The first draft of the EU’s ePrivacy law reform has been leaked. According to sources, the leaked version is still under discussion on some points and a final version is expected in early January 2017.
“The main objective of the review of the ePrivacy Directive is to adapt the current rules which apply to electronic communications services to the new General Data Protection Regulation (GDPR),” reported a European Commission spokesperson. “The new instrument will ensure a high level of privacy and confidentiality for users. While the intention would be to broaden the possibilities for communications providers to process communications data, this would only be possible with the agreement of users in the spirit of the GDPR. While the scope of the Directive currently applies to providers such as traditional telecoms companies, another key objective of the review is to cover similar services in the same manner in line with our recent proposals to set a European Electronic Communication Code. The proposal would also simplify the provisions for cookies giving more choice to users.”
Given the big aim of aligning the ePrivacy law with the GDPR, The Privacy Advisor spoke with MEP Jan Philipp Albrecht, GDPR rapporteur, about the draft to sort out the good, the bad and the missing.
The “Good”: Consistency with GDPR, Do Not Track
“The very good side is that it’s a Regulation and not a directive anymore,” said Albrecht.
An EU regulation applies directly in national law and gives national governments less room for maneuver than a directive. This is not really a surprise given the “r” in GDPR also stands for regulation.
“This draft is indeed very much brought in line with the GDPR, which is not only a necessity, it makes sense not to open up all the discussions again and create a fragmented framework,” added Albrecht, describing the aim of the proposed regulation as a “level playing field.”
As with the GDPR, the proposal has a broad territorial scope and applies to communications data processed in conjunction with service provisions from outside the EU to users inside the EU. Sanctions are likewise increased to up to €20 million or 4 percent total worldwide annual turnover. That liability applies to hardware and software manufacturers as well as service providers.
Unsurprisingly, the law will apply to “over-the-top” (often shortened to “OTT”) service providers such as Facebook Messenger, WhatsApp, and Skype as well as traditional telecommunications services providers. The Commission had clearly indicated it was heading in this direction despite heavy lobbying from the tech industry.
The law could potentially even apply to machine-to-machine communication, if the information or metadata exchanged between two devices is deemed to contain personal data.
As promised, the draft also seeks to simplify Europe’s convoluted cookies rules. Under the old law, specific consent must be sought before placing a cookie on a user’s computer. In practice this has led to constant annoying pop-up windows that users click without reading.
The new Regulation proposes that when cookies are used just for “configuration purposes” — i.e., are technically necessary, to keep a shopping cart stable, for example — there is no need to inform users. When cookies are for tracking purposes, Article 9 says that consent may be given by the use of “appropriate technical settings for software products that enable access to the Internet” — in other words, “Do Not Track.”
How this will work in practice remains to be seen, although DNT should be enabled by default.
The “Bad”: Direct Marketing Carve Out, Six-Month Consent?
“There are big weaknesses on tracking,” however, said Albrecht, noting that where the leaked proposal strays from the GDPR it strays in a way he doesn’t like. “On the tracking of communications and metadata, we would expect that metadata of electronic communications should be rated as more sensitive. With metadata, you can read more patterns of behavior, networks of people, where they are with location data, and so on. We have not only the right to privacy, but the right to confidential communications, so I would have thought you treat these as more sensitive.”
“There are also opt outs for direct marketing,” he continued. “I think that is going way too far and there should be more protection for individuals from this sort of tracking.” Article 16 of the draft allows “natural or legal persons” to use electronic contact details for direct marketing purposes if they have acquired those contact details in the context of a sale of a product or service, provided customers are “clearly and distinctly” given the chance to object.
“There should be a more consent-like situation,” said Albrecht. He believes it need not be as cumbersome as the cookies consent became, “but we can think about technical means to enact privacy by default.”
Meanwhile, Article 6 of the draft says: “Providers of telecommunications services may process electronic communications metadata if the end-user has given prior consent to the provider for one or more specific services, including the provision of value-added services.” Telecom companies have been traditionally barred from using customer data to provide additional services.
“Another bad point is the general provision that you should be able to withdraw your consent only every six months,” said Albrecht referring to Article 9(3). “This falls behind the GDPR and that is a no go,” he said. In the GDPR it is clear you can withdraw your consent in the same easy way that you gave it.
However, “End-users who have agreed to the processing of electronic communications data … shall be given the possibility to withdraw their consent at any time set forth under Art 7(3) of Regulation (EU)2016/679/EU and on periodic intervals of six months, as long as the processing continues,” reads Article 9(3) of the draft, seemingly muddying the more straightforward GDPR rules.
The “Missing”: Data Retention Rules, Encryption Standards
The leaked draft does not provide any clear rules on data retention. Despite the overturning of the EU Data Retention Directive by the European Court of Justice in 2014, many national governments have re-introduced laws requiring telecommunications providers to store data for law enforcement purposes. Indeed, Article 11 essentially allows national authorities to disregard many of the protections for the purposes of safeguarding “national security, defence, public security, and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.”
Albrecht pointed out that there will be a ruling by the European Court of Justice in the DRIPA (the UK’s Data Retention and Investigatory Powers Act) case next week (December 21) and after that the rules around data retention will have to be addressed again.
Nor is there anything on encryption in the draft, said Albrecht: “There should be something on the necessity for encryption,” he said. “We should discuss if it’s possible to get some sort of standard for end-to-end encryption.”
Will these kinds of criticisms be recognized by the Commission drafters? The ePrivacy proposal is set to be unveiled in January and may still undergo changes before the Commission makes its official announcement — likely on January 11. At which point the Parliament will begin to grapple with it. Unlike the two-year transition period for the GDPR, this draft of the ePrivacy Regulation reads that it will be applicable just six months after it enters into force (Article 31), meaning that, if there is a particularly quick reading of the ePrivacy law, both could potentially become enforceable at the same time.