The New ePrivacy Regulation – Complex and Obscure Rules

In December 2016, a proposal for the new ePrivacy Directive was leaked. The final proposal was published on January 10, 2017 (text and impact assessment, Commission’s summary) The important document, which has an impact on a wide range of issues (cookies, spam, advertising and metadata, for example) is already causing the Internet to resonate with comments (see here, here, here and here).

The original 2002 Directive (see consolidated version) has always been a peculiar instrument. It is technically part of the 2009 telecommunications package (see the proposed 2016 reform), and therefore also part of the carrier layer of regulation1. On the other hand, it always also had an impact on the content of the Internet, since it regulated spam and cookies, and general security of electronic data. In addition to that, the ePrivacy Directive is a bolt-on instrument to the 1995 Data Protection Directive, which is the main instrument regulating privacy of individuals on the net (itself reformed with the proposal for a General Data Protection Regulation – GDPR). The 2002 Directive was meant to complement the 1995 Directive and “refresh” it for the digital age and the 2017 Regulation continues this connection with the GDPR.

The Proposal does not fundamentally change the setup provided in the ePrivacy Directive but brings in a number of significant changes, somewhat increasing privacy protection.

The basic rule is confidentiality of communications (Article 5). This rule is then subject to various modifications and exceptions scattered trhoughout the Regulation. Article 10 requires privacy-by-design for software, meaning that new software ought to default to increased privacy settings upon installation.

In terms of the type of instrument used, the Directive becomes a Regulation, thus reducing the manoeuvring space that Member States might have (for transposition problems with the existing Directive and inconsistencies in Member States’ implementation, see here).

The scope of the Regulation is wider than that of the Directive and matches GDPR. Article 3 of the Proposal specifies that it applies “in connection with the provision of electronic communications services” in the EU, irrespective of whether they are processed in the Union or not. In addition to this, it applies to all services located out of the EU but targeting end-user in the EU. This is consistent with the extended scope of application of GDPR.

The Regulation prohibits collection of metadata but contains a full page of exceptions. It does not directly address the high-profile problem of state-mandated ‘snooping’ (for that, see C-203/15 Tele2).

In terms of cookies, the Directive (Article 5(3)) had drawn a lot of criticism in respect of its demand that clear prior consent be given for all ‘cookies’ stored on the machine. In practice, this resulted in annoying popups alerting the users of ‘cookies’. The info was mostly ignored and the Proposal now has what the Commission calls a more sensible approach (Article 8) but what is, in effect, a markedly more complicated one. The article has two basic rules, with six basic exceptions and other modifying rules elsewhere in the text. In addition to that, Article 9(2) says that “consent may be expressed by using the appropriate technical settings of a software application”. This means that a software setting (e.g. in a browser) ought to be interpreted as consent or lack thereof.

Article 16 reinforces the rule that unsolicited communication could only be received by those who have given their consent (opt-in). The article applies to any “services, i.e. email, SMS, instant messaging, etc, a change compared to Article 13 of the ePrivacy Directive which only applied to electronic mail.

While it is true that the Regulation is a result of the REFIT simplification process, the end product is anything but simple. This is for four reasons. First, the Regulation must be read in conjunction with GDPR, itself a lengthy and complex instrument. Frequent cross-references do not make things easier and neither does the obsure technical language. Second, the Regulation is still standing with one foot in the carrier and the other in the content world, each of which is subject to different rules. Third, the interplay of various issues it regulates (data, metadata, different types of consent, lots of exceptions) makes interpreting it a difficult task even for experts. Fourth, the lack of clarity on fundamental issues (metadata collection is prohibited – except when it is allowed, cookies may or may not require consent, metadata should not be collected – unless one of the broad exceptions exist, unsolicited communication is banned but the reality of advertising is not taken into consideration…)

In view of this author, the new Regulation will intensify the problems, not eliminate them.

  1. Content vs carrier: the laws applying to the carrier layer regulate the networks and telecommunications services (cables, wires, spectrum, etc). The laws applying to the content layer regulate the content that flows on these wires (media rules, e-commerce, copyright, etc.)

CJEU Confirms – No General Data Retention Allowed

On 21 December 2016, an important decision came from the Court of Justice of the European Union (CJEU). In joined cases, C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others, (full case and press release) the court ruled against general data retention while allowing it in specific and controlled conditions. It said:

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.

The present judgment is a continuation of a saga that goes back to September 11, 2001. In the wake of the attacks on the United States, the governments on both sides of the Atlantic introduced measures to combat the perceived threat of terror. Among these measures were the EU 2006 Data Retention Directive. The directive required storing of telecommunications data for a period between 6 and 24 months. The data stored was ‘metadata’, i.e. information on what was accessed on the Internet or what telephone numbers have been dialled and when, not the actual copies of information.

In joined cases C-293/12 and C-594/12 Press and Information Digital Rights Ireland and Seitlinger and Others (press release available here), the Court declared the Directive to be invalid, saying that it

entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary

The main argument for invalidation was that the Directive was not compatible with the European Convention on Human Rights (ECHR). The result was only that the 2006 Directive had been made invalid, but nothing specific was said about whether Member States’ data retention laws are incompatible with other EU laws.

Following the invalidation of the 2006 Directive, a number of Member States retained laws that operated, essentially, on the basis of the Directive. In Sweden, the law required operators of electronic communications services to retain traffic and location data while laws in the UK required data retention for periods up to 12 months. The two joined cases referred to here relate to Swedish and UK laws, respectively.

Since the directive which provided a basis for data retention had been made invalid, the fallback provision is Article 15 of the ePrivacy Directive, which allows for rules of the 1995 Data Protection Directive to be derogated from when required by “national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences”. The question referred to CJEU by the Swedish court asks, essentially, whether general data retention obligation (i.e. an obligation to retain all data, without a specific purpose of threat) is compatible with Article 15 and with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights. If the answer is no, the second question asks whether retention may be, nevertheless, permitted in certain specific cases (“targeted retention”). The UK court’s reference is conceptually slightly different. It is asking if the 2014 Digital Rights Ireland judgment (invalidating the 2006 Directive) also introduces “mandatory requirements of EU law applicable to a Member State’s domestic regime governing access to data retained in accordance with national legislation, in order to comply with Articles 7 and 8 of the Charter.”

The Court ruled that Article 15 of the ePrivacy Directive, read in light of Article 7, 8 and 11 of the Charter, precludes

general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.

Ruling on where and how such retention may still be legal, it said that this is so

where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

In other words, general data retention is illegal, specific data retention is allowed in cases where serious crime fighting requires so, where there is judicial oversight and where such data is not transferred out of the EU.

The main position of the Court is that, absent specific legislation on data retention, the provisions of the ePrivacy Directive must be interpreted narrowly. In analysing the case, the Court pointed out that the conditions of Article 15 of the ePrivacy Directive are exhaustive. Any derogations from the rules protecting privacy must apply only in so far as is strictly necessary. Only the objective of fighting serious crime justifies derogations from general data protection requirements and then only with proper court oversight. Since general data retention does not contain a proper link between data retained and a threat to public security, such retention does not satisfy the conditions. The Court does not preclude data retention in general but allows targeted retention under the conditions discussed.

There is no doubt that the most important point that the CJEU is making is that proper judicial oversight is needed in all cases where government proposes to undermine basic constitutional rights and EU-based privacy rules. As such, the decision is not surprising and is a continuation of the arguments put forward in the Digital Rights case. The decision will have significant impact on the just-adopted UK 2016 Investigatory Powers Bill, which has been heavily criticised.

Welcome to EU Internet Law and Policy Blog.

Over a number of years which I have spent both researching and teaching Information Technology (IT) law in Europe, one thing struck me as significant: it is often difficult for non-professionals to understand both how IT laws are made in the EU and what implications these laws might have. The purpose of this blog is to help bridge this gap for anybody who is not a lawyer but needs some understanding of the issues involved.

First, in a series of shorter posts, I will attempt to explain the basics of EU law and policymaking in the area that might tentatively be called EU Cyberlaw. These posts will explore the sources, the interplay between institutions, comparative perspectives and literature. Second, I will comment on current policy issues in the world of EU Cyberlaw. The EU has recently completed a number of law reforms in this area, including a revision of the EU Telecommunications package and of data protection rules. Many more are on their way, among them the reforms of the Audio Video Media Services framework, the copyright reform and the introduction of new contract rules for digital contracts.

Since cyberworld concerns both the carrier (broadband, mobile technology, fixed telephony, cable and satellite) and the content (media, web sites, TV programs, etc.), I will attempt to cover both. Traditionally, the former has been the subject of a discipline called Telecommunications Law. The second falls under a number of disciplines, most significant of which are electronic commerce law and media law. Links to relevant documents will be provided wherever they are available. Comments are welcome.