Protecting Privacy Online: GDPR and e-Privacy Directive Revisited

October 16, 2016

The transformative potential and the central role of data in the digital economy have long been recognized by businesses and are gradually being understood by policy makers as well. Implications of this development can be seen in an increasing number of areas. In consumer law, for instance, provision of data has recently been recognized as consideration (counter-performance) in contracts for the supply of digital content. Data protection violations are also discussed in the updated guidelines on the Unfair Commercial Practices Directive. In competition law, the role of data is already being taken into account in merger decisions and might also become of importance when defining the dominant position of an undertaking. How tricky the area can be is best illustrated by the 2014 Facebook/WhatsApp merger, which was cleared by the European Commission on condition that WhatsApp’s privacy standards were not undermined. However, recent changes in WhatsApp’s privacy policy suggest that Facebook is not eager to give up the potential of these data sets so easily. WhatsApp will continue to encrypt messages exchanged through the application and will not share user data directly with advertisers. It will, however, do so with Facebook and its ‘family of companies’ so that the latter can ‘improve [user] experiences within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads’. Perhaps to make up for this, Facebook has recently launched its new functionality: secret conversations. Facebook users may now choose to encrypt their messages so that in theory no one, not even Facebook itself, can intercept them. Irrespective of the motivation behind it, Facebook’s business decision appears particularly timely given the recent data protection reform in the EU and the upcoming review of the e-Privacy Directive.

The interplay of GDPR and e-Privacy Directive 

Over the years, the EU has remained at the forefront of the global debate about personal data protection and privacy. Data Protection Directive 95/46/EC introduced a standard centred on the rights and freedoms of individuals and provided a basis for the approximation of national laws on the processing of personal data. While the directive had already anticipated some of the challenges associated with the emerging information society, the scale of these developments was scarcely conceivable at the time. Specific rules addressing the electronic communication sector were subsequently included in Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). That directive formed part of a broader telecom package and was intended to particularise and complement the Data Protection Directive with respect to privacy and personal data protection by providers of publicly available electronic communications services. The e-Privacy Directive has been amended once, in 2009. In its present shape it addresses the following set of issues: confidentiality of communications, security of networks and services, data breach notifications as well as requirements regarding, among other things, unsolicited commercial communications (spam), the storing of information in subscribers’ terminal equipment (Article 5(3) – the source of the ubiquitous cookie walls) and the processing of traffic and location data.

In April 2016 the General Data Protection Regulation (GDPR) was adopted with the aim of replacing the Directive 95/46/EC and bringing the data protection framework in the EU up to date. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the GDPR strengthens the conditions for a valid consent, ensures that data subjects are provided with information and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also includes a widely cited ‘right to be forgotten’ and the equally important right of data portability. All these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift as they not only require data controllers to ensure data protection compliance ex ante (ie already at the planning stage), but also to design standard settings in a way that only the minimum amount of personal data necessary is being processed. The GDPR also elaborates on the data controller’s obligation to ensure data security and report data breaches.

In line with the previous data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the GDPR is an increasingly comprehensive regime with an intentionally broad scope of application. The interplay between the GDPR and the e-Privacy Directive is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

As a result, the e-Privacy Directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations carried out in this context. A consumer-oriented analysis was, as usual, submitted by the European Consumer Organisation BEUC. The European Data Protection Supervisor (EDPS) and the Article 29 Data Protection Working Party (WP29) have also presented their positions. All three documents are discussed further below. 

Need for revision, type of the legal instrument and its scope

While recognising the important developments within the framework of personal data protection, BEUC, the EDPS and WP29 remain convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector. As regards the type of legal instrument, BEUC and EDPS are clearly in favour of a regulation while WP29 does not show a strong preference but emphasises the importance of the e-Privacy Directive’s clarity and unambiguity.

Most of the e-Privacy Directive rules apply to the provision of publicly available electronic communications services in public communications networks, ie services that members of the public can sign up to in order to send or receive electronic signals, for instance by entering into a phone contract or an internet service contract.  These services are provided by the so-called pipeline providers, such as telecom companies or internet access providers. WP29 rightly notes that already under the current legal framework several e-Privacy Directive rules have a broader scope of application and remain of relevance to all organisations carrying out certain activities – eg unsolicited direct marketing (Article 13) or accessing or storing information on a user’s device (Article 5(3)). However, an important part of e-Privacy Directive provisions, in particular those relating to confidentiality and security, is limited to the pipeline providers, which can be subject to criticism.

BEUC, EDPS and WP29 take the view that the scope of the e-Privacy Directive should be extended to cover both traditional electronic communication services and other functionally equivalent services. This refers in particular to the so-called over-the-top (OTT) services, ie communications and content delivery services and applications that end-users access using their own internet connections, such as Voice over IP and instant messaging (Skype, WhatsApp, Messenger, Viber, FaceTime). WP29 yet again places emphasis on clear definitions and notes that OTT is, in fact, a very broad term and should be applied with caution. At the same time, WP29 argues that specific rules for location and traffic data should be expanded even further, and apply to all organisations. EDPS generally calls for a bold approach and notes that services which allow individual communication in addition to other offerings (eg messaging functionalities in gaming) could also be considered.

It is worth noting that the views of the industry on this topic are more divided. According to the European Commission, 43% of the industry respondents consider that the rules of the e-Privacy Directive should be extended to OTTs, while 42% are against such an extension. The Information Technology Industry Council (ITI) has submitted a separate position paper on this issue, which deserves a special mention. Among major UK-based trade associations, techUK, for instance, points out that the scope of e-Privacy Directive should not be extended ‘as the primary concerns are addressed by the GDPR, existing legislative mechanisms, expanded guidance from regulators and industry best practice’.

As regards the substantive part of the directive, the commentators generally agree that the act should continue to address issues such as confidentiality, security and unsolicited communications and propose targeted adjustments in each of these areas. 

Security and confidentiality 

According to BEUC, providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. At the same time, users should remain free to adopt additional protection measures. Both EDPS and WP29 stress that interception and surveillance should be interpreted in the broadest technological meaning, and include inter alia the injection of unique identifiers such as advertising identifiers or super cookies. This implies that the use of such tools should only be allowed with users’ prior consent. WP29 further elaborates that whenever the e-Privacy Directive requires user consent it should be given freely, which means that the user should be able to refuse consent and still use the service. This remains in accordance with the BEUC and EDPS proposals put forward in the context of cookies. WP29 also emphasises that the consent should, as a general rule, be granular.

While the need to ensure security of electronic communications seems undisputed, a potential overlap of the e-Privacy instrument and other pieces of legislation, in particular GDPR, NIS Directive and their implementing acts, should be taken into account. EDPS addresses this issue very briefly and concludes that the remaining acquis does not provide full coverage. Unfortunately it does not elaborate on this thought. Specific e-Privacy Directive rules could indeed be established to ensure the protection of confidential business information. At the same time, efforts should also be made to avoid complex overlapping legislation and unnecessary burdens. WP29 acknowledges this challenge to a certain extent, and recommends the removal of specific data breach rules provided for in the e-Privacy Directive (Articles 4(2) and 4(3)). WP29 also identifies a possible tension between the expanded consent requirements and high security standards and observes that the processing necessary for security purposes should not be hindered. As regards confidentiality, there seems to be a strong case to extend the scope of existing provisions at least to OTT-1 players, as this issue does not seem to be addressed elsewhere. Market developments, such as the default end-to-end encryption offered by WhatsApp, Apple’s iMessage and the opt-in encryption recently introduced by Facebook, demonstrate that the industry is perfectly capable of implementing privacy upgrades.

Accessing users’ devices to place a cookie 

WP29 rightly notes that Article 5(3) of the e-Privacy Directive is not limited to traditional pipeline providers but is extended to all parties which intend to store information or gain access to information stored on the user’s device. Both WP29 and BEUC recognize that tracking techniques are constantly evolving and some of them no longer require the storing of a separate file on the user’s terminal equipment. WP29 concludes that the scope of Article 5(3) should generally be broad and as technologically neutral as possible. At the same time, however, WP29 notes that, in cases where the processing does not have a significant impact on the users’ privacy, an opt-out mechanism could be sufficient. This could be the case for the less intrusive cookies (eg first-party analytic cookies) or, interestingly, where collected data are immediately and irreversibly anonymized. 

The approach favoured by BEUC appears to be less balanced. The organisation believes that super cookies should be forbidden altogether and the lifespan of other cookies should be linked to their purpose. Similarly to WP29, BEUC underlines that users should not be prevented from accessing services if they refuse the storing of identifiers that are not necessary to provide the service. This view is also shared by the EDPS, who, however, also considers a mid-way solution. According to the EDPS, the revised e-Privacy Directive could include a non-exhaustive list of situations where a choice will not be considered as freely given and allow the European Data Protection Board to provide further guidance on this issue.

Five years after the implementation of the cookie consent provision, it appears self-evident that the directive has failed to achieve the desired impact. The ubiquitous cookie walls essentially confront the users with a take-it-or-leave-it situation, and there is no doubt that something should be done about it. The proposals of WP29, BEUC and the EDPS are based on a similar assumption, which appears suitable to remedy the situation. At the same time, questions relating to the interface between the e-Privacy Directive and the remaining EU acquis continue to arise. Couldn’t the requirement to provide users with a clearer and more granular choice and to adhere to the principle of data minimisation already be derived from GDPR (now that many online identifiers are clearly in its scope)? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) of the e-Privacy Directive? To what extent could the collection of data for purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance which has actually elaborated on this matter? Before reopening the whole cookie debate once again, it would seem reasonable to first assess where we stand. 

Traffic and location data 

Since traffic and location data are generally regarded as personal data, the e-Privacy Directive mainly serves the particularisation of existing data protection norms. As the EDPS rightly notes, by requiring consent for the processing of these categories of data, the current e-Privacy Directive offers a higher level of protection than the data protection regulation. BEUC, WP29 and the EDPS are convinced that the prior consent of the user should remain a key principle regarding the collection of traffic and location data, thus limiting the other legal grounds laid down in GDPR. Furthermore, stakeholders agree that the scope of the rules on metadata should be extended to cover all parties and all traffic and location data. BEUC underlines that the requirement should in particular cover GPS location data and wi-fi network location data used by information society services in mobile devices. WP29 also notes that once provisions on traffic and location data (Articles 6 and 9 of the e-Privacy Directive) are merged, specific exceptions for marketing purposes and ‘value added services’ will no longer be necessary.

Stricter conditions for the lawful processing of traffic and location data along with specific requirements as to erasure or anonymization of data can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and by other information society services providers. At the same time, while understanding BEUC concerns about anonymization, it needs to be recognized that traffic and location data are essential for the proper functioning of many digital services. WP29 rightly notes that the processing of traffic and location data that are necessary to technically deliver a requested service does not necessarily pose a high risk to users. The working party also attempts to define conditions for adequate anonymization, which seems to be the right course of action. 

Unsolicited commercial communications 

According to the EDPS, WP29 and BEUC, current rules on unsolicited communications should be maintained, updated and strengthened. All types of marketing messages should be subject to the opt-in obligations, independent of the means (e-mail, voice or video calls, direct messaging etc.). Indeed, all these channels of communication share certain similarities. In practice, however, unsolicited commercial messages sent through social media or messenger apps do not seem to present a serious problem, and in this domain the issue of targeted ads displayed on users’ screens appears more pressing.

Conclusion 

Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in GDPR constitute a significant development in the data protection regime. In the technologically-mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (eg at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become ‘fundamental guiding principles in the online environment’. Similarly, WP29, which supports the EDPS on this matter, argues that ‘browsers and other software or operating systems should be encouraged to develop, implement and ensure effective user empowerment, by offering control tools within the browser (or other software or operating system) such as Do Not Track (DNT), or other technical means that allow users to easily express and withdraw their specific consent’. According to some authors, this aim could be achieved by introducing specific privacy rules into the contract law framework (ie the proposed Digital Content Directive and Distance Sales Directive – for IoT applications). Given the growing importance of data-driven business models this appears to be an interesting path. The European legislator should, however, also make sure that innovation is not killed on the way – and, to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary. 

Agnieszka Jablonowska is a PhD researcher at the University of Lodz, Poland and an LLM researcher at the European University Institute, Florence, Italy.

An early version of this text was published on recent-ecl.blogspot.com