Part I
Introduction
As well as the current wide sweeping reforms being proposed to the existing European data protection framework (and in particular the introduction of a new Regulation[1] to replace the Data Protection Directive[2]), another area which will need reviewing in the near future is the regulation of the electronic communications sector and the e-Privacy Directive[3] .
The e-Privacy Directive which forms part of the Regulatory Framework for Electronic Communications was first adopted in 2002 and, amongst other things, specifies how some of the principles in the Data Protection Directive apply to the electronic communications sector. The e-Privacy Directive was further amended in 2009[4] as part of a package updating the Regulatory Framework and by January 2013, all Member States had notified the necessary measures to implement the e-Privacy Directive into their national laws.
The European Commission has recognised in its proposal to reform the existing data protection framework that changes will be needed to reconcile the application of this new Regulation with the e-Privacy Directive. Indeed, the proposed Regulation makes a limited number of technical adjustments to the e-Privacy Directive to take account of the fact that the Data Protection Directive is being transformed into a Regulation and the Commission has undertaken to carry out a further review in this area once the Regulation has been published.
In order to prepare for this review, the Commission asked a team of consultants to undertake a study of the transposition and effectiveness of the specifically privacy related articles of the e-Privacy Directive and also to consider the relationship of the e-Privacy Directive to the proposed Regulation. The outcome of the study was published as a report in June 2015[5] (the “Report’) and raises interesting questions for the fate of the e-Privacy Directive. It is a lengthy document (122 pages) with additional detailed supporting material in the Annexes. This article (which is in two parts) seeks to summarise the scope of the Report, focussing particularly on the consultants’ recommendations for legislative changes. Part 1 below covers their conclusions and recommendations on the structure and scope of regulation and on confidentiality.
The Report
The Report does not deal with the entire e-Privacy Directive but looks in detail at the following five specific topics, providing evidence of how they have been implemented and enforced in practice, suggesting gaps and potential areas for change and examining how the Directive should operate with the Regulation:
Scope of the e-Privacy Directive (Articles 1 to 3);
Confidentiality of communications (Article 5(1));
Cookies, spyware and similar techniques (Article 5(3));
Traffic and location data(Article 6 and 9); and
Unsolicited commercial communications (Article 13).
Scope of the e-Privacy Directive (Articles 1-3)
2. The provisions of the e-Privacy Directive are applicable to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.”[6]
3. The Report takes a detailed look at the definitions which make up this statement which highlights how complex it can be to work out whether the e-Privacy Directive is applicable to particular services and also how it can result in artificial distinctions being drawn where services that are very similar from a functional perspective are in fact regulated by different legal regimes. For instance, broadcasting services which are intended for a potentially unlimited audience are not covered (e.g. near video on demand services) but when the individual subscriber or user who is receiving that information that is part of the broadcasting service, can be identified, then it will be covered (e.g. video on demand services). Information society services are also excluded from the definition of “electronic communications services” and yet certain provisions in the e-Privacy Directive such as those dealing with cookies are almost certainly applicable to such services. This confusion is further compounded by the fact that the e-Privacy Directive has also not been transposed into the national legislation of the Member States on a consistent basis with certain provisions being transposed into legislation dealing with general data protection laws or other laws dealing with information society services or consumer protection. This means that different services can therefore be treated differently in each Member State.
4. The Report goes on to note that in contrast to the Data Protection Directive there are no applicable law provisions in the e-Privacy Directive. In the authors’ view, which is perhaps controversial, in the absence of such an explicit provision, the same principles should currently be applied as to the rest of the European Regulatory Framework for Electronic Communications, namely the place where the services are provided and they conclude that the applicable laws rules in the Data Protection Directive (which look to where the operator is established) would not be applicable to the e-Privacy Directive.
5. In the authors’ view, given growing convergence and technological developments, it no longer makes sense to distinguish technologically between information technology services, telecommunications services and media services. Indeed, they have the greatest doubts about whether the regulation of these activities in three separate sectors is sustainable. However, they highlight that this is an issue which goes beyond the e-Privacy Directive because it is a distinction which is underpinning all European regulation dealing with the online environment. As such, it is unlikely to change in the short term, so the Report therefore recommends instead, looking at what changes can be made to the existing e-Privacy Directive to help ensure consistency.
Report Recommendation
6. The recommendation is to amend Article 3 of the e-Privacy Directive (as set out in Para 2 above) to ‘make its provisions applicable to the protection of privacy and the processing of personal data “in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.’
7. The Report suggests that this amendment “would put an end to the discussion about the applicability of the provisions of the ePrivacy Directive to information society services and other value-added services provided via public electronic communications networks.’ and ‘ remedy the currently perceived distortion in which very similar services are subject to different regimes and the consequent uneven playing field.”
Confidentiality of communications (Article 5.1)
8. The Report next turns to the duties in Article 5.1 to keep communications confidential. This Article states that: “Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services through national legislation” and that “in particular, [the member states] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users”.
9. The Report notes that Member States have all had legislation for many years protecting the confidentiality of private communications (together with national exemptions for security and criminal investigation purposes) and that therefore the transposition of Article 5.1 did not have a harmonising effect in this regard. Nor do the consultants believe that this will change with the new draft Law Enforcement Directive[7]. These elements are so deeply integrated in matters within the jurisdiction of Member States that harmonisation is unrealistic. Nevertheless, the consultants propose changes to reflect their general approach of widening the scope of the e-Privacy Directive beyond public electronic communications systems.
Report recommendation
10. Consistent with the proposed changes to Article 3 (see para 6 above) the Report suggests making the provision applicable to “confidentiality of communications and the related use of traffic data by means of a public or publicly accessible private communications network”.
11. Secondly, in the authors’ view, it is uncertain what the current drafting of this provision means for technologies which are fully automated and which register electronic communications (such as deep packet inspection systems used to detect malware or mobile apps which access contact lists or SIM card data). The Report questions whether such intrusions are justified and that even with the consent of the user under Article 5.3 (i.e. the cookie rules as discussed further in Part 2 of this Article) whether they are incompatible with the proportionality principle applicable to the processing of personal data. The Report concludes that a recital should be added which clarifies that the confidentiality of electronic communications should be protected against “automatic” intrusions without human intervention.
12. Thirdly, the exception in Art. 5.2 for “technical storage which is necessary for the conveyance of a communication” should probably be broadened to “storage as far as necessary for ensuring the functioning of the network or the provision of the service on that network”. This is consistent with the Report’s proposed extension of scope of Article 5.1 to information society services.
13. Finally in this chapter, the Report considers in some detail the lawful business exemption in Article 5.2. This states that the protection of confidentiality “shall not affect any legally authorised recording of a communication and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.”
14. Again this exemption has been transposed by Member States in very different ways: The United Kingdom and Belgium are notable for their extensive use of the exemption, but some Member States have made no such provision at all seemingly because it is thought to be too prejudicial to general rights to the privacy of communications. The consultants suggest that the scope of this exemptionbe clarified to allow further harmonisation in this area. They propose widening it to other situations such as the recording of communications in an employment context for quality control or legitimate supervision of work performance. However, a careful assessment of the impact of such change on stakeholders would be needed to assess its feasibility, taking into account the diversity of rules currently applicable to the processing of personal data in the employment context.
Footnotes:
[1] Commission’s Proposal for a Regulation on the protection of individuals with regards to the processing of personal data and on the free movement of such data.
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[4] The e-Privacy Directive was amended in 2009 by the Citizen’s Rights Directive 2009/136/EC.
[5] http://ec.europa.eu/digital-agenda/en/news/eprivacy-directive-assessment-transposition-effectiveness-and-compatibility-proposed-data
[6] Article 3 e-Privacy Directive (as amended).
[7] Draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
Part II
Part 1 of this article reported the publication in June 2015 of a Report on the implementation and effectiveness of the privacy-focussed articles in the e-Privacy Directive and their relationship to the proposed general Data Protection Regulation prepared for the Commission. Part 2 of this article looks particularly at the Report’s recommendations for legislative change in the provisions relating to cookies, traffic and location data and unsolicited marketing.
Cookies and consent (Article 5.3)
1. Under Article 5.3 (following the amendments made to the e-Privacy Directive in 2009), Member states are required to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…”.
2. The Report looks in some detail at the historical background to the introduction of this consent requirement and takes the view that this provision does require “prior consent” (which is interesting to note in the light of arguments to the contrary by advertising interests). The consultants note that Article 5.3 regulates any information stored on terminal equipment and not just personal data, and they point out that it was pressure from the European Parliament which gave rise to the ‘consent’ requirement. The Commission, reacting to the widespread objection to the distribution of a tool called Mediamax by Sony as a Digital Rights Management measure which installed a rootkit onto the terminal equipment of the user, had merely proposed to widen the scope of the article to include distribution of ‘spyware’ by means other than an electronic communications network (now Recital 24).
3. The Report also highlights both the seemingly inconsistent wording of Recital 66[1] of the Citizens Rights Directive (which amends the e-Privacy Directive), which speaks of the ‘right to refuse’ and the use of browser settings to give consent, and also the declaration by 13 Member States that a right to object is sufficient ‘consent’ in the case of legitimate cookies. As practitioners well know this new law is surrounded with confusion, not least because some states (such as Germany and Estonia) have not yet transposed the revised Article 5.3 into Member State law.
Report recommendation
4. Much of the authors’ discussion is consequently directed to the issue of obtaining consent by browser settings and they propose that the Directive be amended by a Recital to make it clear that this will only be effective if the default settings reject third-party cookies and require the user to engage in an affirmative action to accept both the setting of and continued transmission of information contained in the cookies. The authors are concerned by the proliferation of warning messages generated by the new rules and propose that such warnings should be restricted to third-party cookies, those used for direct marketing and those not related to the purpose for which the user has visited a web site.
5. Article 5.3 also includes exemptions from the need for consent either in the case of ‘any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ The Report proposes widening these exemptions by removing the ‘strictly necessary’ condition and by providing a specific exemption for cookies used to obtain web-site usage statistics. On the other hand, the authors suggest an amendment requiring the explicit collection of ‘specific, active and prior consent in all cases where cookies or similar techniques are used for direct marketing.’
6. In concluding their discussion of cookies, the authors also mention briefly the unclear territorial scope of application of Article 5.3 and conclude that the most logical solution would be to use the rules in the general data protection framework. They mention in passing the fact that new server-side techniques of identification have been developed not requiring any storage on or access to terminal equipment. More substantially they raise doubts about the appropriateness of ‘consent’ to legitimise tracking activities which might be extensive or unlimited. They recognise that this question is part of the current debate on the proposed general data protection Regulation around the topic of ‘profiling’. The authors raise questions concerning their considerable misgivings as to whether ‘consent’ is ‘effective and logically plausible’ in this context, but give no answer to their question.
Traffic & Location Data (Articles 5 and 9)
7. Next, the Report considers the provisions relating to traffic and location data. Traffic data are “any data processed for the purpose of a conveyance of a communication on an electronic communications network or for the billing thereof”.
8. In principle, traffic data are to be deleted after their use for the transmission of the communication, but they may be retained for billing purposes and Member States can require their retention for national security and law enforcement purposes. Article 6.3 also permits providers of publicly available electronic communications services to process traffic data for the purpose of marketing electronic communications services as well as for the provision of value added services although this is only allowed where the subscriber or user has given her prior consent, which may be withdrawn at any time. In practice this means that traffic data, unlike other categories of personal data cannot be processed for direct marketing purposes based on an organisation’s legitimate interests.
9. The Report expresses some concern at the state of compliance with this provision and comments on the practice of obtaining consent in the general terms and conditions of a communications supplier and in some cases obtaining the right to use the data for two years after the end of the contract.
The Report also examines the rules for the use of location data which are not traffic data which are set out in Article 9 (although it recognises that some traffic data will also be location data and vice versa). Location data are defined as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”
11. Article 9 requires that these data can only be used for value-added services (commonly known as location based services) if they are anonymised or with the consent of the subscriber or user. There is scope for retention of the data for national security and law enforcement purposes and the need for consent can be over-ridden by the emergency services.
12. There is an extensive discussion of the problems created by this Article in requiring consent of either subscriber or user and in providing information in advance of consent. The Report is particularly conscious that Article 9 applies only to electronic communications service providers and not to information society service providers. Consequently, innumerable mobile apps providing location based services are outside its scope. Neither does the Article cover location data that are transmitted via enterprise networks aimed at a private user group.
Report recommendation
13. Consistent with the Report’s general approach to extending the scope of the e-Privacy Directive, it proposes ‘to make the rules with regard to the processing of traffic and location data applicable to all services provided via public or publicly available private communications networks that collect and further process traffic and location data. As a result, the processing of location data in the context of information society services provided via all kinds of mobile apps would be subject to the application of Art. 6 and Art. 9 …’
14. Finally the Report suggests that the actual processing of traffic data and location data in Member States should continue to be closely monitored and that the solution for determining applicable law should also be brought in line with the solution adopted in the general data protection framework.
Unsolicited Direct Marketing (Article 13)
15. The anti-spam Article 13.1, which prohibits the use of the use of automated calling and communication systems, fax and e-mail for direct marketing without the prior consent of the subscriber or user, has, according to the Report, been reasonably transposed in a variety of ways into Member State laws.
16. The principal concern expressed is that the restriction to electronic communications systems has been strictly interpreted leaving unregulated direct marketing by information society services such as Facebook, LinkedIn, Skype or Twitter even though the message might ultimately be delivered over an electronic communications system and notwithstanding the fact that the Article applies to messages sent by anyone and not just communications service providers. The Report suggests that such a narrow interpretation might not be correct and that messages sent by a communications service, but finally delivered by, for example, a webmail service should be treated as falling within Article 13.1.
17. The Report considers at some length the ‘soft opt-in’ provisions (namely the exception to the consent rule) which have not been uniformly transposed and they express doubt about whether this exception is properly consistent with the notion of consent. When discussing means of giving consent, the Report is critical of what it describes as the ‘flexible’ UK approach and the advice given by the UK Information Commissioner. The Report notes the different approaches adopted by Member States in relation to direct marketing by other types of marketing medium and to the protection of legal persons.
Report recommendation
18. The Report makes recommendations consistent with its general approach to the scope of the Directive. Accordingly, it proposes that ‘the opt-in rule of Article 13.1 should also apply to e-mail messages transmitted via information society services.’ The choice of opt-in or opt-out under Article 13.3 should continue to be in the discretion of the Member States, partly because some states have already adopted an opt-in rule and partly to examine the success of systems such as the Telephone Preference Service. As a consequence of the different ways in which Member States have transposed Article 13, direct marketing can be subject to multiple and potentially inconsistent regulation. Consequently, the Report also calls for greater harmonisation of the rules on applicable law.
Relationship to Proposed General Data Protection Regulation
19. The Report in its final section refers to Article 89 of the draft Regulation which recognises the need to ensure the integration with the e-Privacy Directive. Article 89 reads thus:
‘This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.‘Article 1(2) of Directive 2002/58/EC shall be deleted[2]’
20. The Report is content that this article would provide a workable relationship between the proposed Regulation and the articles in the e-Privacy Directive which are the subject of the Report.
Report recommendation
21. However, the authors note, ‘if… the scope of application of the ePrivacy Directive were to be modified, the text of Article 89(1) should be amended as well… This should be changed into “obligations on natural and legal persons in relation to the processing of personal data in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.
22. Finally, the Report proposes that ‘the Commission should consider transforming the Directive into a Regulation for three reasons.’ That would first reduce the complexity of the relationship between the provisions of the two legislative instruments; secondly, apply to the topics of the study the supervisory and enforcement mechanism introduced by the proposed Data Protection Regulation and thirdly, provide the technical basis for the amendment of Art. 89 of the general Data Protection Regulation (once adopted) if it were no longer consistent with any future “ePrivacy Regulation”.
Conclusions
23. Clearly, something must be done with the e-Privacy Directive. This Report gives the Commission a basis for dealing with the parts of that Directive which are specifically privacy related. The Commission has an opportunity, if it so wishes, to propose a further Regulation to deal with these topics and to extend its scope to information society service providers.
24. Beyond that political value, the Report provides a valuable survey and analysis. It clearly demonstrates that we are faced with public policy and legislative incoherence, graphically illustrating the inconsistencies generated by seeking to regulate such matters as location-based services and direct marketing on the basis of the three sectoral silos of electronic communication, information services and audio/visual media.
Francis Aldhouse & Liz Upton
Bird & Bird
Footnotes:
[1] Recital 66 states: “Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”
[2] Article 1(2) currently states “The provision of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for the protection of the legitimate interests of subscribers who are legal persons”.