We are only eight months away from the new EU data protection regime entering into force. In addition to the General Data Protection Regulation (“GDPR”), which contains the general data protection provisions, the ePrivacy Regulation is to provide specific rules for electronic communications. However, the legislative process for the ePrivacy Regulation is still at an early stage. The European Commission published its draft ePrivacy Regulation on 10 January 2017 (“ePrivacy Regulation”), and the Council of the European Union weighed in with its first revisions on 8 September 2017 (read more on our blog here). Now the European Data Protection Supervisor, Giovanni Buttarelli (“EDPS”), has provided further guidance by issuing a list of recommendations (“Recommendations”) on 5 October 2017. The key messages of the Recommendations concern consent, the legal grounds for processing, and the exceptions to the consent requirement for processing data relating to terminal equipment.
The EDPS notes that the definition of consent in the ePrivacy Regulation must be identical to the consent provisions of the GDPR. Thus, Article 9 of the ePrivacy Regulation should refer to all relevant provisions (Articles 4 (11), 7 and 8 GDPR). The EDPS also highlights the requirement that consent must be “freely given”. He calls for clarification that the processing of personal data must not be made a condition of access to services and functionalities, or of the use of terminal equipment. With regard to the requirement that consent must be “specific”, the EDPS calls for an amendment to Article 9 (2) of the ePrivacy Regulation so that technical settings which may be used to express consent must “allow for sufficient granularity”. It must be easy for users to update their privacy settings (e.g., adding or deleting an organization). Further, software placed on the market that permits electronic communications should be required to offer privacy-protective settings by default.
The EDPS demands that the justifications for processing communications data not be drawn too broadly. He therefore rejects a legal ground for processing electronic communications data based on legitimate interests, noting that it would risk creating a back door in the high level of protection afforded to the confidentiality of communications.
Exceptions to the processing of data relating to terminal equipment
Further, the EDPS calls for the exceptions to the consent requirement for processing data relating to terminal equipment to be kept narrow, to avoid loopholes:
- With regard to people-counting, the purpose of processing should be limited to mere statistical counting, the data should be anonymised as soon as possible, the processing should be confined to a limited geographical area, and users must be able to opt out.
- With regard to web audience measurement, the exception must be narrowly tailored.
- With regard to security updates, the updates must be strictly necessary, users must be informed before they are installed, and users must be able to turn off automatic updates.
- With regard to an exception in the employment context, it must be limited to what is strictly necessary and must not be used to monitor employees.
While the EDPS reiterates that the Recommendations “focus on the need to ensure legal certainty and a high level of protection of the fundamental rights to privacy and data protection”, and these clearly are two goals the ePrivacy Regulation should achieve, the Recommendations are too restrictive in our opinion. The regulation envisaged by the EDPS would not reflect today’s realities and would not support technological innovation or EU tech organizations.
The Recommendations of the EDPS (in addition to the roughly 800 amendments to the ePrivacy Regulation suggested in July by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs) show that there is still a lot of work to be done before the ePrivacy Regulation crosses the finish line. Other important issues must still be tackled, e.g., clarification of whether the consent requirement for direct marketing in Article 16 (1) of the ePrivacy Regulation applies only in B2C scenarios or also in B2B scenarios.
The timeline for the ePrivacy Regulation is unclear at the moment, in particular (i) whether the ePrivacy Regulation will enter into force in tandem with the GDPR on 25 May 2018, and (ii) how long the grace period for organizations to comply with the ePrivacy Regulation will be. Organizations should therefore already keep the ePrivacy Regulation in mind in their GDPR readiness projects.