On October 19, 2017, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) narrowly voted to approve an amended version of the e-Privacy Regulation (“Regulation”). The committee vote is an important step in the process within the European Parliament. This vote will be followed by a vote of the European Parliament in its plenary session on October 23-26. If the plenary also votes in favor, the European Parliament will have a mandate to begin negotiations with the Member States in the Council. If these negotiations (commonly known as “trilogue”) succeed, the Regulation will be adopted.
Also on October 19, 2017, the Centre for Information Policy Leadership at Hunton & Williams (“CIPL”) published a study on the impact of the proposed Regulation (the “Study”). The Study was prepared by Professor Niko Haerting of Haerting Rechtsanwaelte, Berlin, whom CIPL had asked for an independent expert opinion on the proposal.
The Study examines in detail the European Commission’s January 10, 2017 proposal on the Regulation. The Commission’s stated goal is to replace the existing ePrivacy Directive (“Directive”) with the Regulation at the same time the EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018.
Main Conclusions of the Study
- The Regulation focuses on protecting individuals’ privacy mainly through its consent requirements. It would therefore be up to individuals to protect their own privacy by providing or refusing consent. Shifting the responsibility from businesses to individual consumers cannot be regarded as enhancing privacy protections. Moreover, this would ultimately undermine digital services in Europe.
- In many cases, the Regulation’s rules deviate from the GDPR. This is bound to lead to legal uncertainty and will be harmful to European businesses. There is a direct conflict between the Regulation’s consent requirements and the more flexible approach in Art. 6 of the GDPR that requires consent in some cases but also allows for data processing without consent, such as when processing is necessary for the performance of a contract or when the service provider or a third party has a legitimate interest that outweighs the interests of data subjects.
Background
The Study is published against the backdrop of today’s LIBE Committee vote. The vote was 31 votes in favor, 24 votes against and 1 abstention. The outcome of the plenary of the European Parliament (in a vote which is expected on October 26, 2017) is not clear and the negotiations with the Member States in the Council have yet to begin.
The main focus of both the GDPR and the Regulation/Directive is the protection of European citizens’ privacy. While the Regulation, like the Directive, is rooted in data protection for the telecommunications sector, it has a significantly wider impact.
The Regulation contains numerous references to the GDPR. According to Art. 1(3), the provisions of the Regulation are intended to “particularise and complement” the GDPR (“lex specialis”). At the same time, the Regulation aims to protect “fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services” (Art. 1(1)) while ensuring “free movement of electronic communications data and electronic communications services” in the EU (Art. 1 (2)).
The Study focuses on the proposed new “cookie provisions” (Art. 8, 9 and 10) and on the proposed “interference provisions” (Art. 5, 6 and 7), including the “wiretapping provisions” of Art. 11. It also addresses some of the Regulation’s consequences for connected and autonomous cars.
In particular, the Study seeks to answer the following questions:
- Practicability: Are the proposed provisions coherent, and does their application to standard business models lead to reasonable results?
- Overlap: Are the proposed provisions in line with the provisions of the GDPR? Are there contradictions?
- Freedom of Communication: Do the proposed provisions foster the free flow of communication data in Europe, or do they unintentionally impose obstacles on communication?
- User-Friendliness: Do the proposed provisions meet the expectations of reasonable users?
The Study’s Key Findings
- With the prohibition on “processing” communications data, the Regulation would be a serious obstacle to digital innovations in Europe and to the development of new beneficial services based on data use and machine learning. The prohibition on “processing” would constitute a substantial setback to the European digital economy.
- Excessive consent requirements would lead to red tape and tick boxes, which are likely to irritate consumers. This will negatively impact their online experience.
- Art. 5 of the Regulation introduces a new prohibition on the “processing” of communications data. However, it is exactly the “processing” of communications data that the customer pays for (as opposed to “interception” or “surveillance”). The prohibition should be limited to interception and surveillance of messages.
- With respect to metadata, it is unclear why IP addresses and other “online identifiers” clearly covered by the GDPR need to be regulated in the Regulation as well.
- Art. 6 of the Regulation does not work for machine-to-machine communication, wearables, connected cars and the Internet of Things (“IoT”). In machine-to-machine-communication, raw data are transmitted that qualify neither as “content” nor metadata.
- When customers use digital communications services (e.g., email, messenger), they will expect their messages to be stored by the provider. Moreover, they will expect to be in control when it comes to the erasure of messages. Therefore, the provider’s duty to erase content is against the user’s interests and contrary to the user’s expectations.
- Given that “online identifiers” such as cookies are already covered by the GDPR, it is unclear why additional provisions are needed in the Regulation.
- Web analytics tools are, on the one hand, recognized as “legitimate and useful”. On the other hand, hardly any analytics tool will be covered by the exception from the consent requirement, because the exception is applicable only when a website operator is using his or her own analytics tool. This is contradictory.
- Fingerprinting falls under the “cookie provision” of Art. 8 of the Regulation and requires consent. For the time being, it does not appear to be realistic to expect that there will soon be browser settings on the market that meet the requirements of consent for fingerprinting. There are presently no standards for such settings on the market, and the standards that can be found in the Regulation focus exclusively on cookies and neglect fingerprinting and other non-cookie tracking technologies.
- Wi-Fi and Bluetooth tracking are prohibited by Art. 8(2) of the Regulation, and no consent exception is provided. This is not in line with the intention of making consent the “central legal ground” of the Regulation.
- The obligation to display “prominent notices” limits the lawfulness of Wi-Fi and Bluetooth tracking to tools that monitor a building or a pre-defined area.
- The over-reliance on consent is based on false assumptions when it comes to legal persons. The Regulation aims at protecting privacy and extending such protection to legal persons. However, it is unclear whose consent is relevant.
- Art. 10 of the Regulation obliges app providers to enable users to prevent the storing of “information.” However, it is such storage that often will be a fundamental function of the app. There is no reason why the provider of a messenger app should be obliged to enable his or her customers to prevent the storing of messages, pictures and voice files on their smartphones given that the receipt and (temporary) storage of content is the main purpose of the app.