A look at the proposal for the ePrivacy Regulation


Former Guest Kat Valentina Torelli, now associated with FJF Legal in Madrid, has graciously continued her coverage and commentary on EU developments in the area of privacy, this time in connection with the ePrivacy Regulation.

"As the use of digital services and Internet-based communications has become well-nigh ubiquitous, the underlying technology continues to evolve. Nevertheless, users still have generic concerns about the inherent risks, especially those associated with security and privacy issues. Against that backdrop, the European Commission has established that increasing trust and security in digital services must be among the main objectives of the Digital Single Market Strategy. Accordingly, the long term goal for the reform of the EU data protection legal framework, which commenced in 2012, culminated last year in the adoption of the General Data Protection Regulation (GDPR), reported here and here, which will apply throughout the EU from 25 May 2018. However, in order to complement this new system with the right of individuals to data protection, the European Commission has also been engaged in updating the legal framework set forth in the Directive 2002/58/EC with respect to the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), whose last revision dates back to 2009.

As a result, on January 10, 2017, the European Commission published a proposal for a Regulation (ePrivacy Regulation), in view of the economic and social importance of digital services, the development of Internet of Things (i.e. connected devices and machines communicating through electronic communications networks, also known in literature as “Enchanted Objects”) and the rise of the so-called Over-the-Top communications services (i.e. services provided in the form of applications running over an internet access service, such as Skype, WhatsApp, Facebook Messenger, iMessage, and Telegram; Gmail, FaceTime and Viber), all of which currently fall outside of Directive 2002/58/EC [for more details on OTT services and the scope of protection of the ePrivacy Regulation, see WP240, Article 29 Data Protection Working Party's opinion 3/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)].

The purpose of these efforts has been to fashion a technologically neutral legal instrument, which can keep pace with future technological developments as well as to fully harmonize the privacy issues in all the EU Member States. (Regulations are secondary law having general application and are binding in their entirety and directly applicable in all European Union countries.) The published proposal has been modified from the version that was leaked in mid-December 2016. The main issues that the reform is meant to address can be summarized as follows.

1. EU wide application

As for the GDPR, the scope of protection of the ePrivacy Regulation covers any publicly available electronic communications services, either provided to or used by end-users in the EU, regardless of whether the end-user pays for them or not, as well as the information associated with the EU end-user's terminal equipment (see Article 1(1) of Directive 2008/63/EC for definition of terminal equipment). For the purposes of the ePrivacy Regulation, end-users can be either natural or legal persons, especially insofar as the consent to the processing of end-user's electronic communications metadata (traffic/location data) is concerned.

2. Scope of protection

The ePrivacy Regulation affords protection to fundamental rights and freedoms, such as the right to data protection and the freedom of expression, information, thought, conscience and religion, of natural and legal persons, regarding the provision and use of electronic communications services. In particular, it covers these rights with respect to one’s private life and communications and an individual's personal data protection. All the foregoing is directed towards ensuring the free movement of electronic communications data and services within the EU.

3. Confidentiality

The ePrivacy Regulation rests on the principle of secrecy of communications. Electronic communications must be confidential and interference therewith is prohibited, without the consent of the end-user concerned. The principle of confidentiality also applies to devices and machines that communicate with each other by using electronic communications networks. However, since the ePrivacy Regulation does not apply to activity falling outside the scope of the Union law, Member States may derogate its provision for the purposes of State security, defence, public security and crime enforcement.

4. Information stored on /retrieved from terminal equipment – Cookies

An end-user's consent for transparent purposes, about which the end-user has been informed, is the basic requirement for the use of a terminal equipment’s processing capabilities, as well as the storage thereon, for the retrieval of information from the equipment and the remote collection of information for identification purposes. Otherwise, the use of cookies and information collected from an end-user's terminal equipment should be necessary in order to carry out the transmission of the communication over an electronic communication network or to provide an information society service requested by the end-users. This may be the case of cookies for remembering language preferences or tracking an end-user's input when filling online forms. Also, it seems that, as set out in Article 29 Data Protection Working Party's WP240 mentioned above, (first party analytic) cookies applied to measure web traffic to a site are also legitimate.

5. Direct marketing opt-in/opt-out

End-users must give their opt-in consent in order for a natural or legal person to transmit direct marketing communications (i.e. for any advertising, whether written or oral), sent to one or more identified or identifiable end-users of electronic communications services, such as automated calling, an email, or an SMS message. Natural and legal persons are permitted to direct marketing of similar goods and services to those already sold to end-users, using their emails already collected in the course of those previous sales, provided that end-users have been clearly, distinctly and freely given the opportunity to object to such further use of their data.

Regarding direct marketing calls, the electronic communications services providers must supply a contact line to the end-user targeted and must use a code/prefix identifying that this is a marketing call. Finally, Member States may implement opt-out rules for regulating the expression of an end-user's consent in the context of voice-to-voice marketing calls, e.g. registering their number on a do-not-call list.

6. Privacy by design

By default, software permitting electronic communications, including web browsers, must be configured to impede third party cookies from being stored on an end-user's terminal equipment and to process information already stored on the equipment. Once the software has been installed, the end-user will be informed of the privacy settings options so as to provide the consent to the installation.

7. Liabilities

Users of electronic communications services will be granted compensation for both material and non-material damage incurred by virtue of infringement of the ePrivacy Regulation, unless the alleged infringer can otherwise exclude his liability. Also, the scheme of administrative fines set forth under the GDPR applies, namely up to a maximum of 20 million euros or 4% of the total worldwide turnover, whichever is higher, with respect to a breach of the rules of confidentiality, the processing of electronic communications content and metadata, as well as the erasure and anonymity of electronic communications data; or up to 10 million euros or 2% of the total worldwide turnover, whichever is higher, where rules on cookies are infringed, software providers do not fulfil their obligations of privacy by default or the providers of publicly available directories do not comply with their obligations towards end users.

8. Remedies

In view of the above, end-users of electronic communications services have the right both to commence judicial actions before the courts of an EU Member State of her/his habitual residence and to lodge complaints before the Supervisory Authority of the place of residence, work, or alleged infringement of her/his rights under the ePrivacy Regulation.

It is immediately apparent that the proposed ePrivacy Regulation is meant to be consistent with the GDPR. Both legal texts are to be read in conjunction with respect to an end-user’s privacy and confidentiality, where personal data are processed in the electronic communication sector. It is noted that the GDPR will apply to matters not specifically covered by the prospective ePrivacy Regulation, such as is the case for an individual's access, rectification, cancellation and opposition of an individual's personal data rights (A.R.C.O.) and the obligations on controllers and processors.

Finally, while the ISP's liability framework set out in the e-Commerce Directive will remain intact, the contemplated ePrivacy Regulation will be associated with the prospective European Electronic Communications Code (The European Commission's proposal was published on 14 September 2016 and the new legal text will recast the four Directives comprised in the EU regulatory framework of electronic communications: the Framework, Access, Authorization and Universal Service Directives) and will maintain synergies with the Radio Equipment Directive 2014/53/EU, providing that radio equipment should incorporate safeguards to ensure that the personal data and privacy of users and subscribers are protected.

As the ultimate objective is to make the ePrivacy Regulation applicable along with the GDPR, as of 25 May 2018, it seems that we can expect that the final text of the ePrivacy Regulation will be published during the next twelve months; IPKat will certainly monitor this."

Reviewed by Neil Wilkof on Thursday, January 19, 2017
