Despite recent news stories that the Commission is due to imminently release proposed reforms to the Directive on Privacy and Electronic Communications, commonly known as the e-Privacy Directive ("Directive"), all has seemingly gone quiet. At a recent event in Brussels attended by Fieldfisher's own Gaëtan Goossens, we learnt from Commissioner Rosa Barcelo (DG Connect) that it should be published in mid-January 2017 but that this is not a hard deadline. We examine the responses to the Commission's consultation on the reforms to gauge what the new draft Directive may or may not say – when it finally arrives.
What is it?
The Directive originally introduced a range of obligations for electronic communications service providers ("telcos") covering security, cookies and direct marketing back in 2002. It was amended in 2009 to reflect changes in technology not covered by the Data Protection Directive ("DPD") and, in particular, to introduce new 'consent' requirements for cookies.
The current obligations include a duty on telcos to provide secure services, maintain confidentiality, erase traffic data, notify the relevant Data Protection Authority of any data breaches, maintain an opt-in regime for electronic marketing, and the controversial cookies requirements. Because it is a Directive, the requirements (such as that to obtain "consent, having provided clear and comprehensive information") were of course interpreted differently by different Member States, leading to divergence in rules for multinationals across the EU.
These inconsistencies, as well as the advancements in technology since 2002 and the upcoming changes in the GDPR, are the key drivers for reform.
It has been a longstanding gripe of traditional telcos that new 'over the top' ("OTT") operators, such as Skype and WhatsApp, provide internet-based phone, email and instant messaging services that are more lightly regulated – particularly when many of these 'new' players are Internet giants, and not novices working out of a Palo Alto garage.
In addition, the current Directive has also been criticised for creating a parallel regime with some obligations that overlap with the DPD such as data retention and objection to marketing. Similarly, breach notification, already required under the Directive for telcos, will soon become obligatory for all businesses under the GDPR – raising questions as to whether a separate data breach notification regime under the Directive is still required.
What happened at consultation stage?
Before the ink was even dry on the finalised GDPR text (in fact, two weeks before it was finally adopted), the Commission launched a public consultation on reforming the Directive. It received 421 replies: 40% of respondents were members of the public and approximately the same proportion were trade bodies or industry members.
The results highlight the predictable differences in opinions between citizens, industry and public authorities (which included Data Protection Authorities such as the UK's own ICO): when asked whether the rules should be extended to cover OTT providers, the proportion of those agreeing was 76%, 43% and 93% respectively. When asked whether telcos should not be able to refuse access to services if users refuse to store cookies, the respective proportions agreeing were 77%, 25% and 70%.
The Commission published its summary of the consultation in August, though the detailed analysis won't be available until "autumn". However, individual responses are available in full by following links on the Commission summary page.
What did telcos think?
Other than supporting the extension of the Directive's reach to OTT operators, telcos are otherwise, unsurprisingly, critical of any suggestion of expanding the Directive. There is a consensus that any such expansion is redundant in light of the GDPR, and that the Directive is already outdated, as any reform would be, because it is not principles-based. The industry favours a move towards self-regulation and being led by the markets rather than further innovation-stifling regulation. Microsoft stated "Features like encryption, that people want should be driven by market forces, not legal requirements." However, citizen advocacy groups do not agree with the suggestion that market forces alone are sufficient to drive adequate protection of their data through communications services and want to see stronger regulation.
Telcos feel that, even when the reforms are finally published, negotiated and adopted, harmonisation in this area will not be improved because (i) the Commission has suggested a Directive which will be implemented differently across different Member States, and (ii) the GDPR already covers and could contradict the objectives of the Directive. This, despite the stated aim of the Commission to bring the Directive in line with the GDPR. BT declared "Enhanced protections provided by the GDPR are sufficient – and harmonisation of the rules is essential which is what the GDPR achieves". Microsoft agreed "many of the EPD's measures will become unnecessary – or worse, confusing – following the GDPR's entry into force".
If the rules are to remain, however, telcos all agree they should be extended to OTT players – although they emphasise different reasons. T Mobile stated "OTTs benefit from less regulation while telecoms accordingly have less flexibility to innovate". Vodafone added "Measures should apply to an organisation based on the functionality they provide, not the sector they are in or technology they use". Predictably, OTT operators themselves are reluctant to see this. Facebook argued that "The GDPR deals extensively with the circs for data collection and processing, collection of user consent and general transparency measures towards users. Therefore, in our opinion there is no need to retain the ePD".
They were all, however, united in their opposition to further (or even any) regulation regarding cookies. Advertising provides essential funding for their services, and data processing is covered by the GDPR. Microsoft noted that cookies are becoming outdated anyway due to the growth of the mobile and app economy. Even the ICO agreed "These issues are addressed by GDPR…Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual."
What's happening now?
Despite the Reuters story, no official announcements have been made. The summary report on the Commission page provides some indication of its intentions. It emphasises the facts that the responses agreed special rules for electronic communications are required, that they should be extended to OTT providers and that individuals should be allowed to use services even if refusing cookies. For a concise analysis of the likely reforms please see my colleague Yuli's excellent article in the September edition of the Privacy & Data Protection Journal.
As a lot of expensive compliance work is at stake here, interested parties are understandably lobbying to have their views heard. Telcos and OTT providers struggling to grasp their GDPR requirements do not want an additional layer of obligations. The Commission will be keen to get this right, and will want to build on the momentum gained by the recent adoption of the GDPR. Cookies could be back on the menu soon – watch this space!
Update January 2017
The Commission's initial draft of the new proposal was first leaked in December then published last week. As predicted: it's a Regulation, it applies to OTT providers and it aims to harmonise with the GDPR. Cookie rules still remain! For more details see my colleague Phil's pithy summary here.
[with special thanks to Trainee Solicitor Caroline Ellard for her help in preparing this post]