Nearly a year ago, on 10 January 2017, the EU Commission released the proposed ePrivacy Regulation (ePR). The three main areas covered by the legislation are the use of electronic communications data by telecommunications operators and other specified entities, the use of tracking applications, and unsolicited direct marketing communications.
The ePR aims to ensure a coherent, up-to-date framework capable of balancing economic interests and the privacy rights of natural persons reflected in Article 7 of the EU Charter of Fundamental Rights (CFR). Concerns have arisen from many quarters, however, that the proposed ePR is too prescriptive in some respects and too ambiguous in others, including with respect to the way in which the ePR will interoperate with the GDPR and the draft EU Electronic Communications Code.
Throughout 2017 the EU Parliament’s Civil Liberties Committee (LIBE) and the EU Council have negotiated their positions, while the European Economic and Social Committee (EESC), the European Data Protection Supervisor (EDPS), and the Article 29 Working Party have issued papers outlining their concerns and suggestions for clarification. For further information on the EU Commission’s proposal and subsequent development, see our prior client alert.
168 Proposed Amendments
On 19 October, LIBE’s adoption of the ePR Report, which includes a set of 168 proposed amendments to the original proposal from the Commission, put the committee draft before the full EU Parliament. A week later, the Parliament’s plenary voted in favor of it. Although the draft has a green light to move forward, the vote was close, with the LIBE Committee voting 31-24, with one abstention, and Parliament’s plenary voting 318-280, with 20 abstentions. Some of the proposed amendments include:
- Amendments 24 and 92 – Recital 22 and Article 8: Preventing the use of so-called “cookie walls” and “cookie banners” that do not help users to maintain control over their personal information and privacy or become informed about their rights. This would ban websites from denying users access to any service or functionality because they refused to consent to tracking cookies that process information that is unnecessary for the provision of that service or functionality.
- Amendment 29 – Recital 26(a): Extending the incorporation of the principles of security and privacy by design by promoting the use of end-to-end encryption to ensure the security and integrity of network and services. The Parliament also suggests that Member States should not be able to weaken the security of the network or services by the creation or facilitation of backdoors.
- Amendment 63 – Article 4(3)(f): Widening the scope of direct marketing communications to include any form of advertising, whether in written, oral or video format, whether sent, served or presented.
- Amendment 77 – Article 2(6): Requiring data protection impact assessments where a type of processing of electronic communications metadata, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
- Amendment 106 – Article 10(1): Requiring the default settings in software placed on the EU market to be set to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information.
- Amendment 122 – Article 11(c): Requiring providers of electronic communications services to record requests made by public authorities to access content or metadata and publish a report every year.
- Amendments 156-163 – Article 23: Applying administrative fines of up to € 20 million or up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of: (a) Article 5 principles of confidentiality of communications; (b) Article 6 processing electronic communications data obligations; (c) Article 7 time limits for erasure and confidentiality obligations; (d) Article 8 obligations for processing electronic communications; (e) Article 9 consent requirements; (f) Article 10 software enabling electronic communication obligations; or (g) Article 17 obligation to permit the retrieval and presentation of information on the internet. This widens the scope of infringement that would be covered by these potentially very large fines.
- Amendment 168 – Article 29: Changing the enforcement date from 25 May 2018, to one year from the date the Regulation enters into force.
Given the Issues Under Debate, Trilogue Phase May Take Some Time
The next stage of the legislative process is for the EU Council (Member States) to agree on its draft, at which point the two drafts will move to the trilogue phase, that is, negotiations between the Parliament and the Council, facilitated by the EU Commission. For the ePR to become law it will require approval by the Parliament and the Council. Although the goal is to have the final version of the ePR by the time the General Data Protection Regulation (GDPR) comes into effect on 25 May 2017, it is increasingly unlikely that this deadline will be met given the number of controversial issues that remain to be settled.
The marketing industry, in particular, is raising a number of concerns about the draft legislation. FEDMA, an organization that represents marketing interests, believes that the proposed ePR will compromise the prevailing Internet business model by restricting “data-driven ad revenue” and free content. FEDMA is further concerned that users will not benefit from ePR because they will be “exhausted, confused and unsure about what ‘granting consent’ actually means.”
On the other side of the debate, the Parliament’s former Rapporteur Marju Lauristin, and now her counterpart Birgit Sippel (German MEP), stand behind the ePR, stating that the fundamental privacy rights established by Article 7 of the CFR need to be protected. In her most recent interview, Sippel indicated that she is “very happy with the results achieved by Marju Lauristin.” She “aims to put users back in control of their communication data and wants to ensure that they are able to decide how their information is being used”, and she also wants to make Europe a place where “digital businesses and services [are governed] in a way that helps business and protects … user[s] at the same time.”
ePR Will Likely Come Into Force in 2019
It seems unlikely the final ePR will be ready by 25 May 2018 with one of the co-legislators, the Council, still in discussion (amongst Member States) about its own position. Consolidation of the Council and Parliament’s views will not be easy considering the different perspectives and strong opposition from business groups. Even if the text of the ePR is finalized by May 2018, it is unlikely that it will enter into force without a transition period. The period is not likely to be as long as that provided for in the case of the GDPR (two years).
Our Global Data Protection & Cybersecurity team and our EU Public Policy experts are carefully monitoring developments relating to the ePR and related legislation. Watch this space for further information on legislative developments relating to the ePR.