Our digital footprint – and who can access it – continues to be a catalyst for legal debate. The European Union (“EU”) application of right to privacy is enshrined under Article 8 of the European Convention on Human Rights, as well as the Charter of Fundamental Rights of the European Union. The counter-argument can be seen through the lens of an increasing array of incidents within/outside the EU, as well as the interests of businesses and other enterprises that depend on the dissemination of personal data. The result is a balanced network of broad reforms proposed for the existing regulatory framework.
Legislation regulating the use of digital communications has been periodically refined to reflect advances in technology, and changes to user habits. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “e-Privacy Directive”) forms part of the Regulatory Framework for Electronic Communications, and was first adopted in 2002. In light of shifting trends in digital communications, the e-Privacy Directive was updated in 2009 (implemented in force by all Member states as of January 2013).
Article 3 of the e-Privacy Directive states it will apply to ‘the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices.’ Despite this wide scope for ensuring protections in the digital communications sector (inclusive of text, videos, images and sounds), the EU Parliament has acknowledged that, notwithstanding the amendments made in 2009 – which included provisions for ‘cookies’ and similar web-history tracking technology – the status quo is believed to not ‘reflect recent evolutions in the sector and in consumers’ habits’. The final draft of the proposed updates was published on 10 January 2017, and unlike its predecessor would be a EU Regulation (not a Directive), and thereby apply directly across all Member States upon its accession – taking priority over domestic legislation.
What remains [at least mostly] the same?
The European Commission (“EC”) recently identified several issues over the previous iterations of the e-Privacy Directive, and in seeking to bring this legislation more in line with the recently-adopted General Data Protection Regulation (GDPR) it allowed that the Directive as it stands resulted in inconsistent enforcement of fines and division of domestic policies across Member States. It also recommended expanding the scope of the legislation to ensure the Regulation reflects market changes – and to make confidential information more secure. That being said, some policies remain relatively unchanged.
- Substantial fines: The previous Directive applied to entities located anywhere in the world that provide ‘electronic communications services’ to, or gather data from end users within the borders of the EU. The consequences of breaching this protocol – at least for businesses who want to continue trading within the biggest market in the world – can be relatively dire, with significant penalties weighed against the annual turnover of both individual vendors and large corporations. Under the Regulation, this regime would be enhanced – the liability for the corporation, business or other entity breaking the rules with regard to confidentiality of communications would rise from 2% of total annual turnover or €10million to 4% of annual turnover or €20million; the end user would also be given the right to directly sue for ‘material or non-material’ damage.
- Rules for e–marketing: in short, rules governing e-marketing –the use of digital services such as emails and other electronic communications to send marketing information to a device such as a tablet, smartphone or computer – have not been altered. Consumers will still have to ‘opt-in’ by giving explicit consent to any marketing content, save in limited cases – such as when there’s already been a previous purchase from the entity selling the goods. Some slight changes have been included with regard to marketing calls; however, Member States are given the right to opt in or out of this aspect of the proposed Regulation.
What’s going to change under the proposals?
- Content and ‘Metadata’: the Regulation would allegedly allow for new, more effective rules to govern both content (which in the current sense means what the communication said – for instance, what was contained in your email) and ‘metadata’ (e. the data used to identify the communication by the time, date or individuals addressed). Except in ‘very limited’ circumstances – such as when both consent was given and the interception/transmission of data was necessary for the completion of business – the passing on of such data will be prohibited without the express consent of the consumer/user.
- Tracking Controls: Changes to cookies and tracking controls comprise one of the most significant changes under the new Regulation. Explicit consent from the user for particular types of tracking tools – most explicitly cookies (small data files that are sent by websites, afterwards saved on the browser’s computer) – was added via the 2009 update to the Directive. Rules of the Regulation have been further enhanced to ensure all tracking tools are covered in the Regulation – inclusive of things that aren’t necessarily stored on the user’s computer.
Perhaps as an acknowledgment of the usefulness of these files, the new rules would attempt to streamline this process through the use of blanket ‘do not track’ services that would be attached to browsers in lieu of automatically disallowing the tracking files to be downloaded. Websites would therefore need to keep in mind both the explicit consent of the person accessing the site – allegedly by clicking either a ‘yes’ or ‘no’ box (in other words, the user now gets a choice, and are allowed access regardless of whether they download the files), as well as their personalised browser settings.
When will the Regulation be passed?
The Commission had intended the uptake of the Regulation to be relatively speedy, with an original ‘in force’ date of May 2018. Recent updates by the European Council have cited concerns as toward the possible duplication or overlap with other legislation (such as the GDPR) next year, stating that this outcome is perhaps a bit too ambitious. Nevertheless, the Working Party chosen to review the Regulation welcomed the broad scope of amendments included therein – as well as the explicitly narrow exceptions with regard to consent. As such, those who regularly utilise data earmarked for further scrutiny under this proposal should already prepare for significant changes.