On September 11, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on the Proposal for an ePrivacy Regulation (the “White Paper”). The White Paper comments on the European Commission’s proposal to replace and modernize the privacy framework for electronic communications contained in the current ePrivacy Directive and to align it with the EU General Data Protection Regulation (“GDPR”).
The White Paper highlights CIPL’s concerns with several aspects of the proposal and puts forward key recommendations to address these concerns:
The Scope of the Regulation Should Be Significantly Limited
- The proposed Regulation’s over-reliance on consent and its broad scope will undermine the GDPR, as well as legitimate, necessary and beneficial processing of data and business practices within the Digital Single Market (for example, digital data processing relating to electronic communications and use of data on and about devices).
- The proposal should be limited to core communications services and electronic communications data within the GDPR’s definition of personal data.
- The rules on confidentiality should only apply during transmission of communications, targeting genuine surveillance of individuals and communications.
- The need for a specific provision for collection of personal data via cookies should be reconsidered, as information about and emitted by devices should not be subject to the Regulation.
- The proposal should add to the protections of the GDPR only where there is evidence that the relevant GDPR provisions do not offer sufficient protection.
The Consent Approach of the Proposal Must Be Reassessed
- Consent should be required only where appropriate, i.e., where the processing is intrusive or harmful with potentially high risks to an individual’s privacy that cannot be effectively mitigated, and where the provider can provide meaningful information and choice to the user.
The Concept of Legitimate Interest Must Be Included in the ePrivacy Regulation
- Legitimate interest should be recognized as a ground for processing (consistent with the GDPR) to ensure the ePrivacy rules are future proof.
More Exceptions to Consent Are Needed
- Exceptions to end user’s consent in Articles 6 and 8 of the proposal should be widened to cover entities other than providers of electronic communications networks/services and to include a wide household exemption, as well as other exemptions where a specified public interest or business continuity or development would require processing without consent.
Add Flexibility to Make the ePrivacy Regulation Future Proof
- Flexible tools incorporating industry input should be included to make the ePrivacy Regulation future proof. Examples include codes of conduct, empowering the Commission to further extend the list of exemptions, and authorizing the European Data Protection Board to issue guidance on the exemptions to consent.
Postpone the Application of the Regulation
- The adoption of the ePrivacy Regulation should be postponed, with a transitional period, similar to the GDPR, put in place.
The legislative procedure on the ePrivacy Regulation in the European Parliament and the Council of Ministers is progressing. On September 8, 2017, the Estonian Council Presidency presented a revised text. The revisions do not affect the recommendations of the White Paper.