The New ePrivacy Regulation – Complex and Obscure Rules

In December 2016, a proposal for the new ePrivacy Directive was leaked. The final proposal was published on January 10, 2017 (text and impact assessment, Commission’s summary). The important document, which has an impact on a wide range of issues (cookies, spam, advertising and metadata, for example), is already causing the Internet to resonate with comments (see here, here, here and here).

The original 2002 Directive (see consolidated version) has always been a peculiar instrument. It is technically part of the 2009 telecommunications package (see the proposed 2016 reform), and therefore also part of the carrier layer of regulation1. On the other hand, it always also had an impact on the content of the Internet, since it regulated spam and cookies, and general security of electronic data. In addition to that, the ePrivacy Directive is a bolt-on instrument to the 1995 Data Protection Directive, which is the main instrument regulating privacy of individuals on the net (itself reformed with the proposal for a General Data Protection Regulation – GDPR). The 2002 Directive was meant to complement the 1995 Directive and “refresh” it for the digital age and the 2017 Regulation continues this connection with the GDPR.

The Proposal does not fundamentally change the setup provided in the ePrivacy Directive but brings in a number of significant changes, somewhat increasing privacy protection.

The basic rule is confidentiality of communications (Article 5). This rule is then subject to various modifications and exceptions scattered throughout the Regulation. Article 10 requires privacy-by-design for software, meaning that new software ought to default to increased privacy settings upon installation.

In terms of the type of instrument used, the Directive becomes a Regulation, thus reducing the manoeuvring space that Member States might have (for transposition problems with the existing Directive and inconsistencies in Member States’ implementation, see here).

The scope of the Regulation is wider than that of the Directive and matches GDPR. Article 3 of the Proposal specifies that it applies “in connection with the provision of electronic communications services” in the EU, irrespective of whether they are processed in the Union or not. In addition to this, it applies to all services located outside the EU but targeting end-users in the EU. This is consistent with the extended scope of application of GDPR.

The Regulation prohibits collection of metadata but contains a full page of exceptions. It does not directly address the high-profile problem of state-mandated ‘snooping’ (for that, see C-203/15 Tele2).

In terms of cookies, the Directive (Article 5(3)) had drawn a lot of criticism in respect of its demand that clear prior consent be given for all ‘cookies’ stored on the machine. In practice, this resulted in annoying popups alerting the users of ‘cookies’. The info was mostly ignored and the Proposal now has what the Commission calls a more sensible approach (Article 8) but what is, in effect, a markedly more complicated one. The article has two basic rules, with six basic exceptions and other modifying rules elsewhere in the text. In addition to that, Article 9(2) says that “consent may be expressed by using the appropriate technical settings of a software application”. This means that a software setting (e.g. in a browser) ought to be interpreted as consent or lack thereof.

Article 16 reinforces the rule that unsolicited communication could only be received by those who have given their consent (opt-in). The article applies to any “services”, i.e. email, SMS, instant messaging, etc., a change compared to Article 13 of the ePrivacy Directive which only applied to electronic mail.

While it is true that the Regulation is a result of the REFIT simplification process, the end product is anything but simple. This is for four reasons. First, the Regulation must be read in conjunction with GDPR, itself a lengthy and complex instrument. Frequent cross-references do not make things easier and neither does the obscure technical language. Second, the Regulation is still standing with one foot in the carrier and the other in the content world, each of which is subject to different rules. Third, the interplay of various issues it regulates (data, metadata, different types of consent, lots of exceptions) makes interpreting it a difficult task even for experts. Fourth, the lack of clarity on fundamental issues (metadata collection is prohibited – except when it is allowed, cookies may or may not require consent, metadata should not be collected – unless one of the broad exceptions exists, unsolicited communication is banned but the reality of advertising is not taken into consideration…)

In this author’s view, the new Regulation will intensify the problems, not eliminate them.

  1. Content vs carrier: the laws applying to the carrier layer regulate the networks and telecommunications services (cables, wires, spectrum, etc). The laws applying to the content layer regulate the content that flows on these wires (media rules, e-commerce, copyright, etc.)