The latest draft of the forthcoming EU e-Privacy Directive has been leaked. The legislation, which will replace the existing EU Directive 2002/58/EC, will safeguard “in particular the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector and to ensure the free flow of movement of such data and of electronic communications equipment and services in the EU.” The new Directive, which addresses 21st Century technological phenomena such as the Internet of Things, will complete the latest stage in the development of EU data protection law and will accompany and complement the forthcoming GDPR. This synergy is plainly evident throughout the draft document, for example:
Article 9 – Consent
1. “The conditions for consent provided for under Article 7 of Regulation (EU) 2016/679/EU shall apply.”
Article 25 – General conditions for imposing administrative fines
1. “For the purposes of this Article, Chapter VII (incorrect – should read Chapter VIII) of Regulation 2016/679/EU shall apply to infringements of this Regulation.”
The existing Directive was last updated in 2009, and is transposed into Irish law as S.I. 336 of 2011.
Of course, the communications sector has evolved considerably during the past seven years, particularly with regard to online communications services offered by companies such as WhatsApp, Facebook and Skype. It is these service providers which will face increased regulation under the new law which will extend to include online messages, known as OTT (Over-The-Top) services when the Directive is rolled out in 2018 (estimated). The current legislation is presently limited to telecom companies only – a source of contention for years within the industry.
According to the draft document, internet-based communication services will be required to obtain users' consent and offer confidentiality of communications when handling customers' data (including location data):
3.4 Impact assessment
“Enhancing protection of confidentiality of electronic communications by means of a technologically neutral definition, which extends the scope of the legal instrument to include new functionally equivalent electronic communications services. In addition, the Regulation enhances users’ control by clarifying that where consent is requested, it can be expressed through appropriate technical settings.”
Moreover, the new legislation aims to remove the obligation on websites to ask visitors for permission to place cookies on their browsers via a banner if the user has already consented through the privacy settings of the web browser. Cookies are placed on web browsers’ computers and possess information about the user, such as what other websites they have visited or where they are logging in from.
Recital 27:
"If browsers are equipped with such functionality, websites that want to set cookies for behavioural advertising purposes may not need to put in place banners requesting their consent insofar as users may provide their consent by selecting the right settings in their browser.”
Recital 28:
“While such banners serve to empower users, at the same time, they may cause irritation because users are forced to read the notices and click on the boxes, thus impairing internet browsing experience. “In the case of no active choice or action from the user, the web browser shall be set so that it blocks by default the storage of third party cookies or other types of trackers.”
Inevitably, this proposed legislation will undergo umpteen redrafts and amendments before a final text is agreed. Such an important piece of legislation which affects the business of such powerful stakeholders such as those listed above, will no doubt be subject to intense lobbying, as was the case with the GDPR which earned the dubious honour of being the most heavily-lobbied piece of legislation in the history of the EU before being finalised earlier this year. As the new Directive takes shape, we will report on these changes which will have affect us all. Watch this space…