- A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation)
- A Communication on “Building a European Data Economy” and
- A Communication on exchanging and protecting personal data in a globalized world.
This article has been produced to provide a summary of the proposals contained in the three initiatives and to highlight the possible impact they could have on the information sector.
The existing E-Privacy Directive 2002/58/EC sets out specific privacy-related rules for telecommunications, marketing, and digital services that complement those in the Data Protection Directive. However, following the enactment of the General Data Protection Regulation (GDPR), there has been a need to update the E-Privacy Directive.
The proposed new E-Privacy Regulation includes significant changes to the current framework that, if enacted in its current form, would impact a wide range of companies that operate online. Among other things, the draft introduces new rules in relation to traffic and location data, modifies the controversial “cookie” rule, and aligns fines for breach of the proposed Regulation with the GDPR – meaning a maximum fine of up to 4% of annual worldwide turnover for certain breaches.
Significant changes to the current framework include:
- A Regulation (to harmonize rules across Europe) with broad(er) territorial reach. The current E-Privacy Directive is implemented in a patchwork of national Member State laws; the leaked draft, however, is a Regulation, which requires no national implementing laws (and so would harmonize these rules across the European Union); this approach mirrors the approach taken by the GDPR. The geographic scope of the law has been clarified: unlike the current E-Privacy Directive, which applies only to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community,” the new proposal also applies where processing takes place outside the Union, provided those services are provided to end-users in the EU.
- Telecommunication over-the-top (OTT) services are clearly in scope. The current E-Privacy Directive applies to providers of public electronic communications services and networks — the meaning and scope of which has been subject to debate. In response to calls by telecoms providers to “level the playing field,” the new Regulation would also apply to so-called “OTT providers,” such as instant messaging and chat apps.
- Expansion of rules on confidentiality, interception, and traffic / location data. The E-Privacy Regulation would significantly tighten confidentiality requirements in relation to the processing of all “electronic communications data” (a term defined to include both “electronic communications metadata,” which covers traffic and location data, and “electronic communications content”). The Regulation would prohibit providers of electronic communications services from processing any such data without meeting strict grounds set out in the Regulation (one of which, in some circumstances, is the consent of end-users). In the case of processing of electronic communications content, such conditions are highly restrictive, and could require companies to consult with regulators prior to processing.
- Modifications to the “cookie law.” The law requiring consent for the use of certain cookies will be reformed, so that cookies are prohibited except where (i) the end-user has provided consent; (ii) where it is necessary for the purpose of carrying out communications over a network; (iii) where it is necessary for an information society service requested by the end-user, or where a provider of such a service measures use of the service; or (iv) where it is necessary for web audience measuring, provided that the measurement is carried out by an information society service at the request of the end-user. The standard of “consent” is also heightened, by reference to the high threshold set out in the GDPR.
- High(er) fines for breaches. The E-Privacy Regulation takes the same approach as the GDPR by introducing fines as high as EUR 20 million or 4% of total worldwide turnover, whichever is greater.
- “Privacy by design” requirement. The Regulation would introduce a wholly new requirement to mandate that software that “permits” electronic communications must “offer the option” to prevent third parties from storing, processing or using information on the end-user’s device. Consent will be required before any software is installed and, for software already installed, users will be put through the process “at the time of the first update of the software, but no later than 25 August 2018.”
- Similar rules on unsolicited communications but applied more broadly. The proposed Regulation’s rules on unsolicited communications are similar to the E-Privacy Directive; the rules on consent and the “soft opt-in” are maintained (although, unlike the E-Privacy Directive, there is no reference to “prior” consent). The rules would also be expanded, however, to apply expressly to “electronic communication services for the purpose of transmitting direct marketing communications,” rather than only to the “use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail [as defined].”
The draft proposed Regulation is envisaged to apply from May 25, 2018. The proposed regulation, if adopted in the form proposed, would be significant for the information industry, although a draft would have a long way to go before enactment. (The GDPR took four years to finalize from the point it was first proposed.) The European Parliament and Council will review the proposal before all three institutions debate its provisions in trilogue. This process will likely result in amendments to the proposed Regulation.
Building a European Data Economy
The Data Protection Directive, and soon the GDPR, provides the foundation for the free flow of personal data throughout the EU. However, Member States have imposed data localization restrictions for various reasons (e.g., in relation to patient health records, for auditing or law enforcement requirements). In addition, the GDPR and Data Protection Directive only provide for the free flow of data within the EU in relation to personal data, not non-personal data.
The Communication sets out to address these data localization requirements and transfer barriers. In addition, the Commission uses the document to address “emerging issues” that the Commission believes could lead to problems in the growing European “data economy” (a loose term that refers to the growing network of industrial data, machine-generated data related to the Internet of Things, and data pools generated by and for autonomous machinery, self-driving cars, and machine learning tools).
Free Flow of Data
Despite original intentions, the Commission avoided proposing legislation prohibiting data localization restrictions in the Communication. Instead, it proposes engaging in “structured dialogues with the Member States and other stakeholders on the justifications for and proportionality of data location measures.” Based on the results of the dialogues, the Commission may then “launch infringement proceedings to address unjustified or disproportionate data location measures.”
Emerging Issues in the Data Economy
In addition to the proposal to consult on data localization requirements, the Commission also floats proposals to address what it sees as “emerging issues” relating to the interdependent “data economy” (e.g., of machine-generated data, the Internet of Things (IoT), and machine-learning algorithms). Proposals discussed include:
- New ways to encourage exchange and transfer of data within the growing European data economy. This includes a variety of plans, including the potential institution of default contract rules; extending the scope of the Unfair Contract Terms Directive requirements to B2B contracts (section 3.4 of the Communication); new incentives for businesses to share data; and new rules to permit access by public authorities for public interest and scientific purposes.
- Mechanisms to apportion or clarify liability for emerging technologies such as the IoT and autonomous connected systems. The Commission’s concern is that existing EU law (e.g., the Product Liability Directive) will be evaluated in the context of IoT and autonomous connected systems (section 4.1 of the Communication). The Communication considers assigning liability to the “market players generating a major risk for others or to those market players which are best placed to minimize or avoid the realization of such risk.” The Communication also suggests coupling such an approach with a voluntary or mandatory insurance scheme that could compensate injured parties.
- Helping prevent customer “lock-in” to data economy products or systems (because customers may struggle to exchange, trade, or withdraw useful data from such products/systems). Suggested ways of addressing this include measures relating to the portability of non-personal data; the interoperability of services to allow data exchange; and technical standards for implementing portability.
Exchanging and protecting personal data in a globalized world
The Commission plans to expand mechanisms for data transfers out of the European Union in the coming months and years. The Communication issued on this topic discusses a number of topics:
- Adequacy decisions (immediate priorities are Japan and South Korea). The Commission will prioritize discussions relating to adequacy decisions to enable data flows to Japan and Korea in 2017, and also potentially India. Countries in Latin America (in particular Mercosur (the sub-regional bloc of Argentina, Brazil, Paraguay, Uruguay and Venezuela)) and non-EEA countries geographically near Europe are also identified as priorities. The Commission also re-commits to the ongoing monitoring of existing adequacy decisions (including the EU-U.S. Privacy Shield decision).
- Facilitating trade and effective enforcement by protecting privacy and international cooperation mechanisms. The Commission will also work in a range of fora with third countries that are engaged in promoting and adopting data protection laws to encourage data protection principles akin to those in the EU. For example, the Commission will encourage third countries to accede to Council of Europe Convention 108 and its additional Protocol, and will push for the Convention’s modernization and accession of the EU as a party to that Convention.
- Alternative data transfer mechanisms. The Commission will work with stakeholders to develop alternative personal data transfer mechanisms adapted to the particular needs or conditions of specific industries, business models and/or operations. (Such mechanisms could comprise codes of conduct or sector-specific adequacy decisions, for instance.)
About the Author: Neil Munroe is Deputy Managing Director of BIIA. He is also Principal Consultant of CRS Insights Limited. Neil comes to BIIA with 35 years’ experience in the financial services and credit reporting industries. For the last 12 years he was responsible for External Affairs and Communications at Equifax, which involved extensive customer, industry body and government liaison, monitoring regulatory and other external affairs that could influence the credit reporting industry in the UK. Since 2009 Neil has served as president of ACCIS, the Association of Consumer Credit Information Suppliers. Neil Munroe can be reached at: [email protected]