Monday, 19 September 2016

GDPR, e-Privacy and beyond: more certainty and coherence for the online sector (or quite the opposite)?

The interplay of GDPR and e-Privacy Directive

One of the objectives of the General Data Protection Regulation (GDPR), which was adopted earlier this year and will effectively replace Directive 95/46/EC in 2018, was to make the European data protection framework fit for the 21st century. The extensive regulation does indeed bring the existing framework up to date and promises greater uniformity of national standards and interpretations. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the new data protection regulation strengthens the conditions for valid consent, ensures that data subjects are provided with information about and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also introduces a widely cited right to be forgotten and the equally important right of data portability. All of these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift, as they require data controllers not only to ensure data protection compliance ex ante (i.e. already at the planning stage), but also to design default settings in such a way that only the minimum amount of personal data necessary is processed. The regulation also elaborates on the data controller’s obligation to ensure data security and to report data breaches.

In line with the previous personal data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the updated data protection act is an increasingly comprehensive regime with an intentionally broad scope of application. Nevertheless, believe it or not, there are still several issues that have not been addressed by the data protection framework. These relate more broadly to the protection of privacy (Article 7 of the Charter), and have so far been regulated by Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). In the words of the European Commission, the directive “sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers’ data”. It touches upon issues such as: confidentiality of communications, security of networks and services, data breach notifications, as well as requirements regarding, among other things, unsolicited commercial communications (spam), the storing of information in subscribers’ terminal equipment [Article 5(3) – the source of the ubiquitous cookie consent pop-ups] and the processing of traffic and location data. The interplay between the e-Privacy Directive and the general personal data protection legislation is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

As a result, the directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations which were carried out in this context. A careful, consumer-oriented analysis was, as usual, submitted by BEUC and is now available on its website.

Review of e-Privacy Directive and BEUC response

Why do we need an e-privacy instrument and which services should be included in its scope?

BEUC: While recognising the important developments within the framework of personal data protection, BEUC remains convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector, complementing and particularising the provisions of the GDPR. In BEUC’s view, sector-specific rules should address, in particular, the issue of data mining and tracking/profiling of users as well as the confidentiality of communications. The scope of such an act (ideally – a regulation) should cover both traditional electronic communication services and over-the-top (OTT) services such as Voice over IP and instant messaging (Skype, Whatsapp, Messenger). OTTs are currently outside the scope of the e-Privacy Directive, as they do not fall under the definition of an electronic communication service, which requires inter alia the "conveyance of signals".

Which issues remain unresolved under the current data protection regime?

Security and confidentiality

BEUC: Providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. Users should remain free to apply other techniques.

Comment: While the need to ensure the security of electronic communications seems undisputed, a potential overlap between the e-Privacy instrument and other pieces of legislation, in particular the GDPR, the NIS Directive and their implementing acts, should be taken into account. At the same time, there seems to be a strong case for maintaining and even extending the scope of the existing provisions on confidentiality to OTTs, as this issue does not seem to be addressed elsewhere.

Accessing users’ devices (e.g. in order to place a cookie)

BEUC supports the existing consent requirement laid down in Article 5(3) of the e-Privacy Directive. More importantly, however, it argues that users should not be prevented from accessing non-subscription-based services if they refuse the storing of identifiers (i.e. cookies) that are not necessary to provide the service. Furthermore, according to BEUC, the lifespan of cookies should be linked to their purpose.

Comment: Five years after the implementation of the cookie consent provision, no one dares to deny that the directive failed to achieve its desired impact. Indeed, consent requests are generally treated as a formality and essentially confront users with a take-it-or-leave-it situation. BEUC’s proposal appears suitable to address this problem. At the same time, questions relating to the interface between the e-Privacy Directive and the remaining EU acquis continue to arise. Couldn’t the requirement to provide users with a clearer and more granular choice, and to adhere to the principle of data minimisation, be derived from the GDPR (now that online identifiers are clearly in its scope)? To what extent could the collection of data for the purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance, which has actually elaborated on this matter? What about the proposed Digital Content Directive and Distance Sales Directive - shouldn't they have something more to say about this? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) and, consequently, is the e-Privacy Directive the right instrument to regulate this issue? Before reopening the whole cookie debate once again, it would seem reasonable to first assess where we stand.

Traffic and location data

BEUC: The consent requirement for the processing of traffic and location data should be maintained and the exemptions to this rule should not be broadened. On the contrary, the scope of the provision should be extended to cover GPS location data and Wi-Fi network location data used by information society services in mobile devices.

Comment: Stricter conditions for the lawful processing of traffic and location data (a consent requirement for certain types of processing), along with specific requirements as to the erasure or anonymisation of data, can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and data collected by other information society service providers. At the same time, while understanding BEUC’s concerns about anonymisation, it needs to be recognised that traffic and location data are essential for the proper functioning of many digital services. The European legislator should therefore make sure that the revised instrument does not throw the baby out with the bathwater.

Unsolicited commercial communications

BEUC argues that marketing messages sent through social media should be subject to the same opt-in obligation that applies to email. Indeed, both channels of communication share certain similarities. In fact, however, unsolicited commercial messages on social media do not seem to present a serious problem, and in this domain the issue of targeted advertisements appears much more pressing.

Conclusion

Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in GDPR constitute a significant development in the data protection regime. In the technologically-mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (e.g. already at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become “fundamental guiding principles in the online environment”. Given the growing importance of data-driven business models this appears to be a noble aim. The European legislator should, however, also make sure that innovation is not killed on the way – and to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary.