The ePrivacy Directive (formally ‘Directive 2002/58/EC’) establishes specific rules on privacy for the electronic communications sector, such as limiting the use of traffic and location data and prohibiting listening to communications.

As of Dec. 21, 2020, the obligations of the current ePrivacy Directive will apply to instant messaging applications, email, internet phone calls and personal messaging provided through social media — collectively, over-the-top services — in addition to traditional telecom providers.

Why has the scope of application of the ePrivacy Directive been broadened?

On Dec. 4, 2018, the Council of the EU formally adopted the directive establishing the European Electronic Communications Code (EECC), concluding the update of the EU’s rules for telecom/electronic communication services. It was published in the Official Journal Dec. 17, 2018.

While the definition of electronic communications services (ECS) in the existing EU rules for telecom/electronic communication services only covers traditional telecommunication services (transmission of telephone signals — voice and data — and the provision of access to the internet), the EECC also covers OTT services. Recital 15 of the EECC explains the rationale: "The services used for communications purposes, and the technical means of their delivery, have evolved considerably. End-users increasingly substitute traditional voice telephony, text messages and electronic mail conveyance services by functionally equivalent online services such as Voice over IP, messaging services and web-based e-mail services."

Similarly, the scope of application of the current ePrivacy Directive (ePD) is also limited to traditional telecommunication services. Indeed, pursuant to Articles 2 and 3, the scope of the ePD is the same as under the existing rules for telecom/electronic communication services, meaning the principle of confidentiality of communications and the limitations on the use of traffic data only apply to such services.

There are two reasons for the change in scope: first, Article 2 of the ePD cross-refers to the definitions of ECS contained in the EU telecoms/electronic communications framework; and second, the combination of Art. 125 and Annex XII of the EECC specifically requires that any cross-reference to the repealed framework be construed as referring to the new EECC. Therefore, the change in the definition of ECS in the EECC translates into a change of scope of the ePD, and once the EECC is transposed into national laws and becomes enforceable, the ePD will apply to OTT services.

Andrus Ansip, Commission vice-president for the digital single market, commented in a recent meeting of the Telecommunications Council (see webcast) on the application of the ePD to OTTs after the EECC comes into force, saying, “it will involve applying an extremely constraining regime to the processing of personal data by OTTs.”

What are the main obligations that OTTs will face?

The main new obligations include the following:

Confidentiality – Art. 5 of the ePD prohibits the listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users without the consent of the users concerned.

This obligation has implications for OTT services such as web mail services that engage in email scanning, for example, to show personalized or targeted ads. The ePD will prohibit these practices unless the provider has obtained the prior consent of all the users concerned.

Limitations on the use of traffic and location data – Traffic data includes information about the timing of a phone call, a message or email, the sender and recipient of these communications, location of the sender and the recipient, etc. Pursuant to Arts. 6 and 9 of the ePD, traffic data must be erased or made anonymous unless it is needed for billing purposes (and only for the period during which the bill may be challenged). The ePD allows the provider to process traffic data for the purposes of marketing electronic communication services or providing a “value added service” only if the user has given prior informed consent.

These articles are relevant if OTT services use traffic and location data generated by or in relation to their users for any purpose beyond billing — for example, to provide them with targeted ads in related services. The ePD will limit the type of services for which such data can be used (only ‘value added services’) and only with prior consent.

It is also worth noting that the definition of consent under the ePD has been automatically upgraded by the General Data Protection Regulation (GDPR) to require specific, unbundled and freely given consent.

Can OTTs use the legal grounds of the GDPR for processing rather than the more limited grounds of the ePD?

The ePD complements and particularizes the GDPR (lex specialis), meaning that for matters specifically governed by the ePrivacy Directive, the ePrivacy Directive should apply instead of the GDPR provisions. For example, if the legal grounds for processing are specifically covered by the ePD, then ECS providers must rely on the specific grounds set forth by the ePD (and not on the GDPR’s legal grounds). In all other cases concerning the processing of personal data, the GDPR will apply (e.g., the rights of the data subjects).

What practical steps should OTTs undertake to bring their services into compliance with the ePD?

OTT service providers should consider first whether they are covered by the new rules and, second, they should assess how they will meet the requirements of the ePD. This should be done before the EECC becomes applicable.

Are the specific services you provide covered? The case of “ancillary services”: While, as explained above, the ePD will apply to OTT services, there is a significant carve-out from the definition of ECS under the EECC, which excludes “ancillary services.”

Recital 17 of the EECC suggests that these ancillary services are typically thought to cover messaging services in dating apps and computer games; it also suggests a strict interpretation of this exception: “In exceptional circumstances a service should not be considered to be an interpersonal communications service if the interpersonal and interactive communication facility is a minor and purely ancillary feature to another service and for objective technical reasons cannot be used without that principal service, and its integration is not a means to circumvent the applicability of the rules governing electronic communications services. As elements of an exemption from the definition the terms ‘minor’ and ‘purely ancillary’ should be interpreted narrowly and from an objective end-user’s perspective.”

Thus, the exact scope of the carve-out will need to be interpreted on a case-by-case basis, and regulators in each member state may take different views. This carve-out for ancillary services is also brought into the ePD, again because the ePD draws its definition of ECS from the EECC.

Do your services meet the requirements of the ePD? What else is needed? This will involve an analysis of the data that the OTT services are processing and a determination of whether the processing is permitted under the ePD or whether they will need consent of the relevant parties.

As mentioned above, if consent is required then it must be GDPR-grade consent.

When will these new obligations apply?

These obligations will be applicable as of Dec. 21, 2020 (under Art. 124.2 of the EECC). By the same day, member states must publish national implementing laws transposing the EECC.

What about the proposed ePrivacy Regulation?

In 2017, the Commission presented a proposal repealing the ePrivacy Directive and replacing it with a regulation on ePrivacy, or the ePR. The proposal is making its way through the legislative process. If and when the proposed regulation is adopted, its rules and scope of application will entirely replace the ePD and the specific rules contained therein.