LawBytes #37 deals this week with the upcoming ePrivacy Regulation which will complement the GDPR and introduce new rules on cookies, IoT and M2M communications.
The current negotiations on the future of privacy in the EU
During 2018 companies have been busy implementing the various changes required by the GDPR and many are still struggling with privacy compliance. Meanwhile, the European legislator has been busy negotiating the draft of the new ePrivacy Regulation which will introduce important changes for the digital and electronic communications sector.
The EU ePrivacy Regulation will complement the rules introduced by the GDPR, replacing the current ePrivacy Directive and introducing uniform and directly applicable legislation in all Member States aimed at ensuring the protection of the end user’s privacy at every online interaction.
However, due to the wide scope of application (ranging from cookies to Over the Top communication services) and the innovative changes introduced, the ePrivacy legislative train is late on the roadmap. EU institutions are still negotiating in search of a balance between the competitiveness of companies and consumer protection.
The new Regulation will indeed apply not only to traditional electronic communication service providers, such as mobile and landline telephone operators, but will also cover the Web and the Internet (email, apps, etc.), impacting spam, direct marketing, instant messaging companies as well as app developers and the Internet of Things (IoT).
The ambitious goal of the European legislator is therefore to ensure the widest protection of citizens’ privacy and confidentiality of communications and – at the same time – to set up a regulatory framework applicable in all member states and suitable to favor the use – and enrichment – of data, which is the backbone of the European Digital Single Market strategy as one of the main objectives of the Horizon 2020 program (and of the forthcoming Horizon Europe 2021-2027 program).
As covered in a previous post on LawBytes, the initial draft proposal raised serious concerns regarding the impact of the new cookie-related rules on existing business models based on data-driven advertising and the burdensome obligations imposed on web browser providers.
Following the text adopted by the European Parliament, which incorporated the changes proposed by the LIBE Committee, the EU Council has now published several revision proposals which appear to be more favorable to digital businesses.
Is the ePrivacy Regulation opening the door to a cookie revolution?
The latest draft of the ePrivacy Regulation simplifies the rules on cookies in an attempt to overcome the so-called “cookie banner fatigue”. According to the European Commission, users are currently overwhelmed with pop-up windows requesting consent for cookies. The original draft proposal of the ePrivacy Regulation therefore adopted a privacy by design approach, requiring providers of browsers and similar software to provide users with user-friendly cookie and tracking controls to easily manage all information or data stored on their devices, without having to click on a banner every time they visit a website. However, this text has been removed from the most recent draft.
The latest proposal of the ePrivacy Regulation presented by the Romanian Presidency introduces new amendments providing that users shall give consent to the use of certain types of cookies by adding specific cookie providers to a whitelist, while browser providers should ensure that users can easily set up and modify these whitelists and withdraw consent easily and transparently.
Furthermore, the latest draft of the ePrivacy Regulation sets out a much higher threshold for obtaining consent than under the current ePrivacy Directive. Indeed, the proposed text endorses the provisions on consent that are set out in the GDPR. Consent is therefore required to be a freely given, specific, informed and unambiguous indication of the natural or legal person’s agreement to what is being proposed. This new approach might make obtaining cookie consent for third-party cookies, such as advertising tracking cookies, very challenging for website operators and third-party advertisers.
Finally, the Romanian Presidency confirmed that access to certain websites, in the absence of direct payment methods, may be based on the user’s consent to cookies, but under specific conditions.
The European Data Protection Board statement on ePrivacy and GDPR interplay
Another hot topic of the current legislative proposal is the relationship between the current ePrivacy Directive and the GDPR, as well as with the new European Electronic Communications Code.
The European Data Protection Board (EDPB) recently expressed its point of view on the relationship with the Privacy Regulation in an opinion highlighting the issues relating to the competence, tasks and powers of the supervisory authorities and the applicability of the cooperation and coherence mechanisms provided by the GDPR in cases where both the GDPR and the ePrivacy Directive (which is still fully applicable) are applied.
In addition, the Board stresses that the ePrivacy Directive contains “special rules” in relation to the processing of personal data in the electronic communications sector. These rules include provisions that require user consent for the storage of information, including personal data, on their device or for access to such information (for example through cookies) and rules that explicitly limit the conditions under which traffic data, including personal data, of subscribers and users of an electronic communication service can be processed.
These specific provisions of the ePrivacy Directive therefore prevail over the (more general) provisions of the GDPR which, for example, provides a wider range of legal bases for data processing. In the other cases, in which the processing of personal data is not specifically regulated by the ePrivacy Directive (or where the ePrivacy Directive does not contain a special rule) the GDPR applies, as in the case of the exercise of rights by the data subjects.
With reference to the supervisory authorities, although the Board clarified that the opinion does not refer to the provisions of the draft ePrivacy Regulation, it stresses that in the case of data processing falling within the scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent in relation to the processing activities governed by the national regulations transposing the Directive only if national legislation confers this power on them, as such competence could also be given to the communication authorities (e.g. AgCom in Italy).
In any case, the competence of EU data protection authorities within the GDPR extends to data processing operations not subject to special rules contained in the ePrivacy Directive. This approach is in line with the latest version of the draft ePrivacy Regulation, which leaves to the Member States the task of identifying an independent competent authority to monitor and guarantee compliance with the provisions contained in the Regulation.
Finally, with reference to the consistency mechanisms for cooperation between data protection authorities, the EDPB clarifies that they remain fully applicable exclusively with reference to the processing operations subject to the general provisions of the GDPR and not to a special rule contained in the ePrivacy Directive.
The ePrivacy Regulation at this point represents the last missing piece to complete the EU framework for data protection and the confidentiality of electronic communications which will complement the GDPR and provide additional safeguards for all types of electronic communications.
In addition to the opinion, the Committee issued a statement calling on EU Member States to finalize their positions on the ePrivacy Regulation, which could be reached during this Romanian Presidency, so that negotiations with the European Parliament can begin as soon as possible, but probably after the conclusion of the European elections in May 2019.
If you are interested in this topic, don’t miss our previous posts: “ePrivacy regulation latest version gets harder” and “Internet services and IoT impacted by the draft EU ePrivacy Regulation”.