The question of how data privacy rights bite within the online environment is undoubtedly one of the most important questions with which 21st century information rights practitioners have to grapple. It is also one of the most difficult. This is not least because this is an area which is dominated by a European legislative triumvirate which is highly complex and, in a number of areas, heavily under-tested. That triumvirate comprises: the Data Protection Directive (95/46/EC), the E-Privacy Directive (2002/58/EC) and the E-Commerce Directive (2000/31/EC).
In a nutshell:
- the Data Protection Directive is concerned with the general protection of data privacy rights;
- the E-Privacy Directive is concerned more specifically with the protection of data privacy rights in the online world and, in particular, with the protection of data subjects with respect to spamming, the confidentiality of e-communications and online data tracking activities;
- the E-Commerce Directive is concerned, amongst other things, with insulating online intermediaries against excessive legal liability for the content which they host, cache or transmit.
As if things weren’t hard enough as it is, the sea-change ushered in by the introduction of the General Data Protection Regulation will inevitably have ripple effects on both e-privacy and e-commerce principles.
It is very much with an eye to those ripple effects that the EU Article 29 Working Party (“WP”) has recently issued an opinion on how the E-Privacy Directive should be revised so as to make it future proof – see the opinion here (note, in drafting this opinion, the WP’s other eye was very much on the emergence of the single digital market).
The following is a summary of the WP’s key conclusions:
- The need for complementary regimes – The GDPR is not a comprehensive data privacy code. There remains a need for free-standing e-privacy legislation to complement the GDPR. This is confirmed by Article 95 of the GDPR, which makes clear that the GDPR does not purport to impose additional obligations in respect of data processing operations carried out in connection with the provision of publicly available electronic communications services in public communication networks, insofar as those operations are already subject to specific obligations under the E-Privacy Directive.
- Stronger together – Insofar as the processing of communications data, traffic data and location data involves the processing of personal data, the E-Privacy Directive should operate so as to complement, rather than undermine, GDPR principles. This will entail the introduction of more precisely defined conditions which take the privacy impact on data subjects more thoroughly into account.
- Consent is the touchstone principle
- Any revised version of the E-Privacy Directive should maintain and reinforce the principle that, save for certain exceptional cases, the collation of online communications, traffic data and location data should be consent-based, and the need for consent should be treated as prevailing over countervailing considerations (such as the legitimate interests of the data controller). Consent is also generally required for all direct marketing communications, by whatever online means they are sent.
- As with the GDPR, consent in the context of E-Privacy legislation should not be treated as having been obtained where the data subject was not given any choice in the matter: “The Working Party invites the EC to develop a specific prohibition on such ‘take it or leave it’ choices with regard to electronic communications, where such choices would undermine the principle of freely given consent”. “Forced consent” should otherwise be prohibited in a number of areas (e.g. tracking of health or sexual data; bundled consent for processing for multiple purposes).
- Capturing non-traditional providers – The E-Privacy legislation should be expanded so that it covers not only traditional e-communication service providers (e.g. telecoms services and ISPs) but also “functionally equivalent communication services (such as, for example, WhatsApp, Google GMail, Skype and Facebook Messenger), especially when it concerns messages exchanged by and between individuals and private user groups”. Publicly accessible private communications networks (e.g. hotel wifi services) should also be caught. Once upon a time, this expansion of the application of E-Privacy legislation would have resulted in the excessive burdening of e-communications providers, particularly in view of the fact that providers who were subject to E-Privacy legislation were also subject to the very onerous Data Retention Directive. However, given that the latter Directive has since been declared invalid by the CJEU, such concerns no longer arise. The WP called upon the EC to state explicitly that it will not seek to reintroduce a data retention requirement.
- A harmonious pan-European approach – The current E-Privacy legislation leaves Member States with too much room to manoeuvre when it comes to the interpretation and application of E-Privacy legislation. That fragmentation of approach should be transcended through the use of more tightly drawn definitions and requirements.
- Accuracy in definitions – The definitions in the legislation should in any event be redrawn to reflect the technical realities of online communications operations (see further the fact that, in practice, the distinction between content data and traffic data is not clear cut).
- Interceptions of e-communications
- The E-Privacy legislation should be revised so as to extend the general prohibition on interception of e-communications to group communications (e.g. webcasts; conference calls).
- The legislation should avoid any legal gaps when it comes to interceptions by elaborating “in a Recital that interception and surveillance should be interpreted in the broadest technological meaning, including the injection of unique identifiers such as, for example, advertising identifiers, audio beacons or super cookies to (the content of or traffic data related to) the communication”.
- The legislation should in any event make clear that “use of the data for advertising, marketing, ‘product innovation’ or research purposes should never be allowed to override the requirement of prior consent for the interception of the content of communication and related traffic data”.
- The legislation should otherwise recognise that so-called “meta-data” (e.g. traffic and location data) can reveal privacy intrusive information: “Based on the recurrent observation of location data, travel patterns may be revealed, including home addresses and work addresses. Traffic data such as calling behavior may reveal social patterns and relations between users while website traffic data may reveal sexual orientation, or for example political affiliation”. Accordingly, consent should generally be required for the processing of such data.
- Data collation and the ‘internet of things’ – The legislation should be revised with a view to ensuring that data which is collated through user devices automatically speaking to e-communications service providers (i.e. passive tracking). However, the legislation should also seek to avoid creating liabilities for data collation which has no significant privacy implications for the user (as may be the case for example where the use of cookie technology yields only aggregated statistical data).
- Direct marketing
- The rules on direct marketing should be revised so as to make clear that they apply to unsolicited communications independent of the means of transmission (so as to take into account the fact that a single communication can be transmitted by multiple electronic means).
- “The burden of proof of obtaining the consent (of either legal or natural persons) should be on the sender or the party commissioning the unsolicited communication, including keeping time stamped copies of the information provided to users when obtaining the consent”
- Revoking consent should be easy and free of charge. Wherever possible individuals should be able to do this through browsers or other software or operating systems.
- “To reflect Article 7(3) of the GDPR it is particularly important to give an easy one-stop mechanism for withdrawing consent to third party marketing where contact details have been included on marketing lists sold on to large numbers of unknown third parties”.
- “The consent has to be specific, as defined in Article 7 of the GDPR. If consent is sought for inclusion in marketing lists to be used by third parties, such consent can only be legally valid if it is separated from, and not combined with, the consent for the first party communication. The categories of products for which electronic communication may be sent and the (categories of) recipients have to be clearly described before obtaining the consent. This requirement also applies to so-called ‘hosted’ communications, where an organization sends unsolicited communication on behalf of other organizations (for example e-mail or targeted advertising in social networks).”
- Data Breaches – The E-Privacy legislation should be amended so as to remove the provisions requiring notification of data breaches, so as to avoid duplicating the notification obligations already provided for under the GDPR.
- Enforcement – To ensure a consistent approach with the GDPR, national data protection authorities should be responsible for enforcing the E-Privacy legislation.
It remains to be seen how far the EU will embrace these recommendations. It also remains to be seen how e-privacy principles will shape up domestically in the aftermath of Brexit.
Anya Proops QC