ePrivacy Regulation

    Proposal for a Regulation of the European Parliament and of the Council concerning the respect of the private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC

    On 10 January 2017, the European Commission issued a proposal for an ePrivacy Regulation (hereinafter ePR). Although the ePR was initially slated to come into effect at the same time as the GDPR, numerous debates in the EU Parliament and in the Council of Ministers have slowed down the process. The latest draft was issued early in 2019 by the new Romanian presidency of the Council of Ministers.

    Last Updated: July 30, 2019


  • General

    In general terms, the objective of the EU Regulator is to:

    1. update current rules in line with technological and market developments;
    2. adapt them to the General Data Protection Regulation; and
    3. strengthen trust and security in the Digital Single Market and boost the data economy.

    The development of the proposal for an ePR consolidates an important legislative step regarding the protection of privacy as a fundamental right. This proposal responds to recital 173 of the GDPR, which suggests that the ePrivacy framework ought to be reviewed in order to ensure coherence with the GDPR. In addition, another important reason for enacting an ePR is to expand the scope of application of the current Directive 2002/58/EC (ePrivacy Directive) to include providers offering services, content and applications over the Internet (the so-called Over-The-Top providers or OTTs, such as WhatsApp, VoIP services like Skype, instant messaging, etc.). The aim of encompassing OTTs in the scope of the ePR is to respond to the need to safeguard a fundamental human right which cannot and should not be left to sectoral self-regulation: the right to the confidentiality of communications.

    Outstanding issues

    An extract from a draft issued by the Council of Ministers indicates that delegations had recently raised several fundamental questions that still need to be answered, such as: consent requirements (and the risk of creating consent fatigue); permitted further processing (Article 6); processing of electronic communications data for the purpose of child protection; specific safeguards for permitted further processing activities; the protection of end-users’ terminal equipment (Article 8); the exclusion of national security and defence from the scope of the Regulation; the precise scope of the Regulation and alignment with the GDPR; a problematic mixture of the fundamental rights of confidentiality on the one hand and data protection on the other hand; unclear treatment of GPS location data; and doubts about whether the current draft fits in with the goal of the EU to foster technological developments in areas like AI, IoT and automated driving.

    Cookie consent has been a widely debated issue, with the latest development being that consent for cookies will be streamlined (fewer pop-ups) as a browser setting (instead of individually per site visited), and there are clear indications that an opt-in feature for direct marketing will be retained with clear rules and exceptions.

    Material scope

    The material scope of the current draft of the ePR encompasses the following activities:

    • the processing of end-users’ terminal equipment information;
    • the placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet (e.g. websites and cookies);
    • the offering of a publicly available directory of end-users of electronic communications services;
    • the sending of direct marketing communications to end-users; and
    • the processing of electronic communications content and metadata carried out in connection with the provision and the use of electronic communications services.

    The scope is intended to include not only electronic communications services such as traditional telephony and mobile telephony but also functionally equivalent applications that may be used as a substitute. Functionally equivalent applications are not defined in the ePR draft, but functional equivalence is a crucial concept for properly distinguishing those services that would fall under the material scope of the ePR from those that wouldn’t.

    The taxonomy of OTT services sketched in the BEREC ‘Report on OTT services’ (issued in January 2016) is quite helpful for underpinning the concept of functional equivalence:

    • OTT-0 are all services that qualify as electronic communications services (such as traditional voice telephony);
    • OTT-1 are those services that don’t qualify as electronic communications services but that can potentially compete with or substitute for traditional electronic communications services (VoIP such as Skype, WhatsApp, Webex, etc.); and
    • OTT-2 are those services that are neither electronic communications services nor substitutes for those services. OTT-2 services belong more to the realm of information society services as defined in Article 1(b) of Directive (EU) 2015/1535 (e.g. e-commerce, streaming sites, music services like Spotify, etc.).

    The first two categories fall under the scope of the ePR because those services would be equivalent in the options that the user has for communicating. For example, WhatsApp would be an OTT-1 type of service that offers the same functions as a traditional mobile telephony service: messaging texts and multimedia, free calls and video calls (with the caveat that it is only possible among the network of users), group chats, etc. However, WhatsApp does not quite replace a traditional telephony service: users have to own a mobile phone and a telephony service plan to be able to access the Internet and use OTT-1s like WhatsApp or Skype. The third category, OTT-2, falls outside the material scope of the ePR draft.

    Territorial scope

    The material application of the ePR, like that of the GDPR, is determined by the users and their terminal equipment being located in the EU, regardless of the location of the provider of any of the services listed above. In that case, the electronic communications service provider ought to designate, in writing, a representative in one of the EU Member States where the end-users are located. The only exception to this extraterritorial reach concerning service providers is where the activities carried out are occasional and unlikely to result in a risk to the fundamental rights and freedoms of end-users. A risk-driven assessment should contemplate the nature, content, scope and purpose of the foreseen activities.

    Definitions

    The ePR sets out several definitions that are specific to the protection of the confidentiality of communications and also draws on definitions provided in other Directives.

    From Article 4.3 of the proposal for an ePR

    • Electronic communications data
      The content and metadata of electronic communications.
    • Electronic communications content
      All content exchanged by means of electronic communications, such as text, voice, videos, images, and sound.
    • Electronic communications metadata
      All data processed by means of electronic communications services for the purpose of transmitting, distributing, or exchanging electronic communications content, including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, as well as date, time, duration and type of communication.
    • Publicly available directory
      Means a directory of end-users of number-based interpersonal communications services, whether in printed or electronic form, which is published or made available to the public or to a section of the public, including by means of a directory enquiry service, and the main function of which is to enable identification of such end-users.
    • Direct marketing communications
      Any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services (such as voice-to-voice calls, the use of automated calling, communications systems with or without human interaction, electronic messages, SMS, etc.). It is relevant to note that the legislator intentionally talks about identified or identifiable end-users (instead of “data subjects” or “individuals”), and the reason for this is that the ePrivacy framework (including the current framework) protects the confidentiality of communications of natural persons and of legal entities. Therefore, the term “end-user” is used as a broader reference (i.e. end-users can be individuals as well as legal entities).
    • Direct marketing voice-to-voice calls
      Live calls, which do not entail the use of automated calling systems and communications systems.
    • Automated calling and communications systems
      Any system capable of automatically initiating calls to one or more recipients in accordance with instructions set for that system, and transmitting sounds which are not live speech, including calls made using automated calling and communications systems which connect the called person to an individual.
    • Electronic message
      Any message containing information such as text, voice, video, sound or image sent over an electronic communications network which can be stored in the network or in related computing facilities, or in the terminal equipment of its recipient. This definition encompasses email services, SMS, MMS, and functionally equivalent applications.

    From Article 2 of the Directive establishing the European Electronic Communications Code

    • Electronic communications network
      Transmission systems, whether or not based on a permanent infrastructure or centralized administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, which permit the conveyance of signals by wire, radio, optical or other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.
    • Electronic communications service
      Means a service normally provided for remuneration via electronic communications networks, which encompasses, with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services, the following types of services:

      • internet access service,
      • interpersonal communications service, or
      • services consisting wholly or mainly in the conveyance of signals.
    • Interpersonal communications service
      Means a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.
    • Number-based interpersonal communications service
      Means an interpersonal communications service which connects with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which enables communication with a number or numbers in national or international numbering plans.
    • Number-independent interpersonal communications service
      Means an interpersonal communications service which does not connect with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which does not enable communication with a number or numbers in national or international numbering plans.
    • End-user
      Means a user not providing public electronic communications networks or publicly available electronic communications services and it encompasses natural persons as well as legal entities.
    • Call
      Is a connection established by means of a publicly available interpersonal communications service that allows two-way voice communication between users. 

    From Article 1(b) of Directive (EU) 2015/1535 (Information Society Services)

    • Information Society Services
      Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

    For the purposes of this definition:

    (i) “at a distance” means that the service is provided without the parties being simultaneously present;
    (ii) “by electronic means” means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;
    (iii) “at the individual request of a recipient of services” means that the service is provided through the transmission of data on individual request.

    This definition ought to include services which enable interpersonal and interactive communication merely as an ancillary feature that is intrinsically linked to another service.

    Interplay with the GDPR

    The ePrivacy Regulation, like the ePrivacy Directive, is intended as lex specialis to the GDPR. Article 1 of the proposal for an ePrivacy Regulation states that ‘[t]he provisions of this Regulation particularise and complement’ the GDPR ‘with regard to the processing of data that qualify as personal data by laying down specific rules’ regarding the protection of the fundamental rights and freedoms of natural and legal persons.

    To particularise means to make more specific, that is, to contain specific provisions that take precedence over the more general provisions of the GDPR (lex specialis derogat legi generali). Several provisions in the proposal for an ePR particularise the provisions of the GDPR, such as provisions concerning metadata (such as traffic data). Another example is that the full range of lawful grounds for processing provided by the GDPR is not available, because certain activities that are particular to the ePrivacy framework may only be processed under limited conditions. As the EDPB has put it in a report on the interplay between the ePrivacy Directive and the GDPR: “A corollary of the Lex Specialis principle is that there shall only be a derogation from the general rule insofar as the law governing a specific subject matter contains a special rule.”

    The ePrivacy framework complements the GDPR in that it protects both the fundamental rights of natural persons and the legitimate interests of legal persons.

     
