The European Commission reviewed the ePrivacy Directive to replace it with ePrivacy Regulation. Two key reasons: the alignment with the General Data Protection Regulation (GDPR) and OTT services as the new telecoms reality.
I highlighted some key aspects of the new ePrivacy Regulation to discover how they provide answers to the privacy challenges of the EU Digital Single Market.
Scope of application
Privacy in electronic communications clearly deserves special attention. Remember the stir caused by the previous EU and some Member State traffic data retention rules? Despite convergence of IT and telecoms, there seems to be a broad agreement within the industry that the area requires regulations beyond general data protection rules of the GDPR. When applied in the electronic communications sector, general concepts such as ‘consent’ would be aligned with those of the GDPR.
The proposed ePrivacy Regulation follows the pending proposal for the European Electronic Communications Code in terms of explicitly including interpersonal communications services, including those provided as OTT. The proposed ePrivacy Regulation goes further though, regulating even those services that enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service, such as e-gaming.
As the current Directive, the proposal applies to both content of communications and the data pertaining to these communications. However, the concept of traffic data has been replaced with a broader concept of ‘electronic communications metadata’ i.e. data about communications.
A revised cookie rule
The famous ‘cookie rule’ has been better adapted to commercial realities. The present ePrivacy Directive requires, unless consent has been given, cookies to be strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. This has prompted website owners across Europe to introduce highly annoying cookie pop-ups.
According to the ePrivacy Regulation Proposal, ‘strictly necessary’ standard is to be replaced with the need for regular own website analytics requirements. Cookies could accordingly be placed if this is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user, not a third party.
Consent can also be given at the browser level. Browsers and other communications software shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. Upon installation, such software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. In the case of software which has already been installed on 25 May 2018, these requirements shall be complied with at the time of the first update of the software, but no later than 25 August 2018.
The processing of end-user equipment emitted data
Whereas cookies may have seemed like a considerable threat to privacy in 2009, the interception and processing of data emitted from end-user smartphones and other devices now seems way more relevant. This is reflected in a new set of rules of the ePrivacy Regulation Proposal.
Unless necessary for the sole purpose of establishing a connection, the collection of information emitted by terminal equipment to enable it to connect to another device or a network shall be prohibited, except if a clear and prominent notice is displayed informing of, at least, the modalities of the collection, its purpose, the person responsible for it, and other information required under the GDPR, as well as any measure the end-user of the terminal equipment can take to stop or minimise the collection.
The collection of such information shall be conditional on the application of appropriate technical and organisational security measures that may be appropriate under the GDPR, such as pseudonymisation or encryption.