The Article 29 Working Party (WP29) (consisting of data protection regulators from the 28 Member States) has adopted an Opinion 01/2017 on the proposed e-Privacy Regulation, which will repeal and replace the e-Privacy Directive. Whilst the WP29 welcomes the proposal, it identifies several points of concern, and sets out how the proposal can be improved.
The WP29 lists the positive aspects of the proposal as:
- The choice for a regulation as the regulatory instrument, which ensures uniform rules across the EU, and complements the GDPR.
- The enforcement of the proposed Regulation and the GDPR by the same supervisory authority (i.e. the Data Protection Authority).
- The alignment of fines under both instruments.
- The removal of specific data breach notification rules from e-Privacy legislation, which prevents unnecessary overlap with the data breach requirements of the GDPR.
- The focus on providing an equal level of protection to all end-users, dispensing with the notion of differentiating between “subscribers” and other end users of electronic communications.
- The expansion of the scope of the proposed Regulation to include Over-The-Top (OTT) providers.
- The clear definition of “electronic communications data” as covering all content as well as associated metadata.
- The legal assumption that analysis of content is high-risk processing, and always requires prior consultation with the (lead) Data Protection Authority.
- The continued recognition of the importance of anonymisation.
- The broad formulation of the protection of terminal equipment – any interference with terminal equipment requires the consent of the end user, subject to certain exceptions.
- The preferences expressed in an individual’s browser settings are enforceable against a third party that fails to abide by them, as set out in the recitals. However, the WP29 asserts that this should be laid down in a relevant provision of the proposed Regulation rather than only in the recitals.
- The inclusion of legal persons in the scope of the proposed Regulation, thus allowing Data Protection Authorities to take action in cases where legal persons are a victim of infringement, for example corporations receiving spam, or having their communications surreptitiously monitored.
- The clarification that internet access and (mobile) telephony are essential services and providers of these services cannot “force” their customers to consent to any data processing unnecessary for the provision of the essential service itself. However, the WP29 is concerned that this clarification is too narrow, as services from certain OTT providers may also be considered as essential services, and the Regulation should also specifically prohibit take-it-or-leave-it choices in other circumstances.
The WP29 has expressed several concerns with the proposed Regulation. It would like four key issues of grave concern, which in its view undermine the protection accorded by the GDPR, to be addressed:
- Stronger rules on obtaining user consent to Wi-Fi device tracking are needed – The obligations in the proposed Regulation for the tracking of the location of terminal equipment should comply with the GDPR requirements. The Regulation merely requires the display of a notice in order to collect information emitted by terminal equipment, and the data controller must indicate any measures end-users can take to minimise or stop the collection. The European regulators note that tracking under the GDPR is likely either to be subject to consent, or may only be performed if the personal data collected is anonymised. The WP29 calls on the Commission to promote the development of technical standards for devices to automatically signal an objection against such tracking, and to ensure that adherence to such a signal is enforceable.
- Conditions for analysis of content and metadata must be elaborated – The WP29 would like stricter controls on the processing of user metadata (and an expanded definition of that term). The European regulators state that the same high level of protection must be accorded to content and metadata. They state that the starting point should be that it is prohibited to process both metadata and content without the consent of all end-users (i.e. sender and recipient). Processing without consent should only be allowed, if strictly necessary, for certain purposes, such as spam detection/filtering, or to provide services requested by the end-user, such as text-to-speech and translation services.
- Privacy by design and by default is required in devices – The WP29 would like manufacturers to ensure that devices and software by default offer privacy protective settings, to discourage, prevent and prohibit unlawful interference. The European regulators believe that the Regulation undermines, with regard to communications and device data, the principles of privacy by design and by default introduced by the GDPR.
- Cookie walls should be banned – The WP29 submits that the practice of blocking access to a website if a cookie is not accepted should be expressly prohibited.