ETNO ThinkDigital Blog Post - ePrivacy Directive called into question: time to move forward
Global law firm DLA Piper takes a deeper look into the arguments supporting the long-term goal of repealing the ePrivacy Directive to the benefit of consumers. #ThinkDigital
Setting the Scene
Regulation 2016/679 [1] - formally approved in April 2016 and set to apply from May 2018 - needs to be respected by all players offering services to European citizens, regardless of the sector they are active in. It aims to achieve a full and horizontal harmonisation in the area of privacy, based on the principle of technology-neutrality and adapted to the needs of our digital society.
While ETNO, the association representing Europe’s main telecom operators, fully supports this idea, it is convinced that such harmonised privacy will not be achieved as long as the Directive 2002/58/EC on privacy and electronic communications (the "ePrivacy Directive") continues to exist alongside the GDPR. The ePrivacy Directive sets out sector-specific rules with regard to the processing of, amongst others, location data, traffic data and data breaches in the telecom sector.
The co-existence of the two legal instruments will likely lead to legal uncertainty and confusion regarding the scope of the ePrivacy Directive and the competent regulatory bodies. Telecom providers are subject, not only to the GDPR, but also to the sector-specific rules of the ePrivacy Directive, while functionally equivalent services provided by "over-the-top" players (such as WhatsApp and Skype) are only subject to the GDPR. This creates legal uncertainty for consumers and telecom providers, an unlevel playing field between market players, and also leaves space for confusion for consumers who would be confronted with inconsistent privacy standards and experiences.
Taking into account the above and against the background of the upcoming revision of the ePrivacy Directive, ETNO has requested that we further investigate arguments supporting the long-term goal of repealing the ePrivacy Directive in a new study with the aim of (i) building consumer trust by reducing regulatory complexity, (ii) restoring the level playing field between all market players and (iii) ensuring consistency within the regulatory framework applicable to telecom providers and other entities processing personal data. This study further builds on the results of a previous feasibility study conducted for ETNO, a copy of which can be downloaded here.
Relevance of the ePrivacy Directive
The co-existence of the GDPR, which creates a horizontal data protection regime, and the ePrivacy Directive, which regulates sector-specific data protection issues, leads to inconsistencies and unjustified differences between sectors and technologies. Indeed, most provisions in the ePrivacy Directive overlap with the newer GDPR.
The following provisions overlap with the GDPR and should therefore be repealed:
- Security of processing and data breach notifications: both the ePrivacy Directive and the GDPR require that appropriate technical and organisational measures be taken to safeguard the security of personal data. Both instruments contain comparable data breach notification regimes. The clear overlap between the two instruments suggests that only one should be retained. The GDPR offers a similar or even higher level of protection than the ePrivacy Directive as well as a more advanced and horizontal regime. Logically, the GDPR should be retained.
- Location data and traffic data: the European Commission is of the opinion that location and traffic data processed by telecom providers should benefit from more "enhanced" protection considering that, if stored over time, it allows very precise conclusions to be drawn on the private lives of individuals. However, the GDPR already contains a high level of protection and appropriate safeguards to protect the interests of individuals. Both location data and traffic data qualify as personal data in the GDPR and the processing of such data already falls within the scope of the GDPR. Furthermore, more precise location and traffic data are often processed through information society services, which are only subject to the GDPR. There is therefore no longer a justification to treat telecom providers processing such data differently.
- Cookies and other tracking mechanisms: cookies and other identifiers that are uniquely linked to a device and are capable of identifying a natural person can be considered personal data and are therefore subject to the GDPR. The mere application of the GDPR remedies the existing difficulties with the consent rule and prevents website visitors from being confronted with cookie banners on every single website while still providing for appropriate safeguards, notably when third-party advertising cookies and cookies for profiling purposes are placed.
- Unsolicited communications: the GDPR contains specific rules on direct marketing, including a right to object, that allow individuals to keep control of the use of their personal data for direct marketing purposes. There is therefore no longer an absolute need for a specific and diverging regime for certain types of direct marketing when making use of specific technologies.
The confidentiality of communications principle is slightly more delicate to deal with in this context, as it remains a cornerstone of privacy and data protection. Although it is also protected by national constitutions and international instruments, deleting this principle raises questions, and requires further reflection. If the legislator considers it is still required, given that the confidentiality of communications principle concerns all sectors, and not only telecommunications services, it should be technology-neutral and would benefit from being transferred to a more horizontal legislation covering all services which allow interpersonal communications.
Finally, there are provisions in the ePrivacy Directive which are telecom-specific, such as itemised billing, control over call line identification, automatic call forwarding and subscribers' directories. Given today's digital society and the current state of the market, these provisions have become outdated and are no longer relevant. However, should the European legislator still deem them relevant, they should be transferred to a more horizontal legislation covering all services that allow interpersonal communication.
The arguments set out above make it clear that the ePrivacy Directive is outdated and no longer needed. Most of its provisions, if not all, should therefore be repealed. Should the confidentiality of communications principle and/or the non-privacy related provisions be deemed relevant by the European legislator, they should be updated and moved to a more horizontal legislation covering all services that allow interpersonal communications.
Repealing the ePrivacy Directive would contribute to harmonising privacy rules across Europe. All data protection rules would be contained in one instrument, notably the GDPR. This instrument applies to the processing of personal data, irrespective of the applied technology and the sector in which the data controller is active. Retaining only the GDPR would restore the level playing field amongst all market players as they would all be subject to the same rules. It would also reduce the regulatory complexity, improve consumers’ understanding of the way in which their privacy is protected and facilitate a consistent and uniform application of the rules throughout the EU.
For the sake of completeness it should be added that if the European legislator considers that a separate ePrivacy instrument should be maintained for certain topics despite the above arguments against it, then this instrument should respect a number of minimum guidelines that are further detailed in the study.
Please liaise with ETNO or the authors of this blog post for more information on the study. A copy of the full study can be found here.
[1] Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR")
By Patrick Van Eecke and Raf Schoefs for ETNO #ThinkDigital, 01.09.2016
Prof. Dr. Patrick Van Eecke is a partner at the global law firm DLA Piper UK LLP (Brussels office) and professor of European Information Technology and Communications Law at the law faculty of the University of Antwerp. Raf Schoefs is a lawyer at DLA Piper UK LLP (Brussels office). E-mail addresses: firstname.lastname@example.org and email@example.com