Many voices and perspectives — from consumer groups to industry associations to regulators — have weighed in on the terms of the European Union’s proposed ePrivacy Regulation (referenced as ePR here going forward) since it was released by the Commission Jan. 10, 2017. To explore the potential impact of the ePR, this article examines where the draft of the ePR presently stands and how its provisions are being contested.

The five most hotly-contested issues are:

  • Regulatory scope
  • Data subject consent
  • Cookies and tracking walls
  • WiFi tracking
  • Privacy by design/default

Tracing how relevant provisions of the ePR have evolved in response to negotiation, lobbying, and advocacy efforts, we include here not only a narrative discussion of the concerns raised, but also accompanying comparisons of the texts proposed by the Commission in January 2017, the redrafts submitted by the Council in September and December 2017, and the amendments proposed by the Parliament in October 2017 to Articles 2, 8, 9, and 10.

Scope

According to the Commission, one of the key features of the proposed regulation is that its scope extends to cover commonly used, “over-the-top” internet-based electronic communications services, such as WhatsApp, Facebook Messenger, Viber, and Skype (commonly referred to as "OTT providers"), to ensure they provide the same level of protection as traditional telecommunications operators. As described in Recital 11, the ePR defines “electronic communications services” as “not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as for example, Voice over IP, messaging services and web-based e-mail services.” The ePR would also apply to “interpersonal communications services that are ancillary to another service” as well as machine-to-machine and internet-of-things communications. These changes represent a vast expansion in the scope of the law, which has traditionally been applicable strictly to telecom operators.

Parliament further clarified the scope of the ePR laid out in Article 2, in line with a recommendation from a study in May it commissioned from researchers at the Institute for Information Law, which remarked that the wording of the Commission’s proposal “seems to be too narrow.” Indeed, bringing internet-based communication service providers within the regulatory orbit of the ePR has been one of its most-discussed changes.

Not all stakeholders, however, have been supportive of the ePR’s widened reach. For example, Digital Europe, an organization that represents the digital technology industry in Europe, has argued that the ePR “captures a disproportionately broad range of services,” and should avoid becoming “catch-all” legislation. The Centre for Information Policy Leadership (CIPL) has warned that the broad scope of the ePR will have unintended consequences, such as “undermining the GDPR, as well as legitimate, necessary and beneficial processing of data and business practices within the Digital Single Market.”

At the same time, several groups have applauded the ePR’s expanded scope. In particular, European Digital Rights (known as EDRi) and the European Consumer Organization (known as BEUC) both announced their support for extending the scope of the rules to include OTTs. The Article 29 Working Party also welcomed the ePR’s expansion to OTT providers, which it likened as “functionally equivalent” to tradition telecommunications providers and argued “have a similar potential to impact on the privacy and right to secrecy of communications of people in the EU."

See the comparison of drafts regarding SCOPE here.

Consent

Consumer consent to data processing is at the core of several articles in the draft ePR. In 2009, the Cookie Directive, amending the ePrivacy Directive, included the language that “consent … must be informed, specific, freely given and must constitute a real indication of the individual’s wishes,” subject to some exemptions.

The ex-post evaluation carried out through the REFIT Platform, which is geared toward advising the Commission on making EU regulations “more efficient and effective while reducing burden and without undermining policy objectives,” sought to update the ePrivacy framework to align with the new rules established by the General Data Protection Regulation 2016/679. It found the ePR consent rule to be both “over-inclusive, as it also covers non-privacy intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting).”

Article 9 of the Commission’s ePR proposal adopted the definition of and conditions for consent provided in the GDPR. It added that end-users “shall be given the possibility to withdraw their consent at any time [in accordance with the GDPR] … and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues.”

The CIPL has argued that the ePR relies too much on consent, which “will have the unintended consequence of undermining the GDPR, as well as legitimate, necessary and beneficial processing of data and business practices within the Digital Single Market.” Representing the view of businesses, Digital Europe has argued for greater flexibility on how communications data is used “through a greater reliance on legal basis’ for processing other than end-user consent, such as ‘legitimate interest,’” arguing that “[i]t is unclear from whom consent needs to be obtained and who is responsible for obtaining it.”

Countering arguments about “consent fatigue” at the IAPP’s Data Protection Congress in November, German MEP Birgit Sippel, who recently replaced MEP Marju Lauristin as the European Parliament’s Special Rapporteur for the ePrivacy Regulation, argued that “businesses are innovative and should be able to create ways of obtaining meaningful consent without causing consumer fatigue.”

See the comparison of drafts regarding CONSENT here.

Cookies and Tracking Walls

Article 8(1) prohibits “[t]he use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware” except on certain grounds. In addition to consent, there are three main exceptions that involve various necessities for providing electronic communication and information society services:

  1. When it is “necessary” to transmit an electronic communication.
  2. When it is “necessary” to provide an information society service requested by the user.
  3. When it is “necessary” to measure the reach of an information society service requested by the user.

Notably, legitimate interest is not one of the exceptions. Although this has been a point of contention for some observers, others have recommended for it not to be included.

In its proposed amendments to Article 8(1), the Parliament forbids so-called “tracking walls,” which present users with a “take-it-or-leave-it” choice between privacy and access to a service. These amendments respond to many concerns raised about the Commission’s proposal throughout the year. EDRi, for example, has criticized it for still enabling the use of cookie walls and suggested it is important for users to “be able to use a service without being tracked by third parties, especially if the user depends on, and has no real alternative to, this service.” In the same vein, the Article 29 Working Party expressed support for an explicit prohibition on tracking walls, which they characterized as “take it or leave it choices that force users to consent to tracking if they want to have access to the service.”

The Centre for Information Policy, meanwhile, has questioned the need for the ePR to regulate the use of cookies, as the topic is already “extensively regulated” by the GDPR. Moreover, it has argued that, if Article 8 remains, it is crucial to limit its scope in such a way so that it does not extend beyond “the protection of individuals against cookies and other tracking technologies.”

In response to other concerns about tracking, Parliament’s amendments to Article 8(1) also more clearly defined analytics tools for web audience measuring “to ensure that this information is exclusively used for this specific purpose.” For example, in March, MEP Jan Philipp Albrecht argued that the exemption for being able to use cookies on a website after consent is given for another purpose, such as for web-audience measurement, would mean that people will be “constantly … tracked and monitored.” EDRi also suggested the exemption for using tracking technologies for web-audience measuring should be subject to additional conditions, so that it “not be merged with other information to build a profile of a user … or be used to target the end-user in any way other than personalisation of a service that the end-user has explicitly selected.”

See the comparison of drafts regarding COOKIES AND TRACKING WALLS here.

Wi-Fi Tracking

MEP Albrecht has suggested the Commission’s proposal improperly failed to protect people using public Wi-Fi spots from being tracked. Similarly, the Article 29 Working Party suggested that Article 8(2)(b) of the Commission’s proposal “gives the impression that organisations may collect information emitted by terminal equipment to track the physical movements of individuals (such as 'Wi-Fi-tracking' or 'Bluetooth-tracking') without the consent of the individual concerned.”

In response to these concerns, Parliament proposed several amendments to Article 8(2) of the ePR on the tracking of the location of the terminal equipment, such as by using Wi-Fi or Bluetooth signals, to bring it into line with the GDPR.

At the same time, as the Article 29 Working Party has stressed, WiFi-tracking under the GDPR “is likely either to be subject to consent, or may only be performed if the personal data collected is anonymised.” While some have also held “legitimate interest” to be legal grounds for tracking under the GDPR, Special Rapporteur Sippel has argued “that cannot include sensitive data” such as communications data and metadata.

Yet, concerns have been raised about the practicality of the requirement of Article 8(2)(b) that, to engage in lawful WiFi and Bluetooth tracking, a service provider must display a “clear and prominent notice.” As explained by Professor Niko Härting in a study on the impact of the proposed ePR, when traffic data is being tracked through sensors embedded in lights or roads, for instance, “there is no (limited) area, at the edges of which ‘prominent notices’ could be placed.” Other applications that rely on Bluetooth technology, such as Tile, which embeds sensors on objects such as keys and wallets to allow the owner to keep track of them, operate by putting a “(potentially global) tracking network” in place.

See the comparison of drafts regarding WIFI TRACKING here.

Privacy by Design/Default

The Commission’s proposal has also been criticized by advocacy groups such as EDRi for failing to “enforce a high level of privacy protection by default.” For example, BEUC argued specifically that “Article 10 of the proposal should be amended to guarantee such ‘privacy by default.’” These recommendations are in line with the WP29’s suggestion that “terminal equipment and software must by default offer privacy protective settings” that give “clear options to users to confirm or change these default settings during installation” and that are “easily accessible during use.” WP29 also strongly recommended that that users be “enabled to signal specific consent through their browser,” and that adherence to the Do Not Track standard be made mandatory.

Echoing these concerns, then-LIBE Rapporteur Lauristin agreed that Article 10 “must be amended” to reflect “privacy by design and by default,” which were “not efficiently integrated in the ePrivacy proposal of the Commission.” To fix these issues, MEP Lauristin made two suggestions: first, that Do Not Track standards be made “technologically neutral to cover different kinds of technical equipment and software;” and, second, that they by default prevent parties from storing or processing information stored on the terminal equipment of end users without their consent. Lauristin also advised that users “should be granted the possibility to change or confirm the default privacy settings options at any moment upon installation.” In other words, DNT mechanisms “should allow for granulation of consent by the user,” and “send signals to the other parties informing them of the user’s privacy settings.”

See the comparison of drafts regarding PRIVACY BY DESIGN AND BY DEFAULT here.

Conclusion

The European Commission’s proposal for an ePrivacy Regulation has sparked substantial debate and mobilized advocacy and lobbying efforts around a variety of issues, including its scope, the role and function of consent, the permissibility of tracking walls and Wi-Fi tracking, and privacy by default/design. Each of these issues has been contested, subject to negotiation, and amended in various ways throughout the process of legislative review.

While this overview has not provided an exhaustive account of all critical issues at stake in the ePR, it may serve as a starting point for further reflection on the potential trajectory and eventual impact of the ePrivacy Regulation on businesses and consumers when it comes into force. What is almost certain is that debate amongst privacy regulators, advocates, and industry will continue as final negotiations between the Parliament, the Council, and the Commission, which are expected to occur in early 2018, draw near.

Photo credit: mhaw shredded via photopin (license)

A brief ePrivacy history

The EU’s Directive on Privacy and Electronic Communications (ePrivacy Directive) was adopted in 2002 to harmonize Member States’ laws and policies to ensure the right to privacy and other fundamental rights and freedoms in relation to data processing in the electronic communication sector. But, according to the European Commission, the ePrivacy Directive needs updating in light of recent technological developments and the adoption of the GDPR.

The EC first addressed the need to update the ePrivacy Directive in 2015, and on January 10, 2017, adopted a proposal for an ePrivacy Regulation that will apply automatically in all EU member states.

In September 2017, the Council of the European Union released its first redraft of the ePR, focusing on the articles, and promising to examine the recitals in the future. That following month, the Plenary of the European Parliament adopted—by a vote of 318 to 280, with 20 abstaining—a legislative resolution containing a series of suggested amendments (168 in total) based on a report put together by the Committee on Civil Liberties, Justice and Home Affairs (LIBE). The LIBE inquiry had concluded that some aspects of the ePrivacy Regulation “must be strengthened in order to guarantee a high level of protection as afforded by Regulation (EU) 2016/679, the Charter of Fundamental Rights and the ECHR.” In crafting these amendments, the LIBE committee solicited the opinions of four other committees (ENVI, ITRE, IMCO, and JURI), and received input from over 70 entities, including information, technology, and software companies; trade associations; telecommunications firms; data protection authorities; industry trade groups; and consumer and advocacy organizations.