We have briefly outlined some of the problems concerning the Commission’s 2017 proposal for a new ePrivacy Regulation in an earlier post. The main point made then was that the rules are unnecessarily complicated and not always in sync with the forthcoming GDPR. On October 26, the EU Parliament voted to move forward to Trilogue on the basis of the present text, thus advancing it one step towards adoption. The debate about the text seems to have been simplified to such extremes that even EU officials are not immune from making emotional albeit misguided arguments.
The proposed text, however, is highly technical, and requires careful analysis. In this post, in order to underline the claim that the present text is inadequate, we will try to highlight three of the most pressing controversies that arise out of it.
- As is well known, the ePrivacy proposal, as was the case with the still-in-force 2002 ePrivacy Directive, is a text arising out of and forming part of the Telecommunications Regulatory Framework. The present framework dates to 2009 and very comprehensive proposals for its reform in the form of the European Electronic Communications Code (EECC) have been tabled. As such, the Proposal is part of a set of laws which apply to the carrier layer of the Internet – the electromagnetic signals which move either through the wires or through the air. That Framework does not apply to content, for which an entirely different set of laws has been designed (the chief of which is the 2001 E-Commerce Directive but part of which is also the 1995 Data Protection Directive (“DPD”)). This is apparent from Articles 1, 2 and 4.1.b, which confirm that its field of application is networks and services,[1] the same field of application as that in the Telecoms Regulatory Framework – not information society services, as is the case with E-Commerce. The Telecoms Regulatory Framework, by definition, does not regulate the content of electronic communications but only the modalities of their transfer (authorisation, access and interconnection, universal services). In that sense, the ePrivacy Directive positioned itself as an instrument which complemented the 1995 Data Protection Directive (still in force today until GDPR replaces it in May 2018), albeit from the arsenal and with a toolbox of a completely different regulatory circle – that covering the content. In other words, the ePrivacy Directive relied on the DPD instruments (and referred to them directly) to address a set of specific issues which only arose in the telecommunications field. This was a neat trick which was relatively simple to perform in 2002. The Proposal still positions itself as part of the telecoms circle, expressly referring to EECC.
The Proposal still relies on the (now) GDPR set of tools and declares its complementary role. But the reality of the converged Internet which the Proposal now effectively applies to has moved it from the telecoms/carrier squarely into the contents field. In other words, the Proposal is a content-regulatory tool that passes itself off as a telecoms law and uses telecoms tools for content regulation. The result is highly confusing – applying content-designed privacy concepts to the carrier layer and carrier-designed rules to content services.
- The Proposal extends its territorial scope of application to non-EU providers. Whereas the Directive applies within the scope of the application of DPD and the 2009 telecoms framework, the Proposal aligns itself with the GDPR’s extended scope: it applies to provision and use of all services to end-users in the Union (irrespective of the corporate seat of the provider) as well as terminal equipment of the end-users in the Union. This is the extension of its scope to entities located outside of the EU, which is similar in nature to Article 3 GDPR. The problem arises from the lack of precision which GDPR does not suffer from but the ePrivacy proposal does. GDPR is specific in that it applies only to the provision of goods or services to EU subjects (deliberate targeting) and monitoring of behaviour. Recital 23 of GDPR requires an intention to target EU users. Recital 9 of the Proposal does not. This can only be interpreted to mean that all telecoms services reaching end-users in the EU, irrespective of whether such services were intended for these users, are covered – an unnecessary extension of scope and an unnecessary deviation from the GDPR’s more balanced approach.
- Whereas the Directive’s main idea was that telecoms communications should be confidential while they pass through the wires and while they are in the telecoms operator’s hands, it never put obstacles on the processing itself. It rather sought to eliminate the situations in which telecoms operators might compromise the data privacy (by e.g. unwarranted surveillance) or where data or metadata might be misused. The Proposal’s starting point is that “listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data” (emphasis added) should be prohibited unless specifically allowed. The essence of any telecoms business model is the processing of telecoms data and metadata. The main position of the Proposal is that this activity is, in principle, prohibited. This position is both unsustainable and puzzling since it demonstrates the drafter’s lack of understanding of the nature of telecoms activities. The processing is allowed under some circumstances covered in Article 6. The Proposal suggests first that both content and metadata may be processed by providers of networks and services for achieving the transmission or for maintaining or restoring security. Metadata only may be processed in more situations by providers of services only, including when the users gave consent. Finally, content only (without data) can only be processed by providers of services only for the provision of a specific service to end users with their consent and where all end-users concerned have given their consent. The proposed division seems to be arbitrary in its distinction between providers of networks and providers of services. Equally confusing are the reasons under which content as opposed to metadata may be provided. More damagingly, the consent here is in contradiction with Articles 6 and 7 GDPR.
The two sources – GDPR and Proposal – say different things about consent, with the Proposal imposing significantly stricter requirements.
Some of the criticism outlined above is not new. A study published on October 19, 2017, highlighted a number of controversies, as have other sources. We believe that the confusion which arises from the present text is a sign that the convergence of content and carrier cannot be dealt with by bundling the issues into a single legal container. The present Proposal attempts to do too much by relying on tools from two legal frameworks while not being fully committed to either. Equally damagingly, the Proposal duplicates and/or confuses issues already covered in GDPR. Nowhere is this more apparent than in the provisions on ‘cookies’. Article 8, which replaced the much-maligned and ineffective cookie requirement of Article 5(3) of the ePrivacy Directive, is long, confusing and replicates some parts of Recitals 26, 30 and 32 of GDPR while contradicting others.
A sensible approach is to keep the content and carrier layers separate by transferring content-related issues to GDPR while keeping the telecoms ones strictly within the telecoms framework. While this would require a thorough rethinking of the proposed texts and a redrafting of GDPR, the ultimate result would be the added protection in those areas where it is really needed.
[1] “Electronic communications” are an official EU replacement for the old term “telecommunications”. In reality, they are synonyms.