The Working Party recently issued its first Opinion for 2017, focusing on the EU Commission’s proposed ePrivacy Regulation (WP 247, Opinion 01/2017). The Commission’s proposal, which was published in January this year, aims to modernize the existing ePrivacy Directive (2002/58/EC as amended by 2009/136/EC) which concerns the protection of personal data in the context of electronic communication services. In its Opinion, the Working Party overall welcomed the proposed regulation, yet expressed several points of concern and suggested amendments.
In welcoming the regulation, the Working Party embraced the choice of a regulation as legal instrument since this ensures uniformity and clarity across the EU, and facilitates consistency with the General Data Protection Regulation (GDPR). The choice of making the same authority responsible for monitoring compliance as with the GDPR, and the alignment of fines with the ones provided in the GDPR, further reinforce consistency. Equally, this complementary instrument is required to protect confidential communication and terminal equipment that have characteristics not addressed in the GDPR.
The Working Party further agreed with the approach found in the proposed regulation, one of broad prohibitions and narrow exceptions, and also the targeted application of the concept of consent. Finally, the Working Party is satisfied with the clear coverage of content and metadata, the inclusion of Over-The-Top (OTT) providers and legal persons in the material scope, and the recognition of the importance of anonymization.
…and the grave concerns
Despite the general support to the proposal, the Working Party raises four serious concerns, and several supplementary ones: tracking of the location of terminal equipment; the conditions under which the analysis of content and metadata is allowed; tracking walls; and the default settings of terminal equipment and software. The Working Party warns that the proposed regulation, if adopted as is, will lower the level of protection enshrined in the GDPR.
With regard to WiFi-tracking, the proposed regulation does not offer adequate protection. Conversely, the GDPR provides a solid level of protection since such practices are possible only when valid consent is obtained, or if the personal data collected is anonymized. In case of anonymization, the purpose of data collection is restricted to statistical counting, the tracking is limited in time and space only when necessary for this purpose, the data is deleted or anonymized immediately afterwards, and there are opt-out possibilities. The Working Party suggests that the proposed regulation complies with the GDPR requirements through including a technical standard for mobile devices to automatically signal an objection to such tracking.
As for content and metadata, the Working Party suggests that it should be prohibited to process communications data without the consent of all end-users (i.e. sender and recipient). This means that the analysis of content and/or metadata for purposes such as analytics, profiling, or behavioral advertising requires consent from all end-users whose data would be processed. There should also be a domestic exception for the processing of content and metadata for purely personal purposes of the user.
The Working Party also calls for an explicit prohibition on tracking walls. This type of walls offer take-it or leave-it choices to users, forcing them to consent to tracking if they want to access a specific service.
Lastly, the Working Party endorses by default privacy protective settings, and clear options to users to confirm or change these default settings during installation. The settings need to be easily accessible during use whereas privacy preferences should be wider, and not only limited to interference by third parties or to cookies. These changes will assist in a truly by default approach to privacy.
The Working Party also identified other issues of concern. For instance, it suggested that the term “metadata” is too narrowly defined (current wording appears to suggest only data generated in the course of the provision of services in the lower layer of the network would qualify as metadata) and that the territorial scope with regard to organizations without an establishment in the EU only addresses electronic communications service providers. Also, the scope of direct marketing is considered too limited (currently only covers “sent” advertisements whereas the suggestion is “sent, directed or presented”) and the withdrawal of consent is not explicitly free of charge, nor as easy as to give consent.
The Working Party overall suggested several amendments to the proposed regulation. The expectation is that the European Commission, along with the European Parliament and the European Council, will address these concerns and incorporate the changes they deem fit.
Alston & Bird is closely following the progress of the proposed ePrivacy Regulation along with other significant developments like the implementation of the GDPR. For more information, contact Jan Dhont, Jim Harvey, or David Keating.