On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).
These Opinions are non-binding, but nevertheless indicate how regulators will seek to interpret the existing legal framework and how they intend to influence the reform of the future legal framework on ePrivacy matters.
The main recommendations of the Working Party with regard to the review of the ePrivacy Directive include:
- Extended scope. The scope of the ePrivacy Directive should be extended from traditional telecom providers to cover new types of Voice over IP services, including instant messaging, webmail and messaging in social networks. In addition, the Working Party recommends clarifying the definitions of “public electronic communications network” and “electronic communications services” to reflect the infrastructure of today’s communication networks. Finally, the Working Party recommends clarifying the term “publicly accessible private communication networks” so that the confidentiality protections of the ePrivacy Directive apply to all publicly available networks and services, such as Wi-Fi services in hotels and shops, networks offered by universities, and hotspots.
- Confidentiality. According to the Working Party, the confidentiality protections of the ePrivacy Directive should be improved to protect users against interception of the content of their communication, regardless of whether it concerns direct electronic communications between users or within a defined users group (e.g., a conference call or webcast). Furthermore, interception should be interpreted broadly to include the injection of unique identifiers. Moreover, the Working Party recommends merging the currently separate provisions on traffic and location data to create a harmonized consent requirement for the processing of metadata.
- Consent. Given the sensitive nature of communications data, the Working Party believes that prior user consent should remain a key principle in the ePrivacy context regarding the collection of metadata, content data and the use of tracking techniques. To ensure consistency with the GDPR, the future ePrivacy framework should clearly refer to the GDPR provisions specifying the definition, conditions and forms of consent. According to the Working Party, “take it or leave it” approaches that do not give users a free choice regarding processing rarely meet the requirements for freely given consent. Therefore, forced consent should be prohibited (e.g., tracking by unidentified third parties for unspecified purposes, and non-granular consent bundled across multiple purposes). The Working Party recommends that, instead of relying on website operators to obtain consent on behalf of third parties (such as advertising and social networks), manufacturers of browsers and other software or operating systems should be encouraged to offer Do Not Track controls that allow users to withdraw consent.
- Cookies. According to the Working Party, the cookie rules should be rephrased to be as technologically neutral as possible in order to capture tracking techniques used on smartphones and in Internet of Things applications, including “passive tracking.” The Working Party seeks to ensure that the rules governing the collection of information from user devices depend neither on the kind of device owned by the user nor on the technology employed by an organization, especially with respect to the use of information for marketing and market analysis purposes. The cookie consent requirements should also apply when the data is not stored on the terminal equipment but is made available through the device and processed elsewhere. The Working Party nevertheless invites the European Commission to consider circumstances in which cookie consent will not be required because of the minor impact on the rights of users, such as when anonymization techniques are used to immediately and irreversibly anonymize data during collection on the device, or at the endpoints of the network or sensors.
- Direct marketing. The Working Party recommends updating the rules on unsolicited communications to require prior consent of the user for sending any type of unsolicited communications independent of the means (e.g., electronic mail, behavioral advertising, voice or video calls, fax, text and direct-messaging). In addition, users must be able to revoke their consent easily and free of charge, without stating a reason, via simple means that have to be indicated in each subsequent communication. The commercial purpose of the communication should be clearly identified at the beginning of the communication. According to the Working Party, the currently applicable opt-out exception for sending marketing communications to existing customers for similar products and services should be limited to a reasonable amount of marketing communications so that senders do not bombard users with an excessive number of marketing calls or messages.
- Deletion of specific data breach notification. The ePrivacy Directive contains sector-specific breach notification requirements applicable to telecom providers and Internet service providers. To avoid duplicative notifications, the Working Party recommends simplifying the process to require the notification of supervisory authorities under the GDPR regarding all data breaches involving personal data.
- Enforcement. The Working Party believes it should be clarified that the supervisory authorities under the GDPR will also have jurisdiction over ePrivacy matters involving personal data, to ensure consistent enforcement and harmonized sanctions.
The EDPS makes recommendations similar to those of the Working Party with respect to the review of the ePrivacy Directive. In particular, the EDPS recommends that:
- the scope of the ePrivacy Directive be extended to all forms of electronic communications irrespective of network or service used;
- the updated rules ensure that the confidentiality of users is protected on all publicly accessible networks;
- no communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting or other technological means;
- communications should not be tracked or monitored, except with users’ freely given consent;
- the current consent requirement for traffic and location data should be strengthened;
- the existing rules on unsolicited communications should be updated to strengthen the consent requirements; and
- the future ePrivacy Directive provide specific rules enhancing transparency regarding government access requests, such as a requirement for organizations to periodically issue transparency reports on the number of law enforcement requests they receive, in aggregate form.
Read the Opinion of the Article 29 Working Party.
Read the Opinion of the EDPS.