Showing posts with label e-privacy. Show all posts

Friday, 21 January 2022

No ads in email services without prior consent: CJEU in C‑102/20, StWL Städtische Werke Lauf

Today we would like to recall one of the judgments delivered by the Court in late 2021, in case C-102/20 StWL Städtische Werke Lauf. Since many language versions of this judgment were not available until recently (including the English one), it may be helpful to summarise it quickly, while interested readers can now consult the full text of the Court's decision here. The case is noteworthy as it combines an interpretation of the e-Privacy Directive 2002/58/EC with that of Directive 2005/29/EC on unfair commercial practices (UCPD).

Facts of the case

The case involved two competing electricity suppliers in Germany, one of whom commissioned a marketing campaign consisting in displaying ads to the users of a free email service, T-Online. The advertisements appeared in private email inboxes of those users, inserted between the emails received. The entries differed from the incoming emails in three respects: (i) the date was replaced by the word ‘Anzeige’ (advertisement), (ii) no sender was mentioned and (iii) the text appeared against a grey background. The subject of the "message" was of a promotional nature, and referred to advantageous prices for electricity and gas services. Upon clicking on it, the user was redirected to the advertiser's website.

A competitor of the supplier engaged in this form of promotion considered the practice to be unlawful under German law. Among others, it was argued, the practice violated the provisions on unsolicited email marketing and persistent unwanted solicitation. Since both issues also fall under EU law, the German Supreme Court (BGH), hearing the appeal, decided to stay the proceedings and refer questions concerning the e-Privacy Directive and the UCPD to the Court of Justice.

Judgment of the Court

The CJEU focused on two issues: firstly, the concept of electronic mail, and use thereof, within the meaning of the e-Privacy Directive, and secondly, the reading of the per se prohibition set out in point 26 of the Annex to the UCPD. 

Unsolicited email marketing (e-Privacy Directive)

Pursuant to Article 13(1) of the e-Privacy Directive the use of, among others, electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent. What the Court had to analyse was, therefore, whether the factual situation in the case at hand qualified as the use of electronic mail covered by the Directive. 

The Court did not seem to have doubts about an affirmative answer to this question. First of all, the fact alone that commercial messages were communicated by means of an email inbox was sufficient for the CJEU to conclude that the use of electronic mail referred to in Article 13(1) took place (para. 46). Moreover, the Court opted for a broad reading of direct marketing, whereby the selection of the recipient remains irrelevant to the qualification of commercial communications as addressed "directly and individually" to that recipient. In other words, the fact that the respective communication is sent "on a mass, random basis to multiple recipients" does not disqualify it as direct marketing. A user who obtains access to his or her inbox only after having entered his or her registration data and password and sees commercial messages in that space counts as an individual recipient (para. 51).

Two extra points

While the response of the Court could be limited to these two points, two additional points are worth considering. Firstly, the Court expressly stated that the list of means of communication, referred to in Article 13(1) of the e-Privacy Directive, is not exhaustive, but instead should be given a broad interpretation, evolving from a technological perspective (paras. 38-39). This leaves it open what other ways of communicating messages via publicly available electronic communications services, similar to voice calls, fax, SMS/MMS and email, could fall under Article 13(1) - with the consequence that the use of such services for direct marketing would always require the user's prior consent. Messaging apps, such as Messenger or WhatsApp, certainly come to mind. Interestingly, Facebook reportedly intended to insert ads in WhatsApp, but abandoned the idea following public backlash. It now seems that legal reasons would also speak against it, especially in view of the broad reading of 'direct marketing' recalled above.

The second point, which the CJEU decided to address without being directly asked about it, concerns the corresponding consent of the user. Not surprisingly, the Court observed that consent must "be indicated, at least, in a manifestation of a free, specific and informed wish on the part of the person concerned", in line with the conditions which are now extensively defined in the General Data Protection Regulation (para. 57). What seems most interesting in this regard is the reading of "freely given" consent in the context of so-called bundling, i.e. whereby access to a service is conditioned on granting one's consent. While the judgment did not address this directly, the Court appears to have paid attention to the fact that two versions of the email service were available to the user - a paid one and an ad-supported one (para. 58). Arguably, this direction of reasoning can be accepted with regard to freely given consent, provided the conditions of the paid subscription are reasonable - a matter which the CJEU did not explore in the case at hand. As in the previous case law, the Court devoted more attention to the informed nature of consent, specifying that users should be clearly and precisely informed about the means by which adverts are distributed, in particular the fact that advertising messages are displayed within the list of private emails (para. 59). While the lack of clear guidance on freely given consent is somewhat disappointing, it is interesting that consent given to the email service provider is accepted as relevant for assessing the lawfulness of specific commercial messages communicated through this service. Advertisers making use of such services are thus advised to verify the consent mechanisms applied by their providers.

Persistent and unwanted solicitations (UCPD)

In the second part of the judgment the Court turned to consumer law stricto sensu, namely to Directive 2005/29/EC on unfair commercial practices. To recall, point 26 of the Annex to the UCPD establishes a per se prohibition of "making persistent and unwanted solicitations by telephone, fax, e-mail or other remote media except in circumstances and to the extent justified under national law to enforce a contractual obligation". A question was thus posed if activities considered in the case at issue fulfilled the above criteria.

As was to be expected, the Court found that advertising messages, such as those in the case at issue, constituted a solicitation of email service users within the meaning of point 26 of the UCPD black list (para. 71). What is surprising, however, is the limited guidance as regards the criteria of "persistent" and "unwanted" nature. As for the former, the focus remained on the messages from a particular advertiser and a broad reading of persistent solicitation was applied, whereby three ads within a period of approx. 1 month were deemed to be persistent (para. 73). The Court did not elaborate, however, on whether persistence may also refer to the commercial messages displayed in the email service as a whole. That question, arguably, remained outside the scope of the present dispute, but is definitely a practically relevant one.

As for the "unwanted" nature of solicitations, the Court connected it to the absence of consent of the user prior to the display of ads. However, what exactly is meant by such "consent prior to the display" is not elaborated. While a connection to the first part of the judgment would make sense at first glance, on a closer look some questions can be posed. If what we analyse are specific commercial messages inserted in the mailbox, can consent to the use of the email service really be decisive? And if so, shouldn't that consent also specify the type of advertisements which the user does not wish to receive, or at least be conditional on the possibility of screening them subsequently? As a matter of fact, the Court mentioned the relevance of the user's "opposition" to advertising practices, which was supposedly established in the main proceedings - this, nonetheless, is not apparent from the recalled facts of the case. Overall, the reading of the UCPD in case C‑102/20 disappoints and further guidance on the notion of persistent and unwanted solicitations will certainly be needed.

Thursday, 26 August 2021

UK using their right to forget the right to privacy again?

The UK government named Mr John Edwards as the new Information Commissioner (ICO). His task: to move away from the EU data protection rules, which are at least to an extent perceived as 'pointless' (see BBC's news 'Data protection 'shake-up' takes aim at cookie pop-ups'). For example, pop-up notices that a website is using cookies could in the future be required only when the website brings about 'high risk' to privacy. How the 'high risk' will be determined remains to be seen. Generally, though, privacy is to be protected through 'a light touch', which likely means that the new UK rules will not be compatible with GDPR rules. This, in turn, may inhibit trade with EU countries (if the UK is recognised as a country deviating too much from GDPR rules to guarantee safe transfer of data), a price that may not be worth paying for the regulatory haven the UK government is dreaming about. But then again, the right to privacy was never perceived as a human right in the UK and it seems Brexit could give an excuse to strip it away again.

Tuesday, 26 January 2021

Norwegian Consumer Council - sheriff of online consumer protection

The Norwegian Consumer Council (Forbrukerrådet) has published two interesting news reports this month. 
 
First, on Jan 14 it reported on potentially unfair commercial practices of Amazon, which make it difficult for consumers to cancel their Amazon Prime subscription (You can log out, but you can never leave). The Norwegian Consumer Council identified many of these practices as Amazon using dark patterns to manipulate consumers online, hindering them in making informed choices and trying to nudge them away from actually cancelling the subscription (by misdirection, visual interferences, confirmshaming). This may be achieved by making consumers go through many pages, asking them to confirm their choices in a manner that confuses consumers, etc. Generally, the Norwegian survey looked into practices of digital service providers, where consumers would take out a subscription for services. Such subscriptions involve automatic payments and content is delivered online, and thus if consumers stop using a service they may forget about it, as it becomes invisible to them. Therefore, it may be especially important to facilitate consumers' termination of such services. And yet, the survey found that 25% of respondents have experienced problems with cancelling such subscriptions due to a difficult process having been set up.

Today, it reported that another Norwegian authority - the Norwegian Data Protection Authority (Datatilsynet) - issued a fine of over 9.5 million Euro to the dating app Grindr (10% of their global annual revenue), following on the Norwegian Consumer Council's complaint from a year ago about infringements of privacy by this app (Historic victory for privacy as dating app receives gigantic fine). The breach of GDPR occurred due to the app collecting and sharing personal data without sufficiently informed and explicit permission from users for such practices (more in the report 'Out of control', on Grindr specifically as of p. 72).

Wednesday, 2 October 2019

CJEU confirms stricter requirements for valid cookie consent - case C-673/17 Planet49

Yesterday the Court of Justice delivered its judgment in case C-673/17 Planet49, concerning the requirements for a valid consent to the storage of cookies. The judgment largely falls in line with the previous opinion of Advocate General Szpunar, on which we reported in an earlier post (see: Pre-ticked checkboxes NOT informed consent...).

Background of the case

To recall, the case involved a promotional lottery whose prospective participants were asked, among others, to provide personal details and agree to be contacted by various sponsors. Besides several items, to which users agreed by ticking corresponding boxes, the form included another, already pre-ticked checkbox, which concerned the placement of cookies by Planet49. German consumer organisation vzbv questioned the validity of such 'consent' under Directive 2002/58/EC on privacy and electronic communications. Following a 2009 amendment, Article 5(3) of that Directive required Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

As readers may remember, Directive 95/46/EC was, in the meantime, repealed and replaced by the General Data Protection Regulation. The E-Privacy Directive was also supposed to be replaced with a regulation, with the aim to increase coherence with the GDPR. The respective proposal, however, got stuck in the legislative pipeline. The Court was not distracted by these facts and decided to interpret Directive 2002/58 in the light of both Directive 95/46 and Regulation 2016/679.

Judgment of the Court

First of all, the Court agreed with the Advocate General that consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot validly be obtained by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent. To support this conclusion, the Court referred to the requirements for consent to be 'specific' and 'unambiguous' under Directive 2002/58 as well as the even more detailed wording of the GDPR.

Importantly, the Court did not elaborate on the requirement that consent must be ‘freely given’, arguing that a corresponding question had not been asked by the referring court. A response to such a question - one of major importance to the digital economy - would involve an assessment of whether the user’s consent to the processing of personal data for advertising purposes constituted a prerequisite to that user’s participation in a promotional lottery. As noted in our previous post, the Advocate General elaborated on this matter in a way that was subject to criticism. Against this background, the self-restraint shown by the Court is to be welcomed.

As regards the question whether the interpretation set out above should differ, depending on whether or not the information stored or accessed on user's terminal equipment qualifies as personal data, the Court responded with a clear 'no'. This remains in line with the rationale of Directive 2002/58 which aims to protect the user (including natural persons acting for business purposes) from interference with his or her private sphere, regardless of whether or not that interference involves personal data.

Finally, as regards the scope of information to be provided to the user before obtaining his or her consent, the Court opted for a broad reading of Article 5(3) of Directive 2002/58 in conjunction with Article 10(c) of Directive 95/46 and Article 13(1)(e) of the GDPR. In this respect, the Court, once again, sided with the Advocate General, stressing that "clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed" (para. 74). The Court considered that information on both the duration of the operation of cookies and whether or not third parties may have access to them had to be provided to the user.
 
Concluding thought

The judgment in Planet49 strengthens the protection of privacy in the digital sphere, not only of consumers stricto sensu, but of internet users more generally. Moreover, the Court confirmed that the standard of 'cookies protection' does not depend on whether or not user's personal data is involved. Privacy, according to this reading, concerns the very fact of placing pieces of software on user's 'terminal equipment'. This resembles the way in which some consumer authorities have read the notion of 'aggressive practices' under Directive 2005/29/EC on unfair commercial practices, also beyond the cookie context (see especially the Italian decision against Facebook). Whether or not such an approach to the UCPD will hold, and how it might be related to standards of disclosure, is still an open question (on the latter, see the judgment of the Court in Wind Tre, para. 45 et seq). When it comes to the E-Privacy Directive these questions do not emerge: here, without doubt, the duty to inform provides a further layer of protection to the one provided by the consent framework. The E-Privacy Directive, therefore, is quite remarkable: it combines high standards of consumer law and data protection law and applies them beyond their traditional scope. Hopefully, internet users will truly be able to benefit from it.

Sunday, 3 June 2018

Is Big Data harmful to our financial well-being?

On 15 March a Joint Committee of the European Supervisory Authorities - ESAs (consisting of the European Banking Authority - EBA, the European Securities and Markets Authority - ESMA and the European Insurance and Occupational Pensions Authority - EIOPA) published their final report on the impact of Big Data on our financial well-being. The overall conclusion of the report is that the potential benefits outweigh the risks posed by Big Data.

Big Data is a flow of data from our daily online activities that is collected and processed with highly sophisticated IT tools. This may include information from our social media presence, internet browsing history, smart phone signals or data generated by using a payment card. Connecting information from various sources enables financial firms to offer tailored financial products and services to us, their customers.

Financial firms are increasingly reliant on Big Data. This is likely to increase in the future with the fast-developing Fintech sector, which developed exactly with the aim of competing with traditional firms by providing better suited products to consumers. Fintech is likely to develop faster in the future due to regulatory initiatives such as Open Banking in the UK (see our report here) that mandates banks to share their customer information with Fintech firms upon the consumer's request.

The advantages of Big Data are undeniable. First and foremost, Big Data enables firms to personalise financial products to meet the needs of their customers. Big Data opened the door for innovative, tailored financial products that would previously not have been available from mainstream financial providers. This is largely because Big Data enables financial firms to connect non-financial information derived e.g. from our Facebook activity with financial information about our savings to create a better picture of our savings and investment habits, and then to tailor their offer in line with our habits. Secondly, Big Data also enables firms to design their provision of information in a way that can be useful to consumers. For example, the insurance company is able to provide the consumers with a warning that the insurance policy does not cover a parachute jump, which the person recently announced on social media. Finally, the use of Big Data can result in cheaper products for consumers. For example, inexperienced drivers could benefit from lower insurance premiums if they are able to prove that they are driving responsibly. This can be done by installing a telematics device in their cars that will enable insurance companies to check and analyse their driving habits.

The use of Big Data also carries risks. The primary risk is that Big Data is misinterpreted. For example, movements of a doctor who works night shifts could be interpreted as an indication of an unhealthy lifestyle, and as a result a consumer may be denied access to financial services, for example a loan. Secondly, consumers may be overloaded with information about various, highly specific products that are difficult to compare and they may end up with a product that is not the best match to their needs. Thirdly, consumers may also be overwhelmed with targeted offers and may end up buying a product that they do not really need. Finally, like all data, Big Data is also vulnerable to cyber attacks.

Given the risks and benefits, the impact of Big Data on our financial well-being is largely dependent on us, on our digital footprint: firstly, on what sort of digital media we are present, and secondly, on what conscious steps we take in making decisions about the information we share. The ESAs warn us that firms are obliged to inform us what sort of data they collect about us and how they store it, and that we need to make sure that we understand how our data may be used. However, the recent application of the new GDPR (see our report here) and the many privacy notices we received in recent days reminded us of just how many spaces we are present in, and just how many companies store our personal information, many of which we do not even remember signing up for. We were also asked to review our privacy settings, seemingly placing us in the driving seat in deciding on the information we are willing to share. But how can we decide on ticking one box rather than the other without knowing the full implications of our decision? For example, a doctor doing frequent night shifts may never find out that his/her loan was refused because of misinterpreted information; even if he/she does, he/she might be unaware of just how many occasions he/she agreed to share his/her location on, and where he/she needs to go now to turn these settings off. Is control over our Big Data illusory? Will Big Data be harmful to our financial well-being without this control? What do you think?

Wednesday, 11 January 2017

More privacy protection?

Yesterday, the European Commission published its proposal (COM(2017) 10 final) for a Regulation on Privacy and Electronic Communications, which is meant to repeal the e-Privacy Directive (2002/58/EC). The Commission, on the basis of the conducted REFIT exercise, evaluates the current framework as still sound as to its objectives and principles. The need for review comes from the technological changes in the market, mostly the popularity of Over-the-Top communications services, which are not currently subject to regulation in e-Privacy Directive. The new Regulation is meant to be lex specialis to General Data Protection Regulation 'and will particularise and complement it as regards electronic communications data that qualify as personal data'. (p. 2 of the Proposal)

Some of the interesting provisions in the new draft Regulation (see more here):
  • it will apply also to provision of e-communications for free;
  • it uses the same definitions as GDPR and European Electronic Communications Code;
  • it protects both data and metadata (incl. traffic and location data);
  • conditions for consent are the same as in GDPR;
  • consent may be expressed by 'using the appropriate technical settings of a software application enabling access to the internet' - for the purpose of consenting to processing and storage of personal data through terminal equipment of end-users;
  • withdrawal of consent needs to be possible - with reminders about this option being sent every 6 months, as long as the processing continues;
  • software needs to offer the option to prevent 3rd parties from storing information on the terminal equipment of an end-user or processing information already stored there;
  • upon installation end-users will need to be prompted to choose and consent to a privacy setting; with already installed software such consent will be required during the first update thereof - not later than 25 August 2018;
  • right to compensation for material and non-material damage;
  • administrative fines of up to 4% of global turnover.

First concerned reactions of the press worried about the industry (!):
"Will this EU privacy proposal lead to a more trustworthy internet or a more annoying one?"
"WhatsApp, Facebook and Google face tough new privacy rules under EC proposal"

Monday, 19 September 2016

GDPR, e-Privacy and beyond: more certainty and coherence for the online sector (or quite the opposite)?

The interplay of GDPR and e-Privacy Directive

One of the objectives of the General Data Protection Regulation (GDPR), which was adopted earlier this year and will effectively replace Directive 95/46/EC in 2018, was to make the European data protection framework fit for the 21st century. The extensive regulation does indeed bring the existing framework up to date and promises greater uniformity of national standards and interpretations. Driven by the desire to empower data subjects to fully exercise their right to personal data protection (Article 8 of the European Charter of Fundamental Rights, Article 16 TFEU, Article 8 ECHR), the instrument builds on the existing safeguards and extends or clarifies them where it deems necessary. Among many other things, the new data protection regulation strengthens the conditions for a valid consent, ensures that data subjects are provided with information and access to their data and can effectively object to the processing, reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. It also introduces a widely cited right to be forgotten and the equally important right of data portability. All these are correlated with the corresponding obligations of data controllers according to the newly formulated principles of data protection ‘by design’ and ‘by default’. Both principles bring about a significant paradigm shift as they not only require data controllers to ensure data protection compliance ex ante (i.e. already at the planning stage), but also to design standard settings in a way that only the minimum amount of personal data necessary is being processed. The regulation also elaborates on the data controller’s obligation to ensure data security and report data breaches.

In line with the previous personal data protection directive, the principles laid down in GDPR apply to any information concerning an identified or identifiable person (as explained in recital 26). The novelty, however, lies in the clarification that online identifiers provided by devices, applications and protocols as well as location data may be used to identify a person (see further clarification in recital 30). Without going into detail, it seems fair to assume that under the new regime many online identifiers – such as IP addresses, device IDs and cookies, in particular third-party cookies used for profiling and targeting – will be regarded as personal data.

In short, what emerges from the updated data protection act is an increasingly comprehensive regime with an intentionally broad scope of application. Nevertheless, believe it or not, there are still several issues that have not been addressed by data protection framework. These relate more broadly to the protection of privacy (Article 7 of the Charter), and have so far been regulated by Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive). In the words of the European Commission the directive “sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers’ data”. It touches upon issues such as: confidentiality of communications, security of networks and services, data breach notifications as well as requirements regarding, among other things, unsolicited commercial communications (spam), storing of information in subscribers’ terminal equipment [Article 5(3) – the source of the ubiquitous cookie consent pop-ups] and processing of traffic and location data. The interplay between e-Privacy Directive and the general personal data protection legislation is mentioned in recital 173 of the GDPR, which stipulates that:

This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation

As a result, the directive is currently undergoing review and has yet again attracted considerable public interest. In August the European Commission presented a summary report on the public consultations which were carried out in this context. A careful, consumer-oriented analysis was, as usual, submitted by BEUC and is now available on its website.

Review of e-Privacy Directive and BEUC response

Why do we need an e-privacy instrument and which services should be included in its scope?

BEUC: While recognising the important developments within the framework of personal data protection, BEUC remains convinced that the e-Privacy Directive should continue to form a lex specialis for the online sector, complementing and particularising the provisions of GDPR. In BEUC's view, sector-specific rules should address, in particular, the issue of data mining and tracking/profiling of users as well as confidentiality of communications. The scope of such an act (ideally – a regulation) should cover both traditional electronic communication services and over-the-top (OTT) services such as Voice over IP and instant messaging (Skype, WhatsApp, Messenger). OTTs are currently outside the scope of the e-Privacy Directive, as they do not fall under the definition of an electronic communication service, which requires inter alia "conveyance of signals".

Which issues remain unresolved under the current data protection regime?

Security and confidentiality

BEUC: Providers of electronic communication services should be obliged to secure all communications by using the best available techniques to ensure security and confidentiality. Users should remain free to apply other techniques.

Comment: While the need to ensure security of electronic communications seems undisputed, a potential overlap of the e-Privacy instrument and other pieces of legislation, in particular GDPR, NIS Directive and their implementing acts, should be taken into account. At the same time, there seems to be a strong case to maintain and even extend the scope of existing provisions referring to confidentiality to OTTs, as this issue does not seem to be addressed elsewhere.

Accessing users’ devices (e.g. in order to place a cookie)

BEUC supports the existing consent requirement laid down in Article 5(3) of e-Privacy Directive. More importantly, however, it argues that users should not be prevented from accessing non-subscription based services if they refuse the storing of identifiers (i.e. cookies) that are not necessary to provide the service. Furthermore, according to BEUC, the lifespan of cookies should be linked to their purpose.

Comment: Five years after the implementation of the cookie consent provision, no one dares to deny that the directive failed to achieve its desired impact. Indeed, consent requests are generally treated as a formality and essentially confront the users with a take-it-or-leave-it situation. BEUC’s proposal appears suitable to address this problem. At the same time, questions relating to the interface between the e-Privacy Directive and the remaining EU acquis continue to arise. Couldn’t the requirement to provide users with a clearer and more granular choice and to adhere to the principle of data minimisation be derived from GDPR (now that online identifiers are clearly in its scope)? To what extent could the collection of data for purposes of tracking/profiling, without the knowledge of the user, be considered a misleading omission of material information and potentially an unfair commercial practice? Does anyone still remember the recent UCPD guidance which has actually elaborated on this matter? What about the proposed Digital Content Directive and Distance Sales Directive - shouldn't they have something more to say about this? Is the privacy rationale sufficient to extend the legal effects of Article 5(3) and, consequently, is the e-Privacy Directive the right instrument to regulate this issue? Before reopening the whole cookie debate once again, it would seem reasonable to first assess where we stand.

Traffic and location data

BEUC: The consent requirement for the processing of traffic and location data should be maintained and the exemptions to this rule should not be broadened. On the contrary, the scope of the provision should be extended to cover GPS location data and Wi-Fi network location data used by information society services in mobile devices.

Comment: Stricter conditions for the lawful processing of traffic and location data (consent requirement for certain types of the processing) along with specific requirements as to erasure or anonymisation of data can indeed be seen as justifiable, given the undeniable privacy concerns at hand. There also seem to be no convincing reasons for maintaining a distinction between data collected by electronic communications service providers and by other information society services providers. At the same time, while understanding BEUC's concerns about anonymisation, it needs to be recognised that traffic and location data are essential for the proper functioning of many digital services. The European legislator should therefore make sure that the revised instrument does not throw the baby out with the bathwater.

Unsolicited commercial communications

BEUC argues that marketing messages sent through social media should be subject to the same opt-in obligation that applies to email. Indeed, both channels of communication share certain similarities. In fact, however, unsolicited commercial messages on social media do not seem to present a serious problem and in this domain the issue of targeted advertisements appears much more pressing. 

Conclusion

Beyond doubt, the principles of personal data protection ‘by design’ and ‘by default’ enshrined in GDPR constitute a significant development in the data protection regime. In the technologically-mediated digital ecosystem, where traditional concepts are often difficult to apply and even harder to enforce, an increased focus on ex ante compliance (e.g. already at the stage of designing products/services or programming algorithms) could present a promising way forward. According to BEUC, the concepts of ‘privacy by design’ and ‘privacy by default’ should become “fundamental guiding principles in the online environment”. Given the growing importance of data-driven business models this appears to be a noble aim. The European legislator should, however, also make sure that innovation is not killed on the way – and to ensure that, more clarity as to the practical application and the interdependence of particular legal acts is necessary.