The European Parliament approved the long-awaited amendments to the Directive on Privacy and Electronic Communications (e-Privacy Directive) in November 2009. The amendments, which are causing a stir in the world of online advertising, will be implemented in the 27 EU Member States by mid-2011.
The amendments include:
- notice and consent before cookies are placed on devices, with limited exceptions
- data breach notification obligation for communications providers and Internet service providers
- direct marketing e-mail content requirements
- the right to sue spammers, and
- strengthened enforcement powers for Member State authorities
Cookies only upon notice and consent
The general rule under the amended Article 5 (3) of the e-Privacy Directive is that the use of cookies or other software or devices enabling the storing or accessing of information already stored on the user’s terminal equipment, such as a computer or a smart phone, is only allowed on condition that the concerned user has given his or her consent, having been provided with clear and comprehensive information in accordance with the Data Protection Directive 96/46/EC, for example, about the purposes of the processing and the identity of the entity placing the cookie in the terminal equipment.
As an exception to the general rule, technical storage or access would be lawful without notice and consent for the sole purpose of carrying out the transmission of a communication over an electronic communications network, such as establishing an Internet connection, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service, such as directing a user’s shopping cart to the checkout in an online store. The placing of third-party cookies, such as those of third-party advertisers and Web traffic analysis tools, would nearly always require notice and consent because these are neither stored for the purpose of carrying out the transmission of a communication, nor strictly necessary to provide a service.
Whether this means the end of online advertising as we know it in the EU will depend upon how the requirements of clear and comprehensive notice and consent are implemented into Member State law. In this respect, the amended recital 66 of the e-Privacy Directive discussing cookies states that “the methods of providing information and offering the right to refuse should be as user-friendly as possible” and that the “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
In its opinion on the amendments to the e-Privacy Directive, the Article 29 Working Party, the advisory body consisting of the Member State data protection authorities, strongly objected to the use of browser settings as a means of giving consent, stating that “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment…default browser settings cannot be a means to collect free, specific, and informed consent as required in Article 2 (h) of the Data Protection Directive.” Consequently, once the Member States have implemented the directive, their data protection authorities may take a stricter approach to consent in line with the Article 29 Working Party opinion if the implementing laws are worded in a manner that leaves room for a stricter interpretation. However, following the adoption of the amendments, Austria, Belgium, Estonia, Finland, Germany, Ireland, Latvia, Malta, Poland, Romania, Slovakia, Spain, and the United Kingdom issued a statement according to which “amended Article 5(3) is not intended to alter the existing requirement that such consent be exercised as a right to refuse the use of cookies or similar technologies used for legitimate purposes,” stressing that the methods of providing information and offering the right to refuse should be as user-friendly as possible. It remains to be seen whether the Commission will agree with this statement, for if there was no intent to alter the existing requirement, why was the e-Privacy Directive amended in the first place?
Transfers of cookie data outside the EU
According to the Article 29 Working Party, “persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection legislation.” Thus, session cookies aside, the general requirements of the Data Protection Directive, such as fair and lawful processing, notice and consent, and restrictions on transfers of personal data outside the EU, apply to cookie data alongside the specific requirements set out in the e-Privacy Directive. Processing of cookie data in violation of the e-Privacy Directive, without notice and consent, would clearly violate the fair and lawful processing requirement of the Data Protection Directive, making the processing illegal not only under the amended e-Privacy Directive, but also under the generally applicable Member State data protection laws, and would therefore also make transfers of such data outside the EU illegal.
Data breach notification
Following a lengthy debate where, for example, the Article 29 Working Party and the European Data Protection Supervisor argued for a broader scope of application for a data breach notification obligation, the amended e-Privacy Directive imposes a data breach notification requirement on telecommunications providers and ISPs.
The amended Article 2 c) h) of the e-Privacy Directive defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available electronic communications service in the community.” Some EU Member State legislatures, such as those of France and Germany, are in the process of introducing or have already introduced data breach notification obligations with a scope that is broader than that adopted in the e-Privacy Directive, thereby making EU-wide breach notification compliance complex and opening a door for broadening the scope of the e-Privacy Directive’s notification obligation in the future.
Pursuant to the amended Article 4 (3) of the e-Privacy Directive, communications service providers must notify data breaches to a “competent national authority,” such as a Member State data protection authority, to be defined in the implementing Member State legislation. With respect to notifying individuals, communications service providers have to make a judgment call. If the data breach is “likely to adversely affect the personal data or privacy of a subscriber or individual,” the providers must also notify the subscriber or individual of the breach without “undue delay,” unless the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures which are applied to the data affected by the breach and render them unintelligible.
According to the European Data Protection Supervisor, examples of circumstances where individual notification is required would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation. Even if a provider does not notify the affected individuals or subscribers, the competent national authority may force it to do so.
The breach notification must, at a minimum, describe the nature of the personal data breach and the contact points where more information can be obtained, and must recommend measures that the recipients of such a notification can take to mitigate the possible adverse effects of the personal data breach. The competent national authorities may adopt guidelines and instructions concerning the circumstances under which providers are required to notify, the format of such notification, and the manner in which the notification is to be made. Member State authorities will also have the right to audit whether providers have complied with the breach notification obligation, and can impose sanctions in the event of non-compliance with the obligation.
(Editor’s note: For more on the breach notification requirements, turn to page 22.)
Expanded e-mail marketing content requirements
By incorporating a reference to the so-called E-Commerce Directive, the amended e-Privacy Directive clarifies the content requirements for direct marketing e-mail communications. All e-mails (including SMS and MMS) sent for the purposes of direct marketing must fulfill the following conditions:
- They must be clearly identifiable as commercial communications.
- They cannot disguise or conceal the identity of the sender on whose behalf the communication is made.
- They must clearly identify the natural or legal person on whose behalf the commercial communication is made.
- They must clearly identify promotional offers, such as discounts, premiums, and gifts, as such, and make the eligibility conditions easily accessible, clear, and unambiguous.
- They must clearly identify promotional competitions or games, and the conditions for participation must be easily accessible and presented clearly and unambiguously.
- They must have a valid address to which the recipient may send a request that such communications cease.
- They cannot encourage recipients to visit Web sites that contravene these requirements.
The sending of direct marketing e-mail communications that do not meet these requirements is prohibited.
The right to sue for spam
Pursuant to the new Article 13 (6) of the e-Privacy Directive, any natural or legal person that is “adversely affected” by violations of the Member State laws implementing the amended electronic direct marketing requirements will be entitled to bring legal proceedings for such violations if the person has “a legitimate interest in the cessation or prohibition of such infringements.” Thus, in addition to recipients of spam, corporations whose e-mail traffic is affected by spam, for example, as well as ISPs and telecommunications providers, would be able to sue the spammers in a Member State court.
Increased Member State authority powers
In addition to the existing powers of the national data protection and communications authorities, the amended e-Privacy Directive gives them the power to order an immediate cessation of the infringements of the Member State laws that implement the directive. Such cessation powers will exist alongside more traditional administrative and criminal fines and penalties. Moreover, the amendments also call for Member States to ensure that the competent national authorities have the necessary investigative powers and resources, including the power to obtain any relevant information they might need to monitor and enforce national provisions adopted pursuant to the amended e-Privacy Directive. Finally, the Member State authorities can adopt measures to ensure effective cross-border cooperation in the enforcement of the national laws adopted pursuant to the amended e-Privacy Directive and to create harmonized conditions for the provision of services involving cross-border data flows.
Practice pointers
Entities whose activities fall within the ambit of the e-Privacy Directive are well advised to keep an eye on how the EU Member States implement the amendments, and should enlist knowledgeable local counsel to assist in this process. Particular attention should be paid, for example, to the following issues:
- How must notice and consent be obtained for storing cookies on devices?
- What are the specifics of the data breach notification requirement, and will the Member State(s) broaden the scope of the notification requirement to cover entities other than communications service providers?
- How will the direct marketing e-mail content requirements change?
- How will the Member State(s) structure the right to sue for spam?
- What will the specific details of the Member State authority powers be and which authorities will exercise these powers?