Things move fast in the world of privacy and data protection. Recently, the collective group of EU data protection authorities, the Article 29 Working Party ("WP29"), has been particularly active. In addition to publishing guidelines and launching consultations regarding the General Data Protection Regulation ("GDPR"), WP29 also released its views on the proposed ePrivacy law reforms, which legislators are aiming to coincide with the commencement of the GDPR. We examine the views of WP29.

What is the ePrivacy Directive?

The ePrivacy Directive (2002/58/EC) (the "Directive"), currently implemented in Ireland through the 2011 ePrivacy Regulations, regulates a wide variety of uses of private information in the electronic communications sphere. The Directive is the origin of laws regarding the use of cookies and similar technologies, the collection and use of location data, and the sending of 'spam' and electronic direct marketing. The Directive also covers many telecoms-specific issues, such as billing, collection of traffic data and the interception of communications. While the Directive has been subject to amendments in 2005 and 2009, a more significant overhaul has now been proposed, in particular to reflect changes to data protection law with the introduction of the GDPR.

New Proposals

In July 2016, following a public review and consultation carried out by the European Commission, WP29 issued an opinion on the reform of the Directive. In January 2017, the European Commission proposed a new law to regulate ePrivacy issues (the "Proposed Regulation"). This Proposed Regulation is intended to replace the Directive, and will overhaul the laws relating to electronic communications, direct marketing, cookies and other issues. One of the biggest changes will be the extension of the rules relating to confidentiality of communications to so-called 'over-the-top' service providers: online messaging providers who are not regulated under the existing ePrivacy Directive. Changes to align enforcement with the GDPR are also proposed.

Regulators' views

In April 2017, WP29 issued an opinion on the Proposed Regulation. WP29 welcomed aspects of the Proposed Regulation, including the expansion to regulate 'over-the-top' service providers and the alignment of enforcement responsibilities with the GDPR.

However, WP29 has also expressed some significant concerns around the Proposed Regulation. In particular, WP29 highlighted issues regarding the proposed rules on the use of device data, the analysis of communications content and metadata, and the software settings offered by default. Interestingly, WP29 suggests there should be an explicit ban on tracking walls, which would seem to constrain platforms which require the use of cookies or tracking technologies to allow users to access a service. WP29 also recommend that the 'Do Not Track' standard should be respected, and has strongly recommended that 'Do Not Track' technical mechanisms are made mandatory for web browsers. For online service providers who are reliant on targeted advertising, or which have adblocker detectors in place, this is potentially significant.

In addition, WP29 is advocating a stricter standard for the tracking of the location of terminal equipment, such as smartphones and tablets. It states that the level of protection in the Proposed Regulation is lower than that in the GDPR, and it advocates the adoption of primarily consent-based approach. In relation to direct marketing, WP29 has expressed concern that the scope of direct marketing is too limited. WP29 wants the definition to be extended to all advertising sent, directed or presented to users. This could have a notable impact on the online advertising market.

What is expected next?

The proposed Regulation is not yet in its final form. There are two further rounds of legislative scrutiny due, as the European Parliament and Council will also have an opportunity to amend the legislation. If there is disagreement between the three bodies as to the final draft of the legislation, there may be a trilogue, a three way negotiation over the final text, as was needed to finalise the GDPR. As the legislative procedure moves forward, we may see some changes on foot of the WP29 recommendations.

For online operators, the Proposed Regulation is as significant as the GDPR due to the impact on potential advertising revenue. We should hope for a thorough debate as the legislation progresses to finalisation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.