without mentioning the possibility to rely on the legitimate interest which on the contrary is expressly provided by the GDPR.

Likewise any interception of electronic communications, also by means of wireless networks and for traffic analytics, shall occur with the prior consent of the relevant individuals.

Cookie walls and banners are banned

The ePrivacy draft regulation takes a strong position agains cookie walls and banners which on the contrary are the solution provided by the guidelines of the Italian data protection authority. On the contrary, more control shall be given to users by means for instance of browser settings. This solution is aimed at avoiding a sort of unknown approval by users that are just bothered by cookie walls and accept it without reading the terms of the applicable cookies policy. But the draft regulation also adds that
  • in compliance with the principle of privacy by default, the default settings of the browser or software to be used to control cookies shall be set so that the storing of information on the terminal equipment by third parties is prohibited. This might have a massive negative effective on all the applications aimed at tracking users’ behaviour on the Internet and
  • users shall be given sufficient granular options as to the categories of consent to be given in order to have a better control on them. 

Strong limitations to web analytics

No consent is required for cookies that are technically necessary for measuring the reach of an information society service requested by the user provided that such measurement is carried out by the provider or on behalf of the provider and

  1. data is aggregated;
  2. user is given a possibility to object;
  3. no personal data is made accessible to any third party and
  4. data is kept separate from the data collected in the course of audience measuring on behalf of other providers.

Broader applicability of fines

The scenarios in which the highest fine of 4% of the global turnover or € 20 million is applicable have been extended to include for instance the breach of the provisions on consent and on privacy settings for cookies. Also, it has been clarified that if the same conduct represents a breach both under the GDPR and the ePrivacy regulation, the highest fine will apply.
My impression is that the European regulators are setting a regime that is excessively restrictive and might render the European market less attractive in a period when there is a strong tendency towards digitalization and the usage of tools of machine learning, artificial intelligence and IoT. The goal is to protect consumers, but I am concerned that the European Union is currently in an economic condition to be able to “set the path“, while a more balanced approach might encourge investments.

What is your view on the above?Happy to discuss and you may find also interesting my series of blog posts on the most relevant issues addressed by the GDPR

#1 Which companies shall care about it?

#2 Will fines be really massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one stop shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

#21 Privacy information notice: how to make it transparent when it’s complex?

#22 How direct marketing changes wih the GDPR?

As usual, if you found this article interesting please share it on your favourite social media.

@GiulioCoraggio

Follow me on LinkedIn – Facebook Page – Twitter – Telegram – YouTube  Google+

Giulio Coraggio
giulio.coraggio@gmail.com

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world leading law firm DLA Piper. Top global IoT influencer and FinTech lover, finding solutions to what's next for our clients' success.