Privacy & Information Security Law Blog

On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) narrowly voted to approve an amended version of the e-Privacy Regulation (“Regulation”). The committee vote is an important step in the process within the European Parliament. This vote will be followed by a vote of the European Parliament in its plenary session on October 23-26. If the plenary also votes in favor, the European Parliament will have a mandate to begin negotiations with the Member States in the Council. If these negotiations (commonly known as “trilogue”) succeed, the Regulation will be adopted.

Also on October 19, 2017, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) published a study on the impact of the proposed Regulation (the “Study”). The Study was prepared by Professor Niko Haerting of Haerting Rechtsanwaelte, Berlin, whom CIPL had asked for an independent expert opinion on the proposal.

The Study examines in detail the European Commission’s January 10, 2017 proposal on the Regulation. The Commission’s stated goal is to replace the existing ePrivacy Directive (”Directive”) with the Regulation at the same time the EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018.

Main Conclusions of the Study

• The Regulation focuses on protecting individuals’ privacy mainly through its consent requirements. It would therefore be up to individuals to protect their own privacy by providing or refusing consent. Shifting the responsibility from businesses to individual consumers cannot be regarded as enhancing privacy protections. Moreover, this would ultimately undermine digital services in Europe.
• In many cases, the Regulation’s rules deviate from the GDPR. This is bound to lead to legal uncertainty and will be harmful to European businesses. There is a direct conflict between the Regulation’s consent requirements and the more flexible approach in Art. 6 of the GDPR that requires consent in some cases but also allows for data processing without consent, such as when processing is necessary for the performance of a contract or when the service provider or a third party has a legitimate interest that outweighs the interests of data subjects.

Background

The Study is published against the backdrop of today’s LIBE Committee vote. The vote was 31 votes in favor, 24 votes against and 1 abstention. The outcome of the plenary of the European Parliament (in a vote which is expected on October 26, 2017) is not clear and the negotiations with the Member States in the Council have yet to begin.

The main focus of both the GDPR and the Regulation/Directive is the protection of European citizens’ privacy. While the Regulation, like the Directive, is rooted in data protection for the telecommunications sector, it has a significantly wider impact.

The Regulation contains numerous references to the GDPR. According to Art. 1(3), the provisions of the Regulation are intended to “particularise and complement” the GDPR (“lex specialis”). At the same time, the Regulation aims to protect “fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services” (Art. 1(1)) while ensuring “free movement of electronic communications data and electronic communications services” in the EU (Art. 1 (2)).

The Study focuses on the proposed new “cookie provisions” (Art. 8, 9 and 10) and on the proposed “interference provisions” (Art. 5, 6 and 7), including the “wiretapping provisions” of Art. 11. It also addresses some of the Regulation’s consequences for connected and autonomous cars.

In particular, the Study seeks to answer the following questions:

• Practicability: Are the proposed provisions coherent and do their application on standard business models lead to reasonable results?
• Overlap: Are the proposed provisions in line with the provisions of the GDPR? Are there contradictions?
• Freedom of Communication: Do the proposed provisions foster the free flow of communication data in Europe, or do they, unintendedly, impose obstacles on communication?
• User-Friendliness: Do the proposed provisions meet the expectations of reasonable users?

The Study’s Key Findings

• With the prohibition on “processing” communications data, the Regulation would be a serious obstacle to digital innovations in Europe and to the development of new beneficial services based on data use and machine learning. The prohibition on “processing” would constitute a substantial setback to the European digital economy.
• Excessive consent requirements would lead to red tape and tick boxes, which are likely to irritate consumers. This will negatively impact their online experience.
• Art. 5 of the Regulation introduces a new prohibition on the “processing” of communications data. However, it is exactly the “processing” of communications data that that the customer pays for (as opposed to “interception” or “surveillance”). The prohibition should be limited to interception and surveillance of messages.
• With respect to metadata, it is unclear why IP addresses and other “online identifiers” clearly covered by the GDPR need to be regulated in the Regulation as well.
• Art. 6 of the Regulation does not work for machine-to-machine communication, wearables, connected cars and the Internet of Things (“IoT”). In machine-to-machine-communication, raw data are transmitted that qualify neither as “content” nor metadata.
• When customers use digital communications services (e.g., email, messenger), they will expect their messages to be stored by the provider. Moreover, they will expect to be in control when it comes to the erasure of messages. Therefore, the provider’s duty to erase content is against the user’s interests and contrary to the user’s expectations.
• Given that “online identifiers” cookies are covered by the GDPR, it is unclear why additional provisions are needed in the Regulation.
• Web analytics tools are, on the one hand, recognized as “legitimate and useful”. On the other hand, hardly any analytics tool will be covered by the exception from the consent requirement, because the exception is applicable only when a website operator is using his or her own analytics tool. This is contradictory.
• Fingerprinting falls under the “cookie provision” of Art. 8 of the Regulation and requires consent. For the time being, it does not appear to be realistic to expect that there will soon be browser settings on the market that meet the requirements of consent for fingerprinting. There are presently no standards for such settings on the market, and the standards that can be found in the Regulation focus exclusively on cookies and neglect fingerprinting and other non-cookie tracking technologies.
• WI-FI and Bluetooth tracking are prohibited by Art. 8 (2) of the Regulation and no consent exception is provided. This is not in line with the intention of making consent the “central legal ground” of the Regulation.
• The obligation to display “prominent notices” limits the lawfulness of WI-FI and Bluetooth tracking to tools that monitor a building or a pre-defined area.
• The over reliance on consent is based on false assumptions when it comes to legal persons. The Regulation aims at protecting privacy and extending such protection to legal persons. However, it is unclear whose consent is relevant.
• Art. 10 of the Regulation obliges app providers to enable users to prevent the storing of “information.” However, it is such storage that often will be a fundamental function of the app. There is no reason why the provider of a messenger app should be obliged to enable his or her customers to prevent the storing of messages, pictures and voice files on their smartphones given that the receipt and (temporary) storage of content is the main purpose of the app.