– To complement the General Data Protection Regulation finalised earlier this year, today (10 January 2017) the European Commission published a proposed regulation to replace the 2009 ePrivacy Directive. As the draft proposal that was recently leaked indicated, the directive is indeed being replaced by a regulation. According to the Commission, having one set of rules through a regulation instead of 28 national implementations of the directive will significantly increase legal certainty for businesses while ensuring that all people and businesses in the EU will enjoy the same level of protection for their electronic communications.
In addition to adapting the ePrivacy rules to complement the General Data Protection Regulation, the scope has been expanded to cover new internet-based providers of electronic communications services in contrast to the current ePrivacy Directive which only applies to traditional telecoms operators.
The rules on cookies in the proposed regulation is a game-changer that will dramatically alter how websites and browsers operate. While the current ePrivacy Directive provides little details on whether websites need to seek consent on the usage of cookies, case law and guidance by member state data protection authorities have generally established that browser privacy settings are not sufficient for expressly granting consent to the usage of cookies. The proposed regulation changes this drastically by creating new rules for browsers and the usage of tracking technologies.
The Commission stated however when revealing the proposal that no consent is needed for non-privacy intrusive cookies including “cookies set by a visited website counting the number of visitors to that website” as well as cookies that are essential for the proper functioning of a website (e.g. to remember shopping cart history). The possibility to ensure the functioning of a website without the need for explicit consent supports browser-implemented “Do Not Track” functionality provided for by some browsers (but which is currently almost universally ignored by websites) by ensuring that it is not necessarily a binary choice between accepting cookies or be unable to use a website but rather a choice whether to accept being tracked.
The new proposal is likely to receive strong criticism from established multinational internet companies whose business models often rely extensively on user tracking to provide targeted advertising. In acknowledging the issue, the Commission responded preemptively when launching the proposal: “the new rules will not prohibit advertising, or the possibility for websites to use cookies or other technologies for tracking user behaviour [but] empowers users to make an informed choice concerning the acceptance of these practices.” Andrus Ansip, the EU Digital Single Market Commissioner, is adamant: “our draft ePrivacy Regulation strikes the right balance: it provides a high level of protection for consumers, while allowing businesses to innovate.”
The Commission is urging the European Parliament and Council to work swiftly on the proposal in order for it to be adopted by 25 May 2018 when the General Data Protection Regulation comes into force.