The draft EU ePrivacy Regulation might have a considerable impact on privacy compliance obligations relating to new technologies.
What is the draft ePrivacy Regulation?
I already discussed about the ongoing review of the European rules applicable to electronic communication services which will lead to a new ePrivacy Regulation that will complement the already in place EU General Data Protection Regulation. This is still a draft subject to review by EU institutions and you may find the main changes summarised in this blog post. Also, I have already discussed about its broad scope and the potential applicability even to Industrial Internet of Things technologies. However, I want to focus on how it impacts privacy consents required for the collection of data through different types of technologies.
How privacy consent required for different technologies might change?
Here is a short outline of the new consent rules set out by the ePrivacy Regulation as they are likely to apply, based on an initial review of the draft regulation:
1. Cookies and fingerprinting
The general rule is that prior consent is necessary, save for
- technical cookies that are necessary to provide a service requested by a user (e.g. tracking him when fills in an online form);
- first party (and not third parties) cookies necessary for web audience measuring (e.g. counting the number of views on a website or social media).
The draft ePrivacy Regulation emphasises that when consent is requested, it should be given in a user friendly manner e.g. by using the appropriate settings of a browser or other application. However, such settings shall be arranged so that users need to give their express and unambiguous consent to cookies. This is interesting as we need to evaluate whether decisions such as the of the one Italian data protection authority on cookies will still require the same level of compliance under the ePrivacy Regulation.
2. Internet of Things technologies
The draft ePrivacy Regulation makes a broad reference to its applicability to machine to machine communications leaving open the question on whether it includes any type of M2M transmission or just those involving personal data.
Also, it provides that
- consent is not needed, if the data processing is necessary to provide a service to the user e.g. in case of eHealth or fitness technologies necessary to monitor the health conditions of a user or services tracking the location of users in order to provide services expressly requested by them; while
- consent is needed, if data processing is for marketing purposes or other purposes not expressly requested by the user e.g. in order to track the location of users as part of mapping services that show advertisements or send push notifications.
The wording of the provisions referred above is broad and shall be adapted to the specific scenarios. For instance in the case of geolocation systems installed on an ambulance in order to enable them to be notified of emergencies close to their location, it shall be assessed whether this is necessary for the performance of a service. Also, such scenario would have employment law implications and it can be arguable whether national legislation, such as the Italian Jobs Act, will still be considered compliant with EU data protection rules.
3. Telephone and messaging communications
No consent is necessary under such scenario since the data processing activity “is necessary for the sole purpose of carrying out the transmission of an electronic communication over an electronic communications network“.
Likewise, when a data processing activity is necessary to establish a connection between a user’s device and another device (e.g. a wifi hotspot), no consent is necessary. But the language is ambiguous as to the other scenarios when the information from a device can be collected to connect it with other devices (e.g. beacons) since the ePrivacy Regulation seems to require in such case only the provision of a privacy information notice, with no consent needed, save for cases when data is used for marketing purposes.
What to expect in the coming months?
My personal impression is that the current draft of the ePrivacy regulation is still quite far from the final version. There are still sections whose concrete impact on technologies shall be reassessed in order to avoid to create a barrier to the entrance in the European market. This is also because the breach of the provisions of the ePrivacy Regulation will be sanctioned with
- fines up to 2 % of the total worldwide annual turnover of the preceding financial year of the breaching entity,
- which are increased to € 20 million, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, in case of breach of the principles of confidentiality of communications, permitted processing of electronic communications data, time limits for erasure.
We will follow the matter in the coming months. In the meantime, if you found this article interesting, please share it on your favourite social media!