Proposed ePrivacy Regulation: In-Depth Study for Parliament and EDPS Opinion

In May 2017, the European Parliament's Policy Department for Citizens' Rights and Constitutional Affairs released its in-depth study of the proposed ePrivacy Regulation, "An Assessment of the Commission's Proposal on Privacy and Electronic Communications" (for comparisons see Bender/Jones/Young/Wulfert-Markert, "Recent Developments and Future Changes to Internet Privacy Rules in the EU, the UK and the U.S.", CRi 2017, pp. 68-74).

On 26 April 2017, the European Data Protection Supervisor (EDPS) published his Opinion on the ePrivacy Regulation proposed by the European Commission.

In-Depth Study: Key Findings and Recommendations

The in-depth study was requested by the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) and prepared by Dr. Frederik Zuiderveen Borgesius (project leader) as well as Dr. Joris Van Hoboken, Ronan Fahy, Dr. Kristina Irion and Max Rozendaal (all authors from the IViR Institute for Information Law, University of Amsterdam). According to its abstract, the study "assesses whether the proposal would ensure that the right to the protection of personal data, the right to respect for private life and communications, and related rights enjoy a high standard of protection," while highlighting "the proposal's potential benefits and drawbacks more generally."

On page 14, the study for the LIBE Committee presents its key findings and recommendations:

  • "The ePrivacy proposal has good elements, but should be significantly amended to protect the right to privacy and confidentiality of communications.
  • Location tracking, such as Wi-Fi tracking, should only be allowed after people give their consent (with possibly a limited exception for anonymous people counting, if there are sufficient safeguards for privacy).
  • Browsers and similar software should be set to privacy by default. It should be made easier for people to give or refuse consent to online tracking, for instance by requiring companies to comply with the Do Not Track standard.
  • Tracking walls and similar take-it-or-leave-it choices regarding privacy should be banned, or banned in certain circumstances.
  • Companies should only be allowed to analyse people’s communications, such as emails, phone conversation, or chats, or the related metadata, when all end-users give meaningful informed consent, subject to limited, narrow, and specific exceptions.
  • The definition of metadata should be amended.
  • Other provisions should also be clarified and amended."

The vote in the LIBE Committee is tentatively scheduled for October 2017.

EDPS Opinion on ePrivacy Regulation

In his Opinion on the ePrivacy Regulation, the EDPS supports the Commission’s aim to provide for comprehensive protection of electronic communications and views the extension of confidentiality obligations to a broader range of providers and services as a particularly important step forward. However, the EDPS finds that certain improvements are necessary if the ePrivacy Regulation is to deliver on the promise of a high level of protection for electronic communications.

In particular, the EDPS lists in his Conclusion (pages 22-23) the following key concerns:

  • "the definitions under the Proposal must not depend on the separate legislative procedure concerning the Directive establishing the European Electronic Communications Code (the EECC Proposal);
  • the provisions on end-user consent need to be strengthened. Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication. In addition, data subjects who are not parties to the communications must also be protected;
  • it must be ensured that the relationship between the GDPR and the ePrivacy Regulation does not leave loopholes for the protection of personal data. Personal data collected based on end-user consent or another legal ground under the ePrivacy Regulation must not be subsequently further processed outside the scope of such consent or exception on a legal ground which might otherwise be available under the GDPR, but not under the ePrivacy Regulation;
  • the Proposal lacks ambition with regard to the so-called ‘tracking walls’ (also known as ‘cookie walls’). Access to websites must not be made conditional upon the individual being forced to ‘consent’ to being tracked across websites. In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given;
  • Standard browser setting: the Proposal fails to ensure that browsers (and other software placed on the market permitting electronic communications) will by default be set to prevent tracking individuals’ digital footsteps;
  • the exceptions regarding tracking of location of terminal equipment are too broad and lack adequate safeguards;
  • the Proposal includes the possibility for Member States to introduce restrictions; these call for specific safeguards.

These main concerns -along with recommendations how to address them- are outlined in this Opinion."

The EDPS also "provides further -and sometimes more technical- comments and recommendations on the Proposal in an Annex, in particular, to facilitate the work of legislators and other stakeholders who wish to further improve the text during the legislative process."


European Parliament, Policy Department for Citizens' Rights and Constitutional Affairs, "Assessment of the Commission's Proposal on Privacy and Electronic Communications", Study, May 2017

EDPS, EDPS Opinion on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation), Opinion 6/2017, 24 April 2017

Verlag Dr. Otto Schmidt, dated 07.06.2017 14:25
