Online public consultation for the revision of the "ePrivacy Directive"

By Gabriel Voisin


On 11 April 2016, the European Commission announced the launch of an online public consultation regarding the revision of Directive 2002/58/EC on privacy and electronic communications as amended (the "ePrivacy Directive"). This text provides specific rules for the telecommunications industry but also general provisions (applicable to any organisation) in areas such as (i) electronic direct marketing and (ii) the use of cookies or similar technologies. Following the launch of the public consultation, the European Commission organised a kick-off workshop on 12 April 2016 where the following was discussed:

From a Directive to a Regulation?

There seems to be a growing consensus around the idea that the revised ePrivacy rules should be produced by way of a regulation (i.e. a text directly applicable to all EU Member States) instead of a directive (i.e. a legal instrument which can only be deployed into the national legal framework of each Member State by way of implementing legislation). The recurring arguments in favour of such an approach are as follows: (i) the necessity to avoid a "regudirective"; (ii) to prevent confusion similar to that experienced during the implementation of the cookie rules; and (iii) to follow the path used for the revision of Directive 95/46/EC on Data Protection (the "Data Protection Directive"), due to be replaced by the General Data Protection Regulation (the "GDPR") as from 25 May 2018.

GDPR alignment

At present, the ePrivacy Directive needs to be read in conjunction with the Data Protection Directive as the two texts work together. With the replacement of the Data Protection Directive by the GDPR, the ePrivacy Directive will need to be revisited so as to be in line with the new rules. One illustration of this can be found in the growing importance of the role and type of consent under the GDPR rules. For instance, Art 7.1 of the GDPR provides that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”. The European Commission will have to clarify whether this would require organisations using electronic direct marketing to implement a so-called "double opt in" procedure as already exists in Germany (i.e. under German laws, companies are currently required to obtain a prior express consent from individuals when conducting electronic direct marketing activities. As a result, email addresses in Germany must be confirmed before they are added to a distribution list. A request for confirmation must be sent to the submitted address and the recipient must take some action to confirm that he indeed wants to be added to the distribution list. Most often, the confirmation action is as simple as replying to the confirmation request or clicking on a link).

OTT and semi-public Wi-Fi operators to be caught and telco-specific breach notification regime to be abolished?

The public consultation is also aimed at getting the European Commission into line with today's technologies. There is an open question as to whether over the top ("OTT") actors (e.g. messenger applications provided by social media or application providers) and semi-public Wi-Fi operators (e.g. the provision of Internet access in coffee shops or stores) should be subject to the various telco-specific obligations provided in the ePrivacy Directive. The workshop was used as a platform by many attendees to relay the message that the current telco-specific breach notification obligations provided in the ePrivacy Directive and Regulation 611/2013 should be abolished. Affected telco-organisations should instead be subject to the general breach notification regime provided under the GDPR where a longer period of time for notification applies.

Cookies and similar technologies

The European Commission is seeking views as to whether the current cookie rules should be amended. It has, for instance, been argued that requesting users' consent to the storage/access of information on their devices, in particular tracking cookies, may disrupt the Internet experience. The European Commission would like to know if options should be considered (e.g. effective browser settings, Do-Not-Track standard, a self-regulatory regime and others).

Timing and next steps

The European Commission invites all interested parties to respond to the online public consultation before 5 July 2016. The European Commission intends to (i) review all expressed comments and (ii) carry out the necessary impact assessments over summer and autumn 2016. The plan is that a first draft proposal will be presented by the European Commission in December 2016. Whether this ambitious deadline will be met remains to be seen. However, organisations should take the online public consultation as an opportunity to express their views and contribute to the debate. Should you need assistance in this respect or would like to be represented, our data protection experts in over 14 EU countries will be happy to help.