Cookies, Directories, Advertising and Personal Data: New EU Rules on Privacy in Electronic Communications
The Digital Single Market Strategy ("DSM Strategy") had, as an objective, to increase trust in and the security of digital services. In that context, the EC proposed a reform of the data protection framework across the EU, which materialised in the adoption of Regulation 2016/679, the General Data Protection Regulation ("GDPR"). The text will take effect in May 2018.
This overhaul of the European data privacy rules created the urgent need to review Directive 2002/58/EC (the "ePrivacy Directive"), which addressed the matters of privacy protection specifically for users of electronic communications services. A strong debate took place among stakeholders, consumer representatives and policy makers regarding whether the GDPR was now enough and the ePrivacy Directive could simply be repealed, or whether a "lex specialis" was still needed in the specific field of telecommunications, improving the hitherto defective EU harmonization and extending its main rules to the new players, so as to create a level playing field for all market players. The debate (and the solid impact assessment evaluating the different legislative options, available here) resulted in the decision to transform the essence of the ePrivacy Directive into a new Regulation, "concerning the respect for private life and the protection of personal data in electronic communications", and to modernize its previous content while ensuring its consistency with the GDPR.
It is worth recalling the larger regulatory context in which this new legal instrument must be read. That includes not only the GDPR, but also the future Directive establishing the European Electronic Communications Code ("EECC"), currently under its own legislative track. While the ePrivacy Regulation is not an integral part of the EECC, it partially relies on definitions provided therein, including that of 'electronic communications services'. And like the EECC, the ePrivacy proposal also brings the new market players ("Over the Top" or "OTT" providers) into its scope to reflect the market reality.
Part of that context is also the Radio Equipment Directive 2014/53/EU, which ensures a single market for radio equipment. In particular, it requires that, before being placed on the market, radio equipment must incorporate safeguards to ensure that the personal data and privacy of the user are protected.
The Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. It does not apply to electronic communications services which are not publicly available; nor to activities of competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The geographical scope is clear: the Regulation applies to the provision of electronic communications services to end-users in the European Union, to the use of such services, and to the protection of information related to the terminal equipment of end-users located in the Union. It is irrelevant if a payment of the end-user is required or not.
Where the provider of an electronic communications service is not established in the Union it will be mandatory for it to designate a representative in the Union, established in one of the Member States where the end-users of such electronic communications services are located.
The Regulation, besides referring to the many concepts previously defined in the GDPR, includes a series of definitions of important and commonly used features such as electronic communications metadata, publicly available directory, electronic mail, direct marketing communications, etc.
Confidentiality and protection of private information in the terminal
Chapter II contains the key provisions ensuring the confidentiality of electronic communications and the limited permitted purposes and conditions of processing such communications data. It also addresses the protection of terminal equipment, by (i) guaranteeing the integrity of the information stored in it and (ii) protecting information emitted from terminal equipment, as it may enable the identification of its end-user. Finally, it details the consent of end-users, a central lawful ground of this Regulation, expressly referring to its definition and conditions as provided by the GDPR, while it imposes an obligation on providers of software permitting electronic communications to help end-users in making effective choices about privacy settings.
These rules depart from the current practice mainly in two points. First, the current "one-by-one" web consent to cookies by the user (the so-called "cookies banner", a burdensome and often useless practice all internet users are familiar with) is replaced by mandatory obligations imposed on the browser provider to establish a clear and understandable privacy regime to be expressly accepted by the user. Internet platforms and telecoms companies will be required to ask users every six months for permission to track and use their activity data, such as location and the time when a text message is sent. Second, these rules will apply as well to the new market players or OTTs (WhatsApp, Twitter messaging, etc.).
Even though this is now a Regulation and not a Directive, there may not be full harmonization in this matter across the EU: Member States are authorized to restrict the previous rules if necessary to safeguard the public interest. In practice, this will require providers of electronic communication services to constantly check the regulatory framework at national level.
Control of electronic communications by users
Chapter III refers to the rights of natural and legal persons to control electronic communications to protect their privacy. This includes the right of end-users to prevent the presentation of the calling line identification to guarantee anonymity, with some limitations; and the obligation for providers of publicly available number-based interpersonal communication to provide for the possibility to limit the reception of unwanted calls.
The Regulation also fixes here new conditions under which end-users may be included in publicly available directories: end-users will have the possibility not to be included in a publicly available directory, or to verify, correct and delete any data related to them, to be provided free of charge.
Conditions are set regarding when unsolicited communications for direct marketing may be conducted, including the possibility of blocking all ads. Indeed, some in the media industry are saying that the proposal “could mean the end of free news as we know it”, as it will create serious difficulties for targeted advertising without specific consent.
The Regulation provides for an obligation imposed upon providers of electronic communications services to alert end-users in case of a particular risk that may compromise the security of networks and services. The security obligations in the GDPR and in the EECC will also apply to the providers of electronic communications services.
Enforcement, remedies and penalties
The supervision and enforcement of this Regulation is entrusted to the same supervisory authorities in charge of the GDPR, the Data Protection Authorities or DPAs. The powers of the European Data Protection Board are extended and the cooperation and consistency mechanism foreseen under the GDPR will also apply in case of cross-border matters related to this Regulation.
Various remedies are made available to end-users, and not only to them: any natural or legal person adversely affected by infringements of the Regulation and having a legitimate interest, including a provider of electronic communications services protecting its legitimate business interests, shall have a right to bring legal proceedings in respect of such infringements.
In terms of penalties, the consequences for non-compliance may be heavy:
- Infringement of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
- Infringements of the rules regarding confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher. The same applies in case of non-compliance with an order of a supervisory authority.
The proposed Regulation now starts its full legislative procedure. And although most electronic communication providers (and new market players) were vocal against it, there is general political consensus both in the Council and in the Parliament about the need for this specific law. That being said, there is still wide room for clarifications and amendments in the months to come.
The Regulation may take at least a full year before it is approved by Parliament. But in any case, its entry into force has been set to be coordinated with that of the GDPR, that is, it shall apply from 25 May 2018.