EU policy makers begin review of e-Privacy laws, including rules on cookies

Out-Law News | 15 Apr 2016 | 2:42 pm | 3 min. read

EU laws on privacy and electronic communications (e-Privacy) could apply to new communications services like WhatsApp and Skype in future, under plans being considered by the European Commission.

The Commission has opened a review of the EU's e-Privacy Directive (ePD) with a public consultation in which it has asked businesses and other stakeholders for their views on possible reforms. It has asked stakeholders whether a new e-Privacy framework is necessary and, if so, whether it should expand in scope to apply to 'over-the-top' (OTT) communication providers.

Currently the e-Privacy Directive's rules only apply to providers of publicly available electronic communications services in public communications networks.

Telecoms industry bodies, including the global mobile operators' association the GSMA and the European Telecommunications Network Operators' Association (ETNO) have repeatedly expressed concern that the rules are unfair on that basis since OTT communication providers face less stringent obligations, including fewer restrictions on their use of traffic and location data to provide consumer services.

"The ePD applies to traditional telecommunication service providers (i.e. providers responsible for carrying signals over an electronic communications network)," the Commission said. "It does not apply to the so called over-the-top providers (hereinafter 'OTTs') that provide (functionally equivalent) communications services (e.g. Voice over IP, instant messaging) over the internet. The review should assess whether this situation should be changed."

Last month telecoms law expert Diane Mullenex of Pinsent Masons, the law firm behind Out-Law.com, said EU policy makers would be wrong to regulate 'over-the-top' (OTT) communication services in the same way as they do traditional telecoms operators.

The Commission first outlined its intention to reform the e-Privacy Directive in 2014. Earlier this year data privacy law expert Marc Dautlich of Pinsent Masons took a detailed look at a study on the EU's e-Privacy framework carried out on behalf of the Commission and published last summer. The report on that study suggested that wide-ranging changes to the e-Privacy regime are possible, including to rules on the use of cookies, direct digital marketing and on the processing of location data. The Commission's new consultation addresses each of those issues.

The current e-Privacy Directive (ePD) generally requires businesses to obtain consent before placing cookies on consumers' devices. The rules have meant that internet users are often now prompted by pop-up messages or banner notices on websites that highlight the potential tracking of their online activities through cookies.

In the Commission's consultation, consumers are asked to specify the circumstances in which they want to be asked for their consent to the processing of their personal data, including cookies, when using "smart devices".

The use of tracking cookies, which lets companies store and access information on internet users' devices, so as to glean insights on the type of information and content those users are viewing and potentially interested in online, is also highlighted by the Commission. To minimise disruption to the "internet experience" but ensure consumers retain an "ability to consent" the Commission said one option might be to require manufacturers of internet browsers and operating systems to "place on the market products with privacy by default settings (e.g. third party cookies off by default)".

Other options to address the issue could be to set new legislation "defining mechanisms for expressing user preferences regarding whether they want to be tracked", ordering new technical standards to be produced, prohibiting "specific abusive behaviours, irrespective of user's consent" or supporting a self-regulatory framework on tracking cookies consent, it said.

The Commission also asked stakeholders whether website operators and other providers of 'information society services' should be able to "deny access" to internet users that refuse to accept cookies, or whether they should be "required to make available a paying service (without behavioural advertising), as an alternative to the services paid by users' personal information".

The Commission said that ensuring that EU e-Privacy rules "complement" the new General Data Protection Regulation is one of the issues "potentially needing to be addressed" through its review. The review will also "consider options to improve the effectiveness, efficiency, and coherence of the relevant provisions" as well as how to address "inconsistent enforcement and fragmentation", it said.

The consultation is open until 5 July. The Commission said it would "use the feedback from the consultation to prepare a new legislative proposal on e-Privacy". This is due to happen before the end of this year, it said.