In April, we reported that the European Commission had opened a public consultation seeking the views of various stakeholders on the current wording of, and possible changes to, the Privacy and Electronic Communications Directive (2002/58/EC as amended) (“ePrivacy Directive”). The retrospective evaluation was necessary to ensure the ePrivacy Directive is fit for the digital age, and remains valuable and effective once the General Data Protection Regulation (2016/679) (“GDPR”) is introduced. The Information Commissioner’s Office (“ICO”) published its response to the consultation, outlining its view that the ePrivacy Directive has achieved its objectives to a “moderate” degree, and providing feedback on a range of specific points. The response revealed the following ICO opinions: 

  • Having specific rules for the electronic communications sector for the confidentiality of communications, unsolicited electronic marketing communications, itemised billing invoices, and presentation and restriction of calling and connected lines, adds value.
  • Having specific rules for the electronic communications sector for personal data breaches and traffic and location data will not add value, as these areas will be dealt with by the GDPR.
  • The definitions contained in the ePrivacy Directive often lacked clarity.
  • The scope of the ePrivacy Directive should be broadened, in part, to include Over-The-Top services, such as Voice over IP, instant messaging, and emailing over social networks, but only if accompanied by a clear definition of such services.
  • Strong protections for individuals’ privacy rights (such as requiring manufacturers to ship products with strong privacy settings as the default) should be introduced with great care, and should be balanced with the legitimate interests of business so as not to stifle innovation.
  • A requirement to obtain opt-in consent should be applied to all instances of direct marketing on the basis that one consistent rule is “simpler to understand and to enforce”. The ICO does, however, recognise the inevitable challenges that occur with this approach.
  • The provisions on confidentiality of communications and of the terminal equipment, unsolicited communications, and governance (competent national authorities, cooperation, fines, etc.) were highlighted as priorities for amendment when revising the ePrivacy Directive.

The ICO confirmed that EU data protection laws will still be relevant after the UK’s withdrawal from the European Union, validating its contribution to the ePrivacy Directive consultation.