Will a new e-Privacy Regulation clip the wings of the GDPR?

April 25, 2017 Arne Defurne

On the 4th of April, the Article 29 Working Party (WP29) issued its opinion on a proposed e-Privacy Regulation (ePR).

While they praise many elements (the choice of a Regulation, complementary to the GDPR, the same authority responsible for monitoring compliance, inclusion of OTT providers…), they do identify 4 key areas of concern, where the proposed Regulation would undermine the level of protection offered by the GDPR. The e-Privacy Regulation is complementary to the GDPR and is not meant to lower the level of protection offered to natural persons under the GDPR. The opinion of the WP29, however, shows that the articles of the Regulation don’t always reflect this:

1. Tracking of the location of terminal equipment. The person responsible for the collection of this data must only

(1) display a notice,

(2) implement security measures, and

(3) indicate the measures end-users may take to minimise or stop the collection of data.

Consequently, consent doesn’t seem to be required. Furthermore, there are no clear limitations regarding the scope of the data collection or how it is then processed. In contrast, under the GDPR, such tracking requires consent or needs to be (preferably immediately) anonymised.

2. The WP29 advocates for a prohibition of tracking walls. Tracking walls block access to a site until a user has consented to tracking. If he/she doesn’t consent, he/she won’t have access to the service. Such a ‘take it or leave it’ approach is rarely legitimate, as the WP29 has already stated in their previous opinion on the e-Privacy Directive.

3. The conditions under which the analysis of content and metadata is allowed. The Article 29 Working Party does not agree with the different levels of protection which are awarded to content and metadata, as both categories are highly sensitive. WP29 believes that metadata, like content, should only be processed when consent is obtained from all end-users, i.e. not only the sender, but also the recipient.

4. Terminal equipment and software should offer privacy protective services by default. The obligations in the Proposed Regulation are not equal to privacy by default. Instead, users should be given a clear opportunity to agree with or change the default settings during installation and in use. The privacy preferences in these settings must be able to convey specific consent and should not be limited to interference by third parties or cookies. Overall, the Article 29 Working Party recommends that adherence to the Do Not Track standard should be mandatory.

Aside from these 4 key areas of concern, the Article 29 Working Party identifies many others, like:

  • A need for an expansion of the territorial and substantive scope of the Regulation;
  • A further strengthening of the protection of terminal equipment;
  • Insufficient protection against direct marketing;
  • Doubt as to whether the Regulation will be ready by May 25th 2018;
  • Broadening of the possibilities to retain data;
  • Clarification on over 20 points to ensure legal certainty.

Overall, this opinion has revealed many issues that exist in the proposal. To avoid undoing the results achieved by the GDPR, the EU Commission would do well to revise the proposed Regulation before it enters into force.