Out-Law Analysis 9 min. read
19 Jan 2016, 11:08 am
The Commission wants to update the EU's Privacy and Electronic Communications (e-Privacy) Directive and the recommendations made to it last summer suggest that wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data.
Telecoms bodies have called for the repeal of the e-Privacy regime, but the study suggests it will be expanded and will have an impact on many more businesses that communicate via digital channels than is currently the case.
The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, has promised to consider the findings of the study. Proposals for reforms are scheduled to be instigated this year, with a consultation on the reforms likely to be opened in March, according to recent reports. Telecoms companies and others involved in online communications must act now to make their voices heard on the planned changes.
The scope of new e-Privacy rules
The current e-Privacy Directive, set in 2002 and amended in 2009, sets out rules for electronic communication network and service providers. The Directive governs the "processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks" in the EU.
The Directive does not, generally, apply to content providers that process personal data over those networks. This is controversial because, as the Commission-backed study points out, it can mean that two competing businesses that provide communications services might be subject to different legal standards "depending on whether they are provided in the form of an electronic communications service, an information society service, or an audiovisual service".
The report advised the Commission to make "information society service providers using the internet to provide communication services", such as Facebook, LinkedIn and Skype, subject to the revised e-Privacy rules alongside the providers of publicly available electronic communication services, such as businesses operating in the telecoms sector..
The impact on location data services
One area where this proposed change in scope would have an impact would be in businesses' use of location data.
Location data is information that records the geographic position of electronic devices, such as smartphones. Businesses use location data to promote the proximity of their outlets to consumers in the nearby area. Location data can reveal information that is inherently sensitive, in a non-technical sense, and in many cases is classed as personal data because it can identify devices users. This means that the collection, use and disclosure of this data is subject to data protection laws.
Because internet service providers (ISPs) and mobile network operators are governed by the e-Privacy Directive they face greater restrictions on the use of location data than other businesses, whose behaviour is just governed by general data protection legislation.
Under the e-Privacy regime telecoms companies are prohibited from processing location data unless the data has either been anonymised or they have the consent of the data subjects. Even where consent is given it can only be processed "to the extent and for the duration necessary for the provision of a value added service".
The providers also face pre-processing disclosure obligations relating to location data. These include a requirement to tell customers what type of location data they plan to process and for what purposes, how long they plan to carry out the processing for and what data sharing arrangements they have with third parties. Customers have the right to withdraw their consent to the processing of location data at any time.
However, the emergence of rival communication providers such as WhatsApp and Skype, which do not operate their own telecommunications networks but instead provide services over others', has led to criticism of the e-Privacy Directive's provisions, including on location data, from some telecoms industry bodies.
Global mobile operators' association the GSMA and the European Telecommunications Network Operators' Association (ETNO) believe the rules create a two-tier regulatory framework and have called for the e-Privacy Directive to be repealed. They wanted this issue to be addressed via the General Data Protection Regulation that is in the process of being finalised, but that does not now look likely.
GSMA told Out-Law.com that "specific obligations for telecom providers" in relation to the processing of location data are "no longer justifiable in the current telecom landscape". It said it would "still be pushing for a single set of horizontal data protection rules that cover everybody across the internet services ecosystem in the same way" even if 'over-the-top' communication service providers like Skype and WhatsApp were subject to the e-Privacy Directive.
"Many telcos are active beyond voice and messaging and differences in data protection rules are a relevant issue across the entire market," it said.
Shortcomings with the current rules on location data processing were acknowledged in the report published on behalf of the Commission. "Location based services that are offered to members of a private network are not governed by the provisions of … the e-Privacy Directive, even though privacy risks may be the same or even greater," it said.
The report called on the Commission to ensure that a revised legal framework on e-Privacy in the EU sets rules on location data processing that apply equally to "all services provided via public or publicly available private communications networks that collect and further process" such data.
In practice, this would mean that the restrictions on location data processing would apply "in the context of information society services provided via all kinds of mobile apps … even if the location data are not resulting from the public electronic communication network or service as such, but via other techniques such as Wi-Fi network proximity or IP-address databases".
Adopting this approach would alter the existing position, which was clarified in a 2011 opinion issued by the Article 29 Working Party (20-page / 109KB PDF), a committee made up of representatives of the national data protection authorities based across the EU. In its opinion, it stated that the e-Privacy Directive "does not apply to the processing of location data by information society services, even when such processing is performed via a public electronic communication network".
The move would give the GSMA and ETNO the regulatory level playing field they desire, but the specific legal framework, and fundamental restrictions, on location data processing would remain in existence in the telecoms sector and also have wide-ranging affect in the e-commerce environment.
Cookies
Some provisions of the existing e-Privacy Directive already do apply to information society service providers. They include the rules on the use of 'cookies', which are small text files that store details of internet users' online activity.
Website operators often use cookies to record user behaviour for the purpose of analytics or to deliver personalised content, whilst advertisers also use cookies to deliver targeted ads based on users' prior interactions online.
The e-Privacy Directive requires businesses to obtain consent before placing cookies on consumers' devices.
The Directive permits the storing and accessing of information on users' devices "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". An exception to the consent requirements exists where the information stored, often in cookies, is "strictly necessary" for the provision of a service "explicitly requested" by the user.
The rules have meant that internet users are often now prompted by pop-up messages or banner notices on websites that highlight the potential tracking of their online activities through cookies.
The new report for the Commission said that the effect of those "warning messages" would "substantially increase" if they only appeared in "situations where there is an interference with users' privacy (including websites serving third party cookies for behavioural advertising purposes, excluding analytics cookies)".
The new e-Privacy rules could, the report said, expand on the exceptions to the cookies consent rule that currently apply. A new exception could be created to take away the need for cookie warning messages to be displayed, and consent obtained, if cookies relate "to the purpose for which the user is navigating on the site", it said. However, there is a question over how that exception could be provided for in practice.
If the report's recommendations were implemented, website operators would also be free to use cookies for the exclusive purpose of "website usage statistics" without having to obtain users' consent.
Under the plans, though, website operators and other cookie users would have to obtain explicit, specific, active and prior consent from device users to use cookies "or similar techniques" to track their online activities for direct marketing purposes.
New rules on unsolicited direct marketing?
The current e-Privacy Directive sets out strict rules designed to curb unwanted nuisance marketing calls, spam text messages or emails.
Businesses using automated call systems, fax or email to conduct direct marketing activities are prohibited from doing so except where they have the prior consent from prospective recipients of those communications.
In the case of email, the Directive does permit businesses' direct marketing of products or services to consumers who bought, or negotiated for the purchase of, similar ones from them where they have obtained their email address in the course of that earlier sale or negotiation, although consumers retain the right to opt out from receiving such promotions.
Under the framework, organisations are generally prohibited from sending all other unsolicited direct marketing communications to consumers without their consent. However, for those communications, EU countries have the choice of imposing an opt-in or opt-out consent requirement. In the new report, the Commission has been advised to keep this choice open to EU countries when it comes to propose changes to the e-Privacy rules.
The Commission has, though, been advised to alter the direct marketing rules for email communications. The Commission should ensure the new regime requires all direct marketing emails "transmitted via information society services" to only be sent on the basis of prior consent by the recipient, the report said.
This requirement, it said, should apply regardless of whether the marketing messages are contained in the "message body or attached in a separate document".
The new e-Privacy rules should not prevent businesses sending emails containing newsletters or other messages to consumers without such consent so long as they are "primarily sent for a different purpose, other than direct marketing", it said.
Businesses should not be forced to obtain prior consent from data subjects to engage in "personalised online advertising" under the new regime, according to a recommendation made to the Commission in the report.
A new e-Privacy Regulation?
The study commissioned by the Commission highlighted differences in the way EU countries have implemented the current e-Privacy Directive into national law. This means that national rules on the use of cookies, the processing of traffic and location data, and unsolicited direct marketing communications, for example, "have a different scope of application" than is contained in the Directive, it said.
To address this issue, and to ensure the new e-Privacy framework sits easily with the new General Data Protection Regulation, the researchers behind the study encouraged the Commission to replace the current Directive with an e-Privacy regulation, an approach that the UK government has already said it is not in favour of.
A regulation has direct unilateral effect in the EU, whereas a directive needs to be implemented into national laws by each of the EU countries.
Adopting a regulation would reduce the complexity in the interrelation between the new data protection regime and the e-Privacy rules, the report said. It could also mean that the 'one stop shop' mechanism proposed for handling enforcement matters under the new General Data Protection Regulation could also be used as the framework for regulating businesses subject to the e-Privacy regime, it said.
There is severe scepticism from some governments across the EU, including the UK and Ireland, about the one stop shop mechanism under the General Data Protection Regulation. Those countries have concerns about possible bureaucracy, delays in decision making and consumer redress as well as regulatory uncertainty for businesses.
With a review clause in the finalised General Data Protection Regulation to ensure the effectiveness of the planned system of enforcement can be scrutinised, law makers will want to consider whether regulation of e-Privacy should be kept separate from the one stop shop regime until that how that regime works in practice has been evaluated and shown to be effective.
Marc Dautlich is an expert in information law at Pinsent Masons, the law firm behind Out-Law.com.