The proposal to update the special EU data protection rules, which apply to cookies and similar technology and to email and phone marketing, and which contain additional restrictions on communications providers, took a step forward in June.
The EU has already updated its main data protection rules in the General Data Protection Regulation, which replaces the 1995 Data Protection Directive. In January 2017, the Commission announced its intent to update the sister legislation to the Data Protection Directive, often referred to by the shorthand title of the e-Privacy Directive. The Commission also published a draft Regulation to replace this Directive.
Marju Lauristin, the MEP responsible for this legislation in the European Parliament, has now published her draft report on the Commission proposal. This is not the European Parliament's formal position; that will be adopted during its first reading of the Commission proposal. However, the report will be of interest to anyone who may be significantly affected by changes to the data protection regime which applies to digital or phone marketing, as well as to communications companies. Overall, the Parliamentary report proposes a tougher regime, with more restrictions on use of communications data and on digital marketing than appear in the Commission's proposal.
Key points to note are as follows:
- The draft report stresses that the aim of the Regulation is not to lower standards from GDPR but to adopt complementary and additional standards.
- A provision allowing Member States to introduce supplemental rules on the same topic as the draft Regulation is removed - so increasing harmonisation.
- The Commission proposal cross-referred to definitions of electronic communications services set out in the draft Communications Package. This cross-referencing is removed, so that the draft Regulation is free-standing and can be adopted without reference to other initiatives. However, the broad scope of the original Commission Proposal, which extended rules to over-the-top ("OTT") providers (e.g. and others offering functionally equivalent services to telecommunication service providers, is retained.
- The draft report proposes an altered definition of 'metadata' (anything other than content), which it suggests is clearer, but which raises the question of what 'content' is.
- The draft report makes it clear that interference with communications data is prohibited, whether the interference takes place when the data are at rest or in transit.
- Communications service providers are currently able to process communications data if this is necessary to effect the communication or for billing and service delivery purposes. These provisions are all tightened - data can only be used where 'strictly' necessary or, for content, where it is 'technically strictly necessary' to the service.
- All processing of communications data, by communications service providers or others, is strictly prohibited unless the Regulation expressly permits the processing.
- The ability of communications service providers to anonymise data when the data is no longer necessary is removed: instead the data must be deleted.
- Rules restricting storage of data on devices (cookie rules) and retrieval of data such as telemetry or crash data are tightened. Such storage and retrieval will only be possible if strictly necessary for the service or if based on specific consent, which cannot be required as a condition of receiving service. However, provisions facilitating analytics and software downloads (which are caught by the same rules) are introduced. There is also recognition that collection of data may be necessary in an employment context to protect the functioning of equipment provided by the employer.
- Providers of browsers and operating systems must ensure that tracking and data collection technologies are, by default, turned off. Users should be presented with options to turn them on. These settings must be transmitted to, and respected by, others.
- There is a provision stating that, if communications service providers encrypt communications, decryption of such data, or any attempt to weaken the providers' security, must be prohibited.
We will provide updates as the proposal proceeds through the legislative process.