EU - Status of the proposed ePrivacy Regulation: Tighter cookie rules and more
The European Union is preparing new rules to protect online privacy. The rules are set out in the proposed Regulation on Privacy and Electronic Communications, which will accompany the wider reform of data protection laws under the General Data Protection Regulation. The proposals were issued at the start of the year and contain specific provisions on cookies, online marketing, and the use of content and metadata. We consider the status of these proposals and the recent assessment prepared for the LIBE Committee.
The proposed Regulation
The European Commission issued a draft of the Regulation on 10 January 2017 to replace the existing ePrivacy Directive (adopted back in 2002). As lex specialis it complements the general rules in the General Data Protection Regulation with specific rules applicable to the electronic communications sector.
The proposed Regulation has already attracted a good deal of interest. Both the Article 29 Working Party (here) and the European Data Protection Supervisor (here) issued opinions on it in April. More recently, various committees in the European Parliament have issued views on the proposals, the most substantive of which is an assessment by the IViR Institute for Information Law for the Civil Liberties, Justice and Home Affairs Committee (“LIBE Assessment”). This was released at the start of June and identifies four main issues:
- Cookie “tracking walls” should be prohibited, i.e. access to a website should not generally be conditional on accepting the use of tracking cookies.
- There should be stricter rules for Wi-Fi location tracking and similar device tracking.
- Browsers should have privacy settings enabled by default.
- There should be stricter rules on the use of content and metadata.
We consider these recommendations in further detail below. The LIBE Assessment is available here.
Timetable
The original proposal was for the Regulation to apply from May 2018, and thus coincide with the start date for the General Data Protection Regulation. However, it is very likely this date will slip.
One of the major challenges is that the proposed Regulation is tied to a wider reform of telecoms regulation (through the proposed Electronic Communications Code), and that reform is unlikely to be complete by May next year. To avoid further delay, the LIBE Assessment suggests decoupling the proposed Regulation from these wider telecoms reforms.
Key changes
Cookies
Under the current ePrivacy Directive, website operators must obtain consent from users to the use of cookies unless the cookie is strictly necessary for the operation of the website or transmission of a communication. The proposed Regulation suggests a number of changes:
- Consent harder to obtain – Consent to the use of cookies must meet the same standard as set out in the General Data Protection Regulation. This means that there must be a clear affirmative action. Existing practices, such as showing a website banner stating that continuing to use the website constitutes consent, may therefore need to be revisited.
- Browser fingerprinting – The rules on cookies will also apply to “browser fingerprinting”, a process that seeks to uniquely identify users based on their browser configuration (without actually setting a cookie on that browser).
- Limited exception for analytics – There will be an exemption for website analytics, recognising that this is not an intrusive activity. However, it will only apply to analytics carried out by the website provider. It is not clear if third-party analytics cookies, like Google Analytics, will benefit from this exemption.
- Browser requirements – Browsers must contain cookie controls and users must choose those settings as part of the installation process. In theory, these settings could demonstrate consent to certain cookies, though there appears to be little appetite from regulators to accept browser settings as sufficient. This provision is also drafted in very broad terms and includes any software that permits electronic communications, potentially capturing a broad range of other devices, such as those forming part of the Internet of Things.
The current rules on cookies have not been universally popular. The Regulation itself suggests that users are “overloaded with requests to provide consent”.
While these changes are only likely to increase this consent burden, the LIBE Assessment suggests they should go further and prohibit “tracking walls” – i.e. prevent websites from making access conditional on the acceptance of tracking cookies. It also suggests that browsers should be set to block tracking cookies by default.
Wi-Fi tracking
The proposals contain new provisions addressing Wi-Fi and other types of device tracking. These technologies allow the location of a device to be monitored by recording details of the MAC address for that device (or similar) as it is carried about by its owner.
The proposed rules are surprisingly liberal. Tracking is permitted so long as the information is collected to provide a connection (suggesting this is limited to genuine Wi-Fi services) and suitable notice and opt-out mechanisms are in place.
This has attracted fierce criticism. The Article 29 Working Party has “grave concerns” about this approach. The LIBE Assessment suggests tracking should only take place if the individual consents or the information is made anonymous.
Electronic direct marketing
The proposed Regulation contains a number of restrictions on electronic direct marketing to natural persons. This builds on the restrictions in the current ePrivacy Directive on marketing by email, SMS, fax and telephone. The key changes proposed by the Regulation are:
- Online marketing – The proposed Regulation will also apply to targeted online advertisements, for example website banners or in-app adverts. These advertisements require consent. While this feels like a significant change, in practice it is likely to be closely tied to the new rules on cookies set out above. Targeted advertising is likely to require the use of cookies, which will require consent in any event.
- Consent harder to obtain – The general rule is that consent will be needed for electronic direct marketing and that consent must meet the standard set out in the General Data Protection Regulation. However, there are two key exceptions: (i) email marketing will still be allowed where there is an existing relationship under the similar products and services exemption; and (ii) Member States can remove the requirement for consent for telephone marketing. In practice, the UK is likely to remove the need for consent but retain the Telephone Preference Service as a general means of opting out of such marketing.
- Telephone marketing – The proposal suggests a caller must present the identity of the line, or a specific code or prefix indicating that it is a marketing call.
These proposals are broadly similar to the existing rules in the ePrivacy Directive and so are less controversial. However, the LIBE Assessment suggests greater clarity is needed in relation to online marketing (for example, whether that captures contextual online marketing as well as behavioural online marketing).
Electronic content and metadata
The most significant changes are to the rules on the use of content and metadata. The proposals contain strict restrictions on when this information can be used, as set out in the table below.
Electronic communications content | Electronic communications metadata
Use allowed: | Use allowed:
In either case, use allowed:
These proposals have also proved controversial. Some industry bodies say they fail to reflect the fact that electronic communication providers are no longer passive conduits. Instead, they provide, and customers expect, a range of sophisticated services that need to access content and metadata (for example spam filtering, scheduling and AI assistant tools).
In contrast, the LIBE Assessment calls for greater controls. It suggests that content and metadata should only be used in more limited circumstances and that, outside these limited circumstances, consent from all end-users is required, i.e. the customer and the third party to the communication. However, getting consent from third parties would be a challenging proposition in practice.
Scope and sanctions
The proposed Regulation will expand the scope of these rules. They will not just apply to traditional telecoms companies but also to OTT (over-the-top) providers, such as WhatsApp. Similarly, the proposals have an extra-territorial effect and apply to services provided to end-users and devices in the European Union, regardless of where the provider is based. If the provider is outside the European Union, it must appoint a representative within the European Union.
There will also be a step change in sanctions. Breach of the rules protecting user content and metadata will be subject to fines of €20m or 4% of annual worldwide turnover. Breach of the other provisions of the regulation can result in fines of €10m or 2% of annual worldwide turnover. These sanctions match those in the General Data Protection Regulation and are intended to make privacy a board-level issue.
The proposed Regulation on Privacy and Electronic Communications is here.
By Peter Church, London