By Ulrich Wuermeling

An internal Commission draft of a new ePrivacy Regulation (Draft) has been leaked to the public. The Commission plans to propose it in early 2017, but the content of the Draft does not seem near a final proposal. It is either older or still needs some time to be finalized. The Draft reveals the Commission’s priorities of extending the scope of the Regulation, reducing the number of consent notices for first party cookies, increasing privacy and confidentiality of user data and applying higher fines.

If the approach proposed by the Draft were to pass, the commercial rules for the Internet could change substantially in the EU. The ability of internet service providers to monetize services with marketing would be hampered and the users would have to pick up the bill. The economic impact analysis of the Draft simply ignores these consequences by stating that website publishers would have “small” adoption costs and not mentioning any economic impact for users. Furthermore, the Regulation would in parts isolate the EU market from global innovations by fostering data localization. The approach might shield EU based companies from unwanted competition, but would ultimately slow down the development of the digital market in the EU.

The European Commission works on the reform of the ePrivacy Directive (2002/58/EC) for two reasons. Firstly, it is mostly based on the European Data Protection Directive (95/46/EC) which will be replaced by the General Data Protection Regulation ((EU) 2016/679) (GDPR) on 25 May 2018. Secondly, it forms part of the European Commission’s strategy for a Digital Single Market to make the EU’s single market fit for the digital age. The new ePrivacy Regulation is intended to complement the proposed European Electronic Communications Code.

The key changes introduced by the Draft in comparison with the ePrivacy Directive are:

  • Regulation instead of Directive. The Draft is in the form of a regulation rather than a directive – this means it will be directly applicable in all EU Member States. It limits the scope for national implementation, but reserves rights for the Commission to further detail the rules in delegated acts. A similar limitation of Member States rights in favor of European Commission powers was proposed for the GDPR. The Draft, however, is less progressive on the point, presumably taking into account that the GDPR approach got completely reversed during the political negotiations. The potential consequences of the new ePrivacy Regulation differ substantially between Member States, because they have used the flexibility for national implementations under the ePrivacy Directive in different ways (for example with respect to B2B- or voice-to-voice marketing). The Draft is less flexible.
  • Not just personal data. The ePrivacy Directive generally limits its scope to the processing of “personal data” and includes some provisions protecting subscribers and users which can be individuals or legal entities. The general scope of the Draft skips the limitation to “personal data” and applies generally to all electronic communications data, i.e. data related to an “end-user” which can also be individuals or legal entities. Some provisions also apply to information about “equipment” of end-users. There will be areas of application to which the privacy focused GDPR will not apply, leaving the ePrivacy Regulation on its own. Therefore, the Draft includes a number of references to the GDPR which would make provisions – like the consent requirements – applicable whether or not personal data is processed.
  • Not just telecoms. The Draft applies to the processing of data in connection with communications services including services over the Internet (over-the-top or OTT) which are currently not regulated by the ePrivacy Directive. The scope also includes machine-to-machine communications in order to regulate the Internet of Things. As a result, the extended scope captures types of data processing in the Internet the GDPR has been designed for.
  • Broader territorial reach. The Draft has a broad territorial scope and applies to data processed in connection with the provision of electronic communications services in the EU even if the processing does not actually take place in the EU. This includes any offer of electronic communications services to end-users in the EU. The independent definition of the territorial reach may lead to inconsistencies with the territorial scope of the GDPR, but takes broadly a similar extra-territorial approach. As a consequence, new services from outside the EU will probably have no choice than excluding EU users and possibly geo-blocking the EU ‑ including non EU citizens visiting Europe – when they introduce new services until they have the ability to ensure compliance with EU regulations.
  • Limited right to process metadata. The Draft moves from the term “traffic data” to “metadata” which is defined broadly to include any data related to the communication of content. Metadata – but not content – can be processed to the extent necessary for the security, quality, billing, fraud protection and emergency services purposes. For any other processing of metadata, the end-user has to give consent. Unless one of the legal grounds apply, metadata has to be deleted as soon as the communication has taken place. The concept might put established security measures that rely on monitoring and storage of content in question. It is also remains unclear – due to an incomplete sentence – how metadata necessary for the provision of services can be legally processed.
  • Choice between consent or paywall. Consent has to comply with the burdensome requirements of the GDPR. This includes the requirement that consent has to be freely given. The GDPR allows companies to make a contract dependent on providing consent, if the consent is necessary for the performance of the contract. This may include the requirement to provide consent for marketing use, if the service is funded by marketing revenues. A recitals of the Draft elaborates further on the point and states that end-users have a free choice if similar services are available for an “affordable price”. This would lead to the solution of giving users the choice of using a service with marketing for free or paying a reasonable fee for a service without marketing. The consent requirements are also intended to apply to consent from legal entities.
  • Periodic withdrawal right. In addition to the requirements of the GDPR, the Draft mentions that an end-user should be given the opportunity to withdraw from consent not just any time, but also in periodic intervals of six months. It could be clearer what this would look like in practice, but it does not seem to require to renew consent every six months.
  • Limited right to store data. The Draft suggests limited retention periods for metadata, which should be anonymized or deleted once the communication has occurred, except where there are lawful grounds for retention, such as for security and billing purposes. The Draft allows that the parties communicating may store such data, if they have sole control over the storage. This probably means that each party may store the data under its sole control, but the wording is not clear. It is also not clear whether in case of a communication with an employee of a company, the company or the employee would be regarded as the relevant end-user who should have sole control over the data.
  • Nuanced new cookie rules. The Draft specifies the protection of the end-user’s terminal equipment and information stored by it, including cookies. For certain situations, the Draft allows the use of such equipment or the collection of information from the equipment without consent (for example first party cookies for analytics). It also specifies that consent may be expressed by browser settings, but requires at the same time that such settings have to be configured by default to prevent third parties from storing information. The same applies for software such as apps. These requirements would cause high implementation costs and reduce the number of devices that will allow third party access to cookies.
  • Stricter limitations against unsolicited communication. As under the ePrivacy Directive, e-mail marketing is not permitted without the end-user’s consent unless it relates to similar products or services offered to an existing customer. However, the Draft provides for a broader protection against unsolicited communication, because it does not only apply to automatic calling machines, fax and e-mail. Any use of electronic communication services to transmit direct marketing communications for B2B and B2C purposes is covered. This could potentially include marketing communication displayed on websites. Again, it should be noted that these restrictions are not limited to situations in which personal data is processed. The Draft also covers marketing calls for which it requires not only consent but also a caller line to be displayed at which the legal entity conducting the marketing can be reached and a specific  code or prefix that identifies that the call has a marketing purpose. Member States, however, will still be able to keep national opt-out concepts for voice-to-voice calls.
  • National surveillance and data retention possible. The Draft leaves it to the Member States to regulate national security matters. This indicates that the Commission has finally parted from the idea to reintroduce European data retention rules. However, the Draft requires compliance with the Charter which will keep the door open for oversight by the surveillance critical Court of Justice of the European Union (see judgments in Digital Rights Ireland and Schrems).
  • Increased fines: The Draft Regulation mirrors the fines in the new GDPR, imposing penalties for non-compliance of up to 4% of total worldwide annual turnover or 20 million Euros, whichever is higher.

Originally, the Commission aimed to replace the ePrivacy Directive simultaneously with the GDPR on 25 May 2018. The Draft does not include this date and, therefore, indicates that the Commission has become more realistic as to the potential duration of the legislative process. Given the broad scope and level of detail of the Draft, one should expect a long process to reach a political agreement. The Draft brings many issues that have been solved in the GDPR negotiations back on the table. An attempt to reopen these issues will inevitably lengthen the political process. Therefore, one has to be prepared for a time period of substantial legal uncertainties when the GDPR becomes applicable and the old ePrivacy Directive will be still in force. The Draft proposes that the new ePrivacy Regulation should become applicable twenty days plus six months after it is published in its final form. Not much time for companies to get compliant.