The future of the e-privacy directive: now is the time to have your say.

The e-Privacy Directive forms part of the Regulatory Framework for Electronic Communications which was first adopted in 2002 and, amongst other things, specifies how some of the principles in the Data Protection Directive 95/46/EC apply to the electronic communications sector. It was further amended in 2009² and by January 2013, all Member States had implemented the e-Privacy Directive into their national laws.

Political agreement on the GDPR was reached in December 2015 and the final draft text was approved by the EU Parliament and the Council on 14 April 2016.. It will be published in the Official Journal shortly and will come into force late Spring/Summer 2018.

The Commission started to prepare for this review last year and asked a team of consultants to look at the transposition and effectiveness of the specifically privacy related articles of the e-Privacy Directive as well as the relationship between the e-Privacy Directive and the GDPR. The outcome of the study was published in June 2015³ (the “Report’) and raised some interesting questions for the fate of the e-Privacy Directive. We published a two part article summarising this Report back in October 2015 which we have reproduced again below for further information.

The review of the e-Privacy Directive will be preceded by a Regulatory Fitness and Performance Programme (REFIT) which aims at evaluating the performance of the existing legislation against criteria such as efficiency, effectiveness and EU added value.

The Commission is now consulting stakeholders on both the retrospective evaluation and the possible change to the current e-Privacy Directive. The consultation period will last until 5 July 2016 and is open to all citizens, legal entities and public authorities. More details about the consultation and how to respond to the questionnaire are available here. All feedback will be publicly available and will be used by the Commission to prepare for a new legislative proposal which is expected by the end of 2016.

Some of the main questions that are being consulted on are as follows:

• Have the main objectives of the e-Privacy Directive been achieved?
• Are specific rules still necessary for the electronic communications sector?
• How does the e-Privacy Directive currently fit alongside other legal instruments such as the GDPR or the Network and Information Security Directive?
• Should there be different rules for different types of direct marketing activity?
• Should Member States be able to retain the possibility to choose between opt in or opt out regimes for direct marketing?
• Should messages sent by social media be covered by the direct marketing rules?
• To what extent did the e-Privacy Directive create additional costs for businesses?
• What should be the priorities for any future legal instrument covering privacy and data protection in the electronic communications sector?
• What kind of instrument should it be – Directive or Regulation?
• Should the scope be broadened to cover over the top service providers (eg instant messaging, webmail, unmanaged Voice over IP)?
• Should the legislation ensure the right of individuals to secure their communications, without prejudice to law enforcement needs?
• Should consent be obtained for use of cookies and other technologies?
• Should the exemptions to consent for processing traffic and location data be broadened?
• Are the provisions on non itemised bills, control over call line identification and subscribers directories still relevant?
• Who should be responsible for enforcement the e-Privacy Directive and what sanctions should be given for breaches?

Bird & Bird are following the consultation closely and are happy to assist clients who wish to participate in the consultation or who have broader questions about the implications of the e-Privacy Directive on their businesses. We plan to host a roundtable discussion on the Future of the e-Privacy Directive in the coming weeks.

Overview of the Report

1. The Report does not deal with the entire e-Privacy Directive but looks in detail at the following five specific topics, providing evidence of how they have been implemented and enforced in practice, suggesting gaps and potential areas for change and examining how the Directive should operate with the Regulation:

• Scope of the e-Privacy Directive (Articles 1 to 3);
• Confidentiality of communications (Article 5(1));
• Cookies, spyware and similar techniques (Article 5(3));
• Traffic and location data(Article 6 and 9); and
• Unsolicited commercial communications (Article 13).

Scope of the e-Privacy Directive (Articles 1-3)

2. The provisions of the e-Privacy Directive are applicable to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.”⁴

3. The Report takes a detailed look at the definitions which make up this statement which highlights how complex it can be to work out whether the e-Privacy Directive is applicable to particular services and also how it can result in artificial distinctions being drawn where services that are very similar from a functional perspective are in fact regulated by different legal regimes. For instance, broadcasting services which are intended for a potentially unlimited audience are not covered (e.g. near video on demand services) but when the individual subscriber or user who is receiving that information that is part of the broadcasting service, can be identified, then it will be covered (e.g. video on demand services). Information society services are also excluded from the definition of “electronic communications services” and yet certain provisions in the e-Privacy Directive such as those dealing with cookies are almost certainly applicable to such services. This confusion is further compounded by the fact that the e-Privacy Directive has also not been transposed into the national legislation of the Member States on a consistent basis with certain provisions being transposed into legislation dealing with general data protection laws or other laws dealing with information society services or consumer protection. This means that different services can therefore be treated differently in each Member State.

4. The Report goes on to note that in contrast to the Data Protection Directive there are no applicable law provisions in the e-Privacy Directive. In the authors’ view, which is perhaps controversial, in the absence of such an explicit provision, the same principles should currently be applied as to the rest of the European Regulatory Framework for Electronic Communications, namely the place where the services are provided and they conclude that the applicable laws rules in the Data Protection Directive (which look to where the operator is established) would not be applicable to the e-Privacy Directive.

5. In the authors’ view, given growing convergence and technological developments, it no longer makes sense to distinguish technologically between information technology services, telecommunications services and media services. Indeed, they have the greatest doubts about whether the regulation of these activities in three separate sectors is sustainable. However, they highlight that this is an issue which goes beyond the e-Privacy Directive because it is a distinction which is underpinning all European regulation dealing with the online environment. As such, it is unlikely to change in the short term, so the Report therefore recommends instead, looking at what changes can be made to the existing e-Privacy Directive to help ensure consistency.

Report Recommendation

6. The recommendation is to amend Article 3 of the e-Privacy Directive (as set out in Para 2 above) to ‘make its provisions applicable to the protection of privacy and the processing of personal data “in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.’

7. The Report suggests that this amendment "would put an end to the discussion about the applicability of the provisions of the ePrivacy Directive to information society services and other value-added services provided via public electronic communications networks.’ and ‘ remedy the currently perceived distortion in which very similar services are subject to different regimes and the consequent uneven playing field."

Confidentiality of communications (Article 5.1)

8. The Report next turns to the duties in Article 5.1 to keep communications confidential. This Article states that: “Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services through national legislation” and that “in particular, [the member states] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users”.

9. The Report notes that Member States have all had legislation for many years protecting the confidentiality of private communications (together with national exemptions for security and criminal investigation purposes) and that therefore the transposition of Article 5.1 did not have a harmonising effect in this regard. Nor do the consultants believe that this will change with the new draft Law Enforcement Directive⁵. These elements are so deeply integrated in matters within the jurisdiction of Member States that harmonisation is unrealistic. Nevertheless, the consultants propose changes to reflect their general approach of widening the scope of the e-Privacy Directive beyond public electronic communications systems.

Report recommendation

10. Consistent with the proposed changes to Article 3 (see para 6 above) the Report suggests making the provision applicable to “confidentiality of communications and the related use of traffic data by means of a public or publicly accessible private communications network”.

11. Secondly, in the authors’ view, it is uncertain what the current drafting of this provision means for technologies which are fully automated and which register electronic communications (such as deep packet inspection systems used to detect malware or mobile apps which access contact lists or SIM card data). The Report questions whether such intrusions are justified and that even with the consent of the user under Article 5.3 (i.e. the cookie rules as discussed further in Part 2 of this Article) whether they are incompatible with the proportionality principle applicable to the processing of personal data. The Report concludes that a recital should be added which clarifies that the confidentiality of electronic communications should be protected against “automatic” intrusions without human intervention.

12. Thirdly, the exception in Art. 5.2 for “technical storage which is necessary for the conveyance of a communication” should probably be broadened to “storage as far as necessary for ensuring the functioning of the network or the provision of the service on that network”. This is consistent with the Report's proposed extension of scope of Article 5.1 to information society services.

13. Finally in this chapter, the Report considers in some detail the lawful business exemption in Article 5.2. This states that the protection of confidentiality “shall not affect any legally authorised recording of a communication and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.”

14. Again this exemption has been transposed by Member States in very different ways: The United Kingdom and Belgium are notable for their extensive use of the exemption, but some Member States have made no such provision at all seemingly because it is thought to be too prejudicial to general rights to the privacy of communications. The consultants suggest that the scope of this exemptionbe clarified to allow further harmonisation in this area. They propose widening it to other situations such as the recording of communications in an employment context for quality control or legitimate supervision of work performance. However, a careful assessment of the impact of such change on stakeholders would be needed to assess its feasibility, taking into account the diversity of rules currently applicable to the processing of personal data in the employment context.

Cookies and consent (Article 5.3)

1. Under Article 5.3 (following the amendments made to the e-Privacy Directive in 2009), Member states are required to ensure that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…".

2. The Report looks in some detail at the historical background to the introduction of this consent requirement and takes the view that this provision does require"prior consent" (which is interesting to note in the light of arguments to the contrary by advertising interests). The consultants note that Article 5.3 regulates any information stored on terminal equipment and not just personal data, and they point out that it was pressure from the European Parliament which gave rise to the ‘consent’ requirement. The Commission, reacting to the widespread objection to the distribution of a tool called Mediamax by Sony as a Digital Rights Management measure which installed a rootkit onto the terminal equipment of the user, had merely proposed to widen the scope of the article to include distribution of ‘spyware’ by means other than an electronic communications network (now Recital 24).

3. The Report also highlights both the seemingly inconsistent wording of Recital 66⁶ of the Citizens Rights Directive (which amends the e-Privacy Directive), which speaks of the ‘right to refuse’ and the use of browser settings to give consent, and also the declaration by 13 Member States that a right to object is sufficient ‘consent’ in the case of legitimate cookies. As practitioners well know this new law is surrounded with confusion, not least because some states (such as Germany and Estonia) have not yet transposed the revised Article 5.3 into Member State law.

Report recommendation

4. Much of the authors’ discussion is consequently directed to the issue of obtaining consent by browser settings and they propose that the Directive be amended by a Recital to make it clear that this will only be effective if the default settings reject third-party cookies and require the user to engage in an affirmative action to accept both the setting of and continued transmission of information contained in the cookies. The authors are concerned by the proliferation of warning messages generated by the new rules and propose that such warnings should be restricted to third-party cookies, those used for direct marketing and those not related to the purpose for which the user has visited a web site.

5. Article 5.3 also includes exemptions from the need for consent either in the case of ‘any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’ The Report proposes widening these exemptions by removing the ‘strictly necessary’ condition and by providing a specific exemption for cookies used to obtain web-site usage statistics. On the other hand, the authors suggest an amendment requiring the explicit collection of ‘specific, active and prior consent in all cases where cookies or similar techniques are used for direct marketing.’

6. In concluding their discussion of cookies, the authors also mention briefly the unclear territorial scope of application of Article 5.3 and conclude that the most logical solution would be to use the rules in the general data protection framework. They mention in passing the fact that new server-side techniques of identification have been developed not requiring any storage on or access to terminal equipment. More substantially they raise doubts about the appropriateness of ‘consent’ to legitimise tracking activities which might be extensive or unlimited. They recognise that this question is part of the current debate on the proposed general data protection Regulation around the topic of ‘profiling’. The authors raise questions concerning their considerable misgivings as to whether ‘consent’ is ‘effective and logically plausible’ in this context, but give no answer to their question.

Traffic & Location Data (Articles 5 and 9)

7. Next, the Report considers the provisions relating to traffic and location data. Traffic data are “any data processed for the purpose of a conveyance of a communication on an electronic communications network or for the billing thereof”.

8. In principle, traffic data are to be deleted after their use for the transmission of the communication, but they may be retained for billing purposes and Member States can require their retention for national security and law enforcement purposes. Article 6.3 also permits providers of publicly available electronic communications services to process traffic data for the purpose of marketing electronic communications services as well as for the provision of value added services although this is only allowed where the subscriber or user has given her prior consent, which may be withdrawn at any time. In practice this means that traffic data, unlike other categories of personal data cannot be processed for direct marketing purposes based on an organisation’s legitimate interests.

9. The Report expresses some concern at the state of compliance with this provision and comments on the practice of obtaining consent in the general terms and conditions of a communications supplier and in some cases obtaining the right to use the data for two years after the end of the contract.

10. The Report also examines the rules for the use of location data which are not traffic data which are set out in Article 9 (although it recognises that some traffic data will also be location data and vice versa). Location data are defined as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

11. Article 9 requires that these data can only be used for value-added services (commonly known as location based services) if they are anonymised or with the consent of the subscriber or user. There is scope for retention of the data for national security and law enforcement purposes and the need for consent can be over-ridden by the emergency services.

12. There is an extensive discussion of the problems created by this Article in requiring consent of either subscriber or user and in providing information in advance of consent. The Report is particularly conscious that Article 9 applies only to electronic communications service providers and not to information society service providers. Consequently, innumerable mobile apps providing location based services are outside its scope. Neither does the Article cover location data that are transmitted via enterprise networks aimed at a private user group.

Report recommendation

13. Consistent with the Report’s general approach to extending the scope of the e-Privacy Directive, it proposes ‘to make the rules with regard to the processing of traffic and location data applicable to all services provided via public or publicly available private communications networks that collect and further process traffic and location data. As a result, the processing of location data in the context of information society services provided via all kinds of mobile apps would be subject to the application of Art. 6 and Art. 9 …’

14. Finally the Report suggests that the actual processing of traffic data and location data in Member States should continue to be closely monitored and that the solution for determining applicable law should also be brought in line with the solution adopted in the general data protection framework.

Unsolicited Direct Marketing (Article 13)

15. The anti-spam Article 13.1, which prohibits the use of the use of automated calling and communication systems, fax and e-mail for direct marketing without the prior consent of the subscriber or user, has, according to the Report, been reasonably transposed in a variety of ways into Member State laws.

16. The principal concern expressed is that the restriction to electronic communications systems has been strictly interpreted leaving unregulated direct marketing by information society services such as Facebook, LinkedIn, Skype or Twitter even though the message might ultimately be delivered over an electronic communications system and notwithstanding the fact that the Article applies to messages sent by anyone and not just communications service providers. The Report suggests that such a narrow interpretation might not be correct and that messages sent by a communications service, but finally delivered by, for example, a webmail service should be treated as falling within Article 13.1.

17. The Report considers at some length the ‘soft opt-in’ provisions (namely the exception to the consent rule) which have not been uniformly transposed and they express doubt about whether this exception is properly consistent with the notion of consent. When discussing means of giving consent, the Report is critical of what it describes as the ‘flexible’ UK approach and the advice given by the UK Information Commissioner. The Report notes the different approaches adopted by Member States in relation to direct marketing by other types of marketing medium and to the protection of legal persons.

Report recommendation

18. The Report makes recommendations consistent with its general approach to the scope of the Directive. Accordingly, it proposes that ‘the opt-in rule of Article 13.1 should also apply to e-mail messages transmitted via information society services.’ The choice of opt-in or opt-out under Article 13.3 should continue to be in the discretion of the Member States, partly because some states have already adopted an opt-in rule and partly to examine the success of systems such as the Telephone Preference Service. As a consequence of the different ways in which Member States have transposed Article 13, direct marketing can be subject to multiple and potentially inconsistent regulation. Consequently, the Report also calls for greater harmonisation of the rules on applicable law.

Relationship to Proposed General Data Protection Regulation

19. The Report in its final section refers to Article 89 of the draft Regulation which recognises the need to ensure the integration with the e-Privacy Directive. Article 89 reads thus:

‘This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.‘Article 1(2) of Directive 2002/58/EC shall be deleted ⁷’

20. The Report is content that this article would provide a workable relationship between the proposed Regulation and the articles in the e-Privacy Directive which are the subject of the Report.

Report recommendation

21. However, the authors note, ‘if… the scope of application of the ePrivacy Directive were to be modified, the text of Article 89(1) should be amended as well… This should be changed into “obligations on natural and legal persons in relation to the processing of personal data in connection with the provision of publicly available services in public or publicly accessible private communications networks in the Union”.

22. Finally, the Report proposes that ‘the Commission should consider transforming the Directive into a Regulation for three reasons.’ That would first reduce the complexity of the relationship between the provisions of the two legislative instruments; secondly, apply to the topics of the study the supervisory and enforcement mechanism introduced by the proposed Data Protection Regulation and thirdly, provide the technical basis for the amendment of Art. 89 of the general Data Protection Regulation (once adopted) if it were no longer consistent with any future “ePrivacy Regulation”.

Conclusions

23. Clearly, something must be done with the e-Privacy Directive. This Report gives the Commission a basis for dealing with the parts of that Directive which are specifically privacy related. The Commission has an opportunity, if it so wishes, to propose a further Regulation to deal with these topics and to extend its scope to information society service providers.

24. Beyond that political value, the Report provides a valuable survey and analysis. It clearly demonstrates that we are faced with public policy and legislative incoherence, graphically illustrating the inconsistencies generated by seeking to regulate such matters as location-based services and direct marketing on the basis of the three sectoral silos of electronic communication, information services and audio/visual media.

• ^[1] _{Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.}
• ^[2] _{The e-Privacy Directive was amended in 2009 by the Citizen’s Rights Directive 2009/136/EC.}
• ^[3] _{http://ec.europa.eu/digital-agenda/en/news/eprivacy-directive-assessment-transposition-effectiveness-and-compatibility-proposed-data.}
• ^[4] _{Article 3 e-Privacy Directive (as amended).}
• ^[5] _{Draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.}
• ^[6] _{Recital 66 states: "Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities."}
• ^[7] _{Article 1(2) currently states “The provision of this Directive particularise and complement Directive 95/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for the protection of the legitimate interests of subscribers who are legal persons”.}