The European Union is currently working on a major update to privacy laws that could have a major impact on current digital business models. The EU General Data Protection Regulation (GDPR), which updated the 1995 Data Protection Directive imposing stricter obligations on transparency and accountability for digital actors has been in force for shortly over a year and businesses who are still struggling to comply have already got to watch out for the new ePrivacy regulation which could come to reinforce existing obligations.
Effectively, in addition to the GDPR, another complementary text aims to protect personal data and privacy of online communications: the e-Privacy Directive (2002/58 / EC) which is currently under revision to be replaced by a Regulation whose Proposal by the European Commission was published on January 10, 2017 but is still being negotiated. The main difference between a regulation and a directive is that while regulations become automatically binding throughout the EU on the date of their entry into force, directives must be incorporated into national law by the EU countries. With a directive, countries are required to achieve a certain result, but are allowed to choose how to achieve it. That said, the regulation is not just a reinforced version of the directive. The proposed Regulation is based on an in-depth evaluation of the Directive and addresses the shortcomings of the Directive, on the one hand, and on the other, the digital and legislative developments (such as the GDPR) that have occurred since its last revision.
Indeed, this future regulation is the subject of much debate in that it might question the business model of the industry and notably AdTech players. This regulation is one of the flagship actions in the framework of the Digital Single Market strategy, aimed at strengthening confidence and security in the digital age. This text differs from the GDPR in its scope in that it is not limited to the protection of natural persons but also includes legal persons. The GDPR for example, deals with general personal data whereas the proposed update to e-Privacy rules is intended to supplement the GDPR by addressing specifically the confidentiality of electronic communications, and the tracking of internet users. It therefore covers marketing and other tracking technologies (including but not limited to cookies); and is intended to fight issues involving spam, as well as respond to excessive profiling and behavioral advertising by requiring transparency and affirmative consent.
The key points of the reform that are particularly expected are the supervision of OTT media services (so-called “Over the Top” actors such as Skype, Whatsapp, Messenger, etc.), the supervision of cookies and tracking technologies, the strengthening of the consent of users, the definition of data retention periods and the determination of the scope of authority of the supervisory authorities. There are multiple stakes that require the establishment of long-lasting, adjustable and flexible rules, taking into account the latest developments in digital technologies (artificial intelligence, M2M, IoT). Like the GDPR, the proposed e-Privacy Regulation would apply to companies offering services in Europe not only to those based in Europe and it also includes major penalties for violations (of up to 2% or 4% of a company’s global annual turnover) which is also intended to boost enforcement and consistency of EU privacy rules.
Negotiations over the regulations continue to stall over major disagreements on how the new law could affect the business model of companies who greatly rely on tracking and behavioral advertising to make any revenue. One of the major bones of contention is the opt-in for cookies and trackers which adtech associations are completely opposed to as they find it conflicting to their ad-supported business models which heavily rely on cookies and tracking technologies to try to monetize free content via targeted ads. ePrivacy is therefore a major lobbying target for the media and publishing associations such as the IAB who don’t want it to alter their existing business models.
The Romanian Presidency of the EU Council recently released a progress report summarising progress on the e-privacy proposal. Through discussions between Working Party on Telecommunications and Information Society (WP TELE) and the EU Council, some delegations have repeatedly raised concerns about the articulation of the e-Privacy and new technologies regulation proposal. According to this report, several clarifications were made by the Commission, in particular concerning recitals 13 (on end-user groups), 20 (on the end user) and 21 (on consent).
The other issue raised was the issue of the processing of personal data for purposes of prevention, image detection and reporting of abuse of minors. Some Member States proposed including a provision to this effect in Article 6 of the proposal on the lawfulness of processing, but others argued that this issue could be better addressed in the context of Article 11 relating to “limitations”. WP TELE also discussed the need for adequate safeguards for this type of processing. Discussions also involve the question of how long data should be kept and on the need to maintain the possibility for existing and future data retention regimes. The Presidency has therefore proposed a compromise text for Article 11 accompanied by recital 26. The Presidency has also paid particular attention to the provisions on supervisory authorities with the aim of providing Member States with greater flexibility while respecting the independence requirements of Art. 8 (3) of the EU Charter, now expressly recalled in recital 38. In addition, the Presidency also introduced important clarifications regarding cross-border cooperation as well as the role and involvement of the European Data Protection Board (EDPB). There was therefore a lot of progress under the Romanian presidency but not enough to push the legislation through to vote because there is yet to be a consensus.
On 26 July 2019, the Finnish Presidency of the EU Council issued a revised proposal for the e-Privacy Regulation with some amendments concerning article 6 by dividing it into four distinct provisions to clarify their respective scope notably; electronic communication content, data & metadata, and further processing of metadata to be discussed during a next Council meeting on 9 September 2019. It also involves amendments in Recital 32 and Article 16 concerning the scope of rules on unsolicited communications which suggest that targeted advertising might not constitute direct marketing communications under the ePrivacy Regulation contrary to the previous version which only excluded advertising displayed online to the general public. So far, the ePrivacy regulation has some consistencies; cookies and other tracking devices are still subject to prior consent, there is common consensus on the secrecy of electronic communications data equally applicable to M2M and IoT communications and unsolicited commercial communications by electronic means (“spam”) are still prohibited.
Privacy of personal communications is a fundamental right in Europe which requires an adequate legal framework to defend it against technological erosion. A huge problem of the modern adtech industry is that it is the cash cow of the 21st century yet it is ringed by a lack of transparency and limited consent mechanisms. Users who need to know what is being done with their data, who is doing it and for what specific outcomes feel exploited. The final approval still appears far to happen, but companies need to start getting ready by following discussions around this regulation in order to anticipate compliance.