Data Privacy

10 Jan­u­ary 2017 – To com­ple­ment the Gen­eral Data Pro­tec­tion Reg­u­la­tion fi­nalised ear­lier this year, to­day (10 Jan­u­ary 2017) the Eu­ro­pean Com­mis­sion pub­lished a pro­posed reg­u­la­tion to re­place the 2009 ePri­vacy Di­rec­tive. As the draft pro­posal that was re­cently leaked in­di­cated, the di­rec­tive is in­deed be­ing re­placed by a reg­u­la­tion. Ac­cord­ing to the Com­mis­sion, hav­ing one set of rules through a reg­u­la­tion in­stead of 28 na­tional im­ple­men­ta­tions of the di­rec­tive will sig­nif­i­cantly in­crease le­gal cer­tainty for busi­nesses while en­sur­ing that all peo­ple and busi­nesses in the EU will en­joy the same level of pro­tec­tion for their elec­tronic com­mu­ni­ca­tions.

In ad­di­tion to adapt­ing the ePri­vacy rules to com­ple­ment the Gen­eral Data Pro­tec­tion Reg­u­la­tion, the scope has been ex­panded to cover new in­ter­net-based providers of elec­tronic com­mu­ni­ca­tions ser­vices in con­trast to the cur­rent ePri­vacy Di­rec­tive which only ap­plies to tra­di­tional tele­coms op­er­a­tors.

The rules on cook­ies in the pro­posed reg­u­la­tion is a game-changer that will dra­mat­i­cally al­ter how web­sites and browsers op­er­ate. While the cur­rent ePri­vacy Di­rec­tive pro­vides lit­tle de­tails on whether web­sites need to seek con­sent on the us­age of cook­ies, case law and guid­ance by mem­ber state data pro­tec­tion au­thor­i­ties have gen­er­ally es­tab­lished that browser pri­vacy set­tings are not suf­fi­cient for ex­pressly grant­ing con­sent to the us­age of cook­ies. The pro­posed reg­u­la­tion changes this dras­ti­cally by cre­at­ing new rules for browsers and the us­age of track­ing tech­nolo­gies.

The Com­mis­sion stated how­ever when re­veal­ing the pro­posal that no con­sent is needed for non-pri­vacy in­tru­sive cook­ies in­clud­ing “cook­ies set by a vis­ited web­site count­ing the num­ber of vis­i­tors to that web­site” as well as cook­ies that are es­sen­tial for the proper func­tion­ing of a web­site (e.g. to re­mem­ber shop­ping cart his­tory). The pos­si­bil­ity to en­sure the func­tion­ing of a web­site with­out the need for ex­plicit con­sent sup­ports browser-im­ple­mented “Do Not Track” func­tion­al­ity pro­vided for by some browsers (but which is cur­rently al­most uni­ver­sally ig­nored by web­sites) by en­sur­ing that it is not nec­es­sar­ily a bi­nary choice be­tween ac­cept­ing cook­ies or be un­able to use a web­site but rather a choice whether to ac­cept be­ing tracked.

The new pro­posal is likely to re­ceive strong crit­i­cism from es­tab­lished multi­na­tional in­ter­net com­pa­nies whose busi­ness mod­els of­ten rely ex­ten­sively on user track­ing to pro­vide tar­geted ad­ver­tis­ing. In ac­knowl­edg­ing the is­sue, the Com­mis­sion re­sponded pre­emp­tively when launch­ing the pro­posal: “the new rules will not pro­hibit ad­ver­tis­ing, or the pos­si­bil­ity for web­sites to use cook­ies or other tech­nolo­gies for track­ing user be­hav­iour [but] em­pow­ers users to make an in­formed choice con­cern­ing the ac­cep­tance of these prac­tices.” An­drus An­sip, the EU Dig­i­tal Sin­gle Mar­ket Com­mis­sioner, is adamant: “our draft ePri­vacy Reg­u­la­tion strikes the right bal­ance: it pro­vides a high level of pro­tec­tion for con­sumers, while al­low­ing busi­nesses to in­no­vate.”

The Com­mis­sion is urg­ing the Eu­ro­pean Par­lia­ment and Coun­cil to work swiftly on the pro­posal in or­der for it to be adopted by 25 May 2018 when the Gen­eral Data Pro­tec­tion Reg­u­la­tion comes into force.