The European Commission unveils its proposals to review the e-privacy Directive

19/01/17
Following our previous post, we return to the e-privacy reform, as the European Commission clarified its position by publishing its formal proposal on January 10th.

In line with the General Data Protection Regulation (GDPR), this new project aims at completing the upgrade of personal data regulation. In an effort to achieve quick and full harmonization, the Commission has chosen to resort to a regulation rather than a directive, as it will be directly enforceable in all member states. In addition, the Commission recommends that it come into effect on May 25th, 2018, on the same day as the GDPR.

Extended scope. As previously announced, the Commission calls for a technology-neutral approach, applying to all communication services and terminal equipment (art. 3 § 1). Under this new definition, OTT services (WhatsApp, Facebook Messenger, Viber…) would thus be covered (unlike before). Moreover, these rules will apply regardless of the provider's place of establishment, provided that end users are located in the European Union.

Changes for internet cookies. The Commission wants to increase the power of web users by making the placing of cookies subject to their prior and express consent (except for those which are necessary for the transmission of electronic communications, to provide the service subscribed to by a user, or intended for audience measurement, art. 8 § 1). As for third-party cookies (advertising), electronic communication software (e.g. Internet Explorer or Chrome) shall offer the option to prevent access to users' terminals. Nonetheless, if the user accepts it, he will no longer have to "click" each time to give his consent, contrary to the current system. End-users who have consented to the processing of electronic communications data shall be given the possibility to withdraw their consent at any time and be reminded of this possibility at periodic intervals of 6 months (art. 9).
The provision no longer provides that access by third parties is blocked by default (a version of it leaked in December stated otherwise), but the online advertising industry still has some concerns. Finally, opt-in requirements remain unchanged for commercial prospecting, but will apply more extensively to all electronic communications services used for the purpose of sending direct marketing communications.

Enhancement of data confidentiality. The new Regulation distinguishes between communication content and metadata (linked to data traffic). Metadata can be processed without the user's consent if it is necessary to meet mandatory quality of service requirements, for billing interconnection payments, or for detecting and stopping fraudulent or abusive use of electronic communication services. Nevertheless, it should be noted that, if this project is adopted as such, telecom operators will also now be able to use metadata to develop their services (provided they have collected users' consent). Providers may process electronic communication content for the sole purpose of providing a specific service to an end-user, if end-users have given their consent, or the provision of such service cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority (art. 6). Finally, providers shall erase electronic communications content or make that data anonymous after receipt by the intended recipients. The same principle will apply to metadata as soon as it is no longer needed for the purpose of the transmission of a communication. Only metadata necessary for billing purposes may be kept until the end of the period during which a bill may lawfully be challenged or a payment may be pursued in accordance with national law (art. 7).
The consequences for infringing this new set of rules are aligned with the sanctions stated in the GDPR (up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, for the most serious breaches). However, the possibility of a class action has disappeared from the final version of the Commission's proposal.

Even if the proposal increases obligations, the Commission considers that companies will have new perspectives in terms of data exploitation and will operate in a market with harmonised rules. In addition, the Commission published, on the very same day, a statement about "Building a European data economy" and on data transfers outside the EU.

Given the negative reactions following the Commission's proposals, from both industry and civil society, discussions may be lengthy and difficult before an agreement is reached. It will be hard to comply with the timetable that has been proposed (as a reminder, the adoption of the GDPR took four years).

Georgie Courtois, Partner

Jean-Sébastien Mariez, Senior Counsel
