Review of the e-privacy Directive : technology neutrality, extension to OTT, cookies and similar profiling techniques on the agenda

10508326 - europe map - circuit board backgroundAs another step on the way towards reviewing the Directive 2002/58/EC on privacy and electronic communications amended by the Directive 2009/136/EC (e-Privacy Directive or e-PD), the European Commission (EC) publicized its impact assessment on October 3nd, 2016. The e-PD is part of the Regulatory Framework for Electronic Communications, which comprises a Framework Directive 2002/21/EC and four specific directives. The e-PD is the one dealing with a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies.   In the Communication on a Digital Single Market Strategy for Europe of 6 May 2016, the expected review was presented as one of the key actions under the pillar aiming to create the right conditions for digital networks and services to flourish. Now that the GDPR is adopted, the EC announced objective in reviewing the e-Privacy Directive is to ensure a high level of protection for data subjects and a level playing field for all market players with a specific focus on the electronic communication sector. The EC also insists on the need to ensure consistency between the GDPR and the e-PD. Taking into account new technological developments is highlighted by the EC as one of the core objectives of the initiative. The EC also stresses in this regard that the review aims to be technologically neutral, which means that it does not intend to impose, or discriminate in favor of, the use of a particular type of technology. Rather, according to the EC, the review must ensure that the same service or function is regulated in an equivalent manner, irrespective of the technical means by which it is delivered. At least two illustrations of this objective can be found among the issues expected to be tacked as listed by the EC:
  • Possible extension of the scope of the e-Privacy Directive to online platforms providing OTT communication services. Today, the e-PD mostly applies to traditional telecommunication service providers, i.e. those providers who are responsible for carrying signals over an electronic communications network. To the contrary, it does not apply to so-called over-the-top (OTT) services which provide communication services such as, internet telephony or webmail. For illustration purpose, the EC refers to services such as Facebook, LinkedIn, Skype or Twitter. As an example of the inconsistencies resulting from the current scope of the e-PD, the EC points out that although the Data Protection Directive and the recently adopted GDPR apply to the processing of personal data carried out by OTTs, the enhanced protections provided by the e-PD do not apply to these operators. To correct this, the EC contemplates to extend the scope of the e-PD to services that are very similar from a functional perspective and regarded as substitutable by consumers such as OTTs. Should such an extension be confirmed, OTTs would have to prepare to comply with the obligations provided by the e-PD.
  • Review of Article 5(3) – cookies and similar techniques - with a view of making it consistent with modern tracking technologies. Under Article 5(3) of the e-PD the storing of information or the gaining access to information already stored on the user’s terminal equipment is subject to the requirement to collect the user’s prior consent. According to the EC, these provisions may have to be updated in order to capture new techniques using browsing activities for tracking purposes. As an example, the EC refers to device fingerprint, a technique based on information collected about a remote computing device and enabling to fully or partially identify individual users or devices even when cookies are turned off[1]. Also, it is important to note that the EC seems to be inclined to consider, in light of the GDPR, whether other changes are needed in order to ensure effective and efficient protection of confidentiality of communications. For instance, other issues that may be tackled in the course of the review include (i) the clarification of the possibility to rely on the configuration of browser settings in order to collect prior valid and effective consent by users[2] or (ii) the extension of the exceptions to the prior consent rules in order to include storing/accessing of information in users’ device which are not privacy invasive, such as first party web-analytics.
The list of issues to be addressed by the review will be confirmed once the REFIT[3]evaluation will be concluded. According to the EC work program, such an evaluation can be expected in the beginning of 2017. At that time, it will be possible to better assess the possible impact of the review as well as the necessity to engage or pursue the dialogue with the Commission.
Georgie Courtois, attorney Partner
Jean-Sébastien Marie, attorney Senior Counsel

[2] Recital (66) of the e-PD provides that: « where it is technically possible and effective […] the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application ». This possibility to rely on the configuration of browser settings was integrated into domestic transposition laws by several Member States. In France, this possibility is provided under Article 32-II of the Data Protection Act of 6 January 1978. In practice, such an option gave rise to uncertainties as to the conditions to be satisfied by a browser to be able to deliver valid and effective consent. In a first attempt to clarify the meaning of Recital (66), the Article 29 Working Party elaborated a very restrictive reading of it stating in essence that it is not an exception to Article 5(3) and that it shall correspond to very limited circumstances in practice (see Opinion 2/2010 on online behavioural advertising -
  #DSM #EU #Digital #dataprivacy #eprivacy
To go further