To complement the General Data Protection Regulation finalised earlier this year, the European Commission was scheduled to publish a proposal to update the e-Privacy Directive in November. While publication of the proposal has been postponed to January 2017, a draft version has been leaked by Politico, which may give some indication of what to expect from the coming proposal. The first notable point is that the directive is replaced by a regulation, so that it fully complements the General Data Protection Regulation.
The leaked proposal also provides much-needed clarity on how web browser cookies should be handled. While the current e-Privacy Directive provides little detail on whether websites need to seek consent for the use of cookies, case law and guidance by member state data protection authorities have generally established that browser privacy settings are not sufficient to expressly grant consent to the use of cookies. The draft proposal changes this drastically, with recitals explicitly dealing with browsers and tracking technologies.
Notably, the draft regulation endorses the existing “Do Not Track” functionality provided by some browsers (but currently almost universally ignored by websites) by stating that “general privacy settings of a browser or other application shall be binding on, and enforceable against, any third parties.” Making browser privacy settings binding means that the prevalent practice of ignoring browser privacy settings while presenting a cookie notice would expose websites to possible liability under the draft proposal.
The leaked draft also clarifies that there is no need for explicit consent if cookies are used purely to ensure the proper functioning of a website, e.g. “to remember language preferences [or] to keep track of the user’s input when filling online forms over several pages”. The possibility of ensuring the functioning of a website without explicit consent further supports the “Do Not Track” regime: the choice is not necessarily a binary one between accepting cookies and being unable to use a website, but rather a choice of whether to accept tracking (by cookies or other means).
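The two preceding paragraphs describe a website that honours the browser's “Do Not Track” signal while still setting the cookies it needs to function. The following is an added example of how a server can implement that split; it is not code from the original article or from any regulator. The cookie names (`lang`, `form_state`, `_tracker`) and the headers are constructed for illustration; the only real mechanism relied on is the `DNT: 1` request header that browsers send when the setting is enabled.

```python
"""Honouring a browser's Do Not Track (DNT) signal on the server side.

Functional cookies (language preference, multi-page form state) are always
set; tracking cookies are set only when the browser has not sent DNT: 1.
All cookie names here are constructed for the example.
"""
from http.cookies import SimpleCookie

# Cookies the site needs purely to function (hypothetical names).
FUNCTIONAL_COOKIES = {"lang", "form_state"}


def tracking_allowed(request_headers):
    """Return False when the browser signals Do Not Track (DNT: 1).

    Header names are matched case-insensitively because frameworks differ
    in how they present them; any value other than "1" is treated as no
    preference expressed.
    """
    lowered = {name.lower(): value for name, value in request_headers.items()}
    return lowered.get("dnt", "").strip() != "1"


def select_cookies(request_headers, wanted):
    """Split the cookies a page wants to set into kept and dropped.

    Functional cookies are always kept; anything else is kept only when
    tracking is allowed. Returns (kept_dict, dropped_names).
    """
    allowed = tracking_allowed(request_headers)
    kept, dropped = {}, []
    for name, value in wanted.items():
        if name in FUNCTIONAL_COOKIES or allowed:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def set_cookie_headers(request_headers, wanted):
    """Build the Set-Cookie header values for the cookies that survive DNT."""
    kept, _dropped = select_cookies(request_headers, wanted)
    jar = SimpleCookie()
    for name, value in kept.items():
        jar[name] = value
        jar[name]["path"] = "/"
        jar[name]["httponly"] = True   # not readable by page scripts
        jar[name]["samesite"] = "Lax"  # not sent on cross-site navigations
    return [morsel.OutputString() for morsel in jar.values()]


if __name__ == "__main__":
    # Constructed request: a browser with Do Not Track enabled.
    dnt_request = {"Host": "example.test", "DNT": "1"}
    wanted = {"lang": "en", "form_state": "step2", "_tracker": "abc123"}
    for header in set_cookie_headers(dnt_request, wanted):
        print("Set-Cookie:", header)
    # Only lang and form_state are emitted; _tracker is dropped.
```

The same `select_cookies` decision can be logged (which cookies were dropped and why) so that a site can later demonstrate that it respected the browser setting rather than merely displaying a notice.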
Other noteworthy provisions include explicitly mandating “privacy by design” for communications products sold in the EU, and a requirement for browsers to present an initial privacy configuration “at the moment of the first use of the software”. Additionally, there is a new obligation for browsers to move away from the current general practice of allowing all cookies by default to a requirement to block all cookies and tracking “in case of no active choice or action from the user”.
Failure to comply with the draft proposal comes at a steep price: infringements are subject to administrative fines of up to €20 million, or 4% of total worldwide annual turnover.