On 10 January 2017, the Commission published a proposal for a draft regulation to replace the current e-Privacy Directive. The Article 29 Working Party has now published its Opinion (ref. WP247) on the proposal.
The Opinion is mixed. It welcomes elements of the proposal which make the new text sit better with the General Data Protection Regulation and which propose to regulate most Over the Top services in the same way as communications services, with which they are largely functionally equivalent. However, the Working Party also expresses concerns about elements of the proposal which propose more flexibility for operators in certain areas.
Tracking consumers' movements by way of device signals is increasingly common – for example, in shopping centres for footfall analysis. The Commission proposal effectively endorsed industry approaches of notice in affected areas and an opportunity to opt out. A29WP considers this too lenient. It proposes:
- Consent; or
- Anonymisation (subject to strict conditions); and
- That the Commission should develop a technical standard for devices to be able to signal an objection to tracking automatically.
Indeed, the A29WP proposes that providers should have to conduct Data Protection Impact Assessments even in relation to anonymous tracking: a complete break from the current principle that anonymous data falls outside the scope of data protection legislation.
Analysis of content and metadata
A29WP proposes greater control over use of metadata (and greater clarity as to what the term entails – in particular, that it covers usage data generated by OTT providers, not just the underlying network providers).
The WP proposes dual party consent for uses of both content and metadata. It also proposes that the rules on protection of content and metadata should apply to data both in transit and when stored.
Users should be able to consent to use of their own metadata (i.e. without needing consent of the other party) for services which would be covered by a domestic purposes exception. The examples given by the WP are search and indexing functionality or text to speech services.
The welcome given to security-related services in GDPR recitals is continued: the WP considers that these could be given a free pass as they may be considered to be strictly necessary for prevention/detection of service abuse. Similarly, downloading of software patches ought to be possible – currently the rules on storage of information on a user's device may catch this practice.
Consent – a tougher standard
The A29WP is looking for an express statement that 'cookie walls' (i.e. barriers to entering sites unless users give consent to all requested uses of tracking technology) are prohibited.
The A29WP welcomes statements that internet access and mobile telephony providers offer essential services, so cannot require (non-essential) consent as a condition of service. However, the WP considers that other providers (i.e. OTT providers) should be treated in the same way – with the result that take-it-or-leave-it choices about use of data would be prohibited.
The WP also looks for more detailed options for consent – for example, suggesting that the end user must be able to give separate consent per website or app for tracking for different purposes. However, a controller who is responsible for several sites or apps could ask for consent for all of these sites – as long as this request for consent is presented separately. The WP also suggests that a request to agree to 'all' cookies (with no option for the user to be selective) will also be invalid.
The WP proposes dealing with consent fatigue by banning organisations from seeking consent for third party collection of data more than once in any six-month period.
The draft Regulation abolishes the current distinction between subscriber (the person with the contract) and end-user. This may cause difficulties in the case of corporate-provided devices – as there is no lawful basis for the employer to update software on the device. The WP proposes special rules for dealing with this.
Privacy by design
The WP wants device manufacturers and software manufacturers to be required to do more. They must not just present users with a choice – the default settings should be protective of privacy, i.e. tracking should be turned off by default.
The WP also makes a number of other drafting and clarifying recommendations – for example, suggesting that an exemption for analytics should be made clearer and narrower and altering drafting on rules on direct marketing (to make clearer that they apply to all forms of targeted online advertising, not just to marketing which is 'sent' to an individual in the manner of an email or text). The broad concept of marketing should also be retained – covering political campaigning and charitable appeals – although the WP suggests that charities should be given more flexibility in the soft opt-in (which allows marketing based on an opt-out, rather than consent).