PART 1 - The New e-Privacy Regulation: A Timeline So Far
The world of data privacy is becoming messier to navigate. Companies have spent the last few years implementing important changes to ensure they are compliant with the General Data Protection Regulation (GDPR). However, while all of this has been going on, EU officials have been busy planning the next big change.
The discussion of the ePrivacy Regulation, a stricter version of the current ePrivacy Directive (also known as the Cookie Directive), has been famously opposed by news publisher trade groups, which argue that the new laws could be catastrophic. The ePrivacy Regulation introduces substantial changes to the old ePrivacy Directive and specifically addresses the use of cookies, applying to most online service providers and even messenger services such as WhatsApp and Facebook Messenger. However, discussions have been ongoing for nearly 3 years and as yet a decision is awaited. So, what is this new law, and why is it so controversial?
In this first article, we look at the timeline of the ePrivacy Regulation so far, and how the negotiations and objections have led to heavily caveated proposals. Next week, we will look in more detail at what rules are changing.
The New ePrivacy Regulation
The new ePrivacy Regulation aims to complement the rules introduced by the GDPR, creating uniform and directly applicable rules to protect end users’ privacy at every online interaction. The ambitious decision to create the widest protection of EU citizens’ privacy and confidentiality means that the Regulation has a massive scope, applicable not only to communication service providers such as mobile telephone operators, but also on the internet. This impacts spam, direct marketing, instant message companies, app developers and the Internet of Things in general.
As these changes have been debated, regulators have made decisions in the interim which mean that the landscape is becoming difficult to navigate.
A Timeline towards new Cookies Compliance
The first draft in January 2017 concentrated on rules for direct marketing and cookies. It had direct scope, which meant it would apply automatically, leaving less room for divergent national laws, and it applied whether processing took place within or outside the EU. It included strict rules on opt-in consent to cookies, setting out that third party cookies should be prevented by default and that these rules covered any sort of tracking tool. Direct marketing was not permitted without consent, unless it was sent to existing customers with the possibility of opting out. It also aligned breach notification procedures with the GDPR. At the time, it was thought that this draft applied only to personal data, which meant that some cookies and direct marketing practices might have fallen outside the scope of the laws.
However, the next draft of September 2017 created even broader scope, with the Article 29 Working Party clarifying that any electronic communications data would fall within the scope of both the GDPR and this new Regulation. This includes data online and offline by means of users’ terminals, any content transmitted including metadata, any type of direct marketing communications and any machine to machine service.
This meant that the draft expanded to include Industrial Internet of Things communications.
It removed the numerous options we have for processing data under the GDPR; when it came to direct marketing and cookies, businesses could no longer rely on options such as legitimate interests or the performance of contracts. For these electronic communications, the only option is consent. Cookie walls were banned, and strong limitations were placed on web analytics.
There was an international reaction that this regime was especially restrictive and worries that, during this age of digitalisation, the EU market would halt the usage of machine learning, artificial intelligence and the Internet of Things.
The draft that followed in July 2018 saw the negotiations and objections creating some key changes. Further processing of electronic communications metadata was now to be allowed, but with several conditions to be met. Access to specific website content could in fact be made conditional on the consent to the storage of a cookie or similar identifier.
However, there remained concerns about how these still restrictive rules could affect the development of Blockchain technology.
In March 2019 the further revised proposal appeared to be more favourable to digital businesses. The original draft had required user-friendly cookie and tracking controls, which were supposed to avoid a user having to click on a banner every time they accessed a website; this requirement had been removed. The new draft allowed users to give consent to certain types of cookies by inserting specific cookie providers in a whitelist. Browser providers were to ensure that users could easily set up and modify these whitelists and withdraw consent easily and transparently. The higher level of consent set out in previous drafts remained.
Clarification from Finland?
The latest step has been the Finnish Government’s revised proposal in November 2019 on the Regulation. It carved out that the obligation to erase electronic communications data would only apply when the data is no longer necessary. It clarified that the processing of cookies cannot be a condition to access a service where there is an imbalance between the end-user and the service provider. Positively, it limited the scope of the rules to state that they only applied to machine to machine electronic communications when carried out via a publicly available electronic communications network. It also allowed for the processing of data on terminal equipment without the consent of the end-user, where this was necessary to provide a service requested, for example, the storing of data after filling out online forms.
So what will the new rules be, and what do data controllers who use and rely on cookies and online tracking technologies need to do in order to prepare for and head towards cookies compliance? Check out our Part 2 article to follow!
In the meantime, if you have any questions about cookies or data protection, please get in touch!
Article by Lily Morrison @ Gerrish Legal, November 2019