
Proposal for the ePrivacy Regulation 2019 Explanatory Memorandum

1.     CONTEXT OF THE PROPOSAL

1.1.   Reasons for and objectives of the proposal

The Digital Single Market Strategy (“DSM Strategy”)[1] has as an objective to increase trust in and the security of digital services. The reform of the data protection framework, and in particular the adoption of Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”)[2], was a key action to this end. The DSM Strategy also announced the review of Directive 2002/58/EC (“ePrivacy Directive”)[3] in order to provide a high level of privacy protection for users of electronic communications services and a level playing field for all market players. This proposal reviews the ePrivacy Directive, as foreseen in the DSM Strategy objectives, and ensures consistency with the GDPR.

The ePrivacy Directive ensures the protection of fundamental rights and freedoms, in particular, the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector. It also guarantees the free movement of electronic communications data, equipment and services in the Union. It implements in the Union’s secondary law the fundamental right to the respect for private life, with regard to communications, as enshrined in Article 7 of the Charter of Fundamental Rights of the European Union (“Charter”).

In line with the ‘Better Regulation’ requirements, the Commission carried out an ex post Regulatory Fitness and Performance Programme evaluation (“REFIT evaluation”) of the ePrivacy Directive. It follows from the evaluation that the objectives and principles of the current framework remain sound. However, important technological and economic developments have taken place in the market since the last revision of the ePrivacy Directive in 2009. Consumers and businesses increasingly rely on new Internet-based services enabling inter-personal communications, such as Voice over IP, instant messaging and web-based e-mail services, instead of traditional communications services. These Over-the-Top communications services (“OTTs”) are in general not subject to the current Union electronic communications framework, including the ePrivacy Directive. Accordingly, the Directive has not kept pace with technological developments, resulting in a void of protection for communications conveyed through new services.

[1] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Single Market Strategy for Europe, COM(2015) 192 final.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).

[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p.37).

1.2.   Consistency with existing policy provisions in the policy area

This proposal is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR. The alignment with the GDPR resulted in the repeal of some provisions, such as the security obligations of Article 4 of the ePrivacy Directive.

1.3.   Consistency with other Union policies

The ePrivacy Directive is part of the regulatory framework for electronic communications. In 2016, the Commission adopted the proposal for a Directive establishing the European Electronic Communications Code (“EECC”)[1], which revises the framework. While the present proposal is not an integral part of the EECC, it partially relies on definitions provided therein, including that of ‘electronic communications services’. Like the EECC, this proposal also brings OTT providers within its scope to reflect the market reality. In addition, the EECC complements this proposal by ensuring the security of electronic communications services.

The Radio Equipment Directive 2014/53/EU (“RED”)[2] ensures a single market for radio equipment. In particular, it requires that, before being placed on the market, radio equipment must incorporate safeguards to ensure that the personal data and privacy of the user are protected. Under the RED and the European Standardisation Regulation (EU) 1025/2012[3], the Commission is empowered to adopt measures. This proposal does not affect the RED.

The proposal does not include any specific provisions in the field of data retention. It maintains the substance of Article 15 of the ePrivacy Directive and aligns it with the specific wording of Article 23 of the GDPR, which provides grounds for the Member States to restrict the scope of the rights and obligations in specific articles of the ePrivacy Directive. Therefore, Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law, taking into account the case-law of the Court of Justice on the interpretation of the ePrivacy Directive and the Charter of Fundamental Rights[4].

Finally, the proposal does not apply to the activities of Union institutions, bodies and agencies. However, its principles and relevant obligations as to the right to respect for private life and communications in relation to the processing of electronic communications data have been included in the Proposal for a Regulation repealing Regulation (EC) No 45/2001[5].

[1] Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final – 2016/0288 (COD)).

[2] Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62–106).

[3] Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12–33).

[4] See Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, ECLI:EU:C:2014:238; Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State for the Home Department, ECLI:EU:C:2016:970.

[5] Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1–22).

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

2.1.   Legal basis

Article 16 and Article 114 of the Treaty on the Functioning of the European Union (“TFEU”) are the relevant legal bases for the proposal.

Article 16 TFEU introduces a specific legal basis for the adoption of rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, by the Member States when carrying out activities falling within the scope of Union law, and rules relating to the free movement of such data. Since an electronic communication involving a natural person will normally qualify as personal data, the protection of natural persons with regard to the privacy of communications and processing of such data should be based on Article 16.

In addition, the proposal aims at protecting communications and related legitimate interests of legal persons. The meaning and scope of the rights under Article 7 of the Charter shall, in accordance with Article 52(3) of the Charter, be the same as those laid down in Article 8(1) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (“ECHR”). As regards the scope of Article 7 of the Charter, the case-law of the Court of Justice of the European Union (“CJEU”)[1] and of the European Court of Human Rights[2] confirms that professional activities of legal persons may not be excluded from the protection of the right guaranteed by Article 7 of the Charter and Article 8 of the ECHR.

Since the initiative pursues a twofold purpose, and since the component concerning the protection of communications of legal persons and the aim of achieving the internal market for those electronic communications and ensuring its functioning cannot be considered merely incidental, the initiative should also be based on Article 114 of the TFEU.

2.2.   Subsidiarity

Respect for communications is a fundamental right recognised in the Charter. The content of electronic communications may reveal highly sensitive information about the end-users involved in the communication. Similarly, metadata derived from electronic communications may also reveal very sensitive and personal information, as expressly recognised by the CJEU[3]. The majority of Member States also recognise the need to protect communications as a distinct constitutional right. Whilst it is possible for the Member States to enact policies which ensure that this right is not breached, this would not be achieved in a uniform way in the absence of Union rules and would create restrictions on cross-border flows of personal and non-personal data related to the use of electronic communications services. Finally, to maintain consistency with the GDPR, it is necessary to review the ePrivacy Directive and adopt measures to bring the two instruments in line.

The technological developments and the ambitions of the DSM Strategy have strengthened the case for action at the Union level. The success of the EU DSM depends on how effectively the EU brings down national silos and barriers and seizes the advantages and economies of a European digital single market. Moreover, as the internet and digital technologies know no borders, the dimension of the problem goes beyond the territory of a single Member State. Member States cannot effectively solve the problems in the current situation. A level playing field for economic operators providing substitutable services and equal protection of end-users at Union level are requirements for the DSM to work properly.

2.3.   Proportionality

To ensure the effective legal protection of respect for privacy and communications, an extension of scope to cover OTT providers is necessary. While several popular OTT providers already comply, or partially comply, with the principle of confidentiality of communications, the protection of fundamental rights cannot be left to self-regulation by industry. Also, the importance of the effective protection of privacy of terminal equipment is increasing, as it has become indispensable in personal and professional life for the storage of sensitive information. The implementation of the ePrivacy Directive has not been effective in empowering end-users. Therefore, implementing the principle by centralising consent in software and prompting users with information about its privacy settings is necessary to achieve the aim. Regarding the enforcement of this Regulation, it relies on the supervisory authorities and the consistency mechanism of the GDPR. Moreover, the proposal allows the Member States to take national derogatory measures for specific legitimate purposes. Thus, the proposal does not go beyond what is necessary to achieve the aims and complies with the principle of proportionality as set out in Article 5 of the Treaty on European Union. The obligations put on affected services are kept to the minimum possible, while not impinging on the fundamental rights concerned.

2.4.   Choice of the instrument

The Commission puts forward a proposal for a Regulation in order to ensure consistency with the GDPR and legal certainty for users and businesses alike by avoiding divergent interpretation in the Member States. A Regulation can ensure an equal level of protection throughout the Union for users and lower compliance costs for businesses operating across borders.

[1] See C-450/06 Varec SA, ECLI:EU:C:2008:91, §48.

[2] See, inter alia, ECHR, judgments Niemietz v Germany, judgment of 16 December 1992, Series A n° 251-B, §29; Société Colas Est and Others v France, no 37971/97, §41; ECHR 2002-III; Peck v The United Kingdom no 44647/98, §57, ECHR 2003-I; and also Vinci Construction and GTM Génie Civil et Services v. France, n°s. 63629/10 and 60567/10, § 63, 2 April 2015.

[3] See footnote 7.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

3.1.   Ex-post evaluations/fitness checks of existing legislation

The REFIT evaluation examined how efficiently the ePrivacy Directive has contributed to adequate protection of the respect for private life and confidentiality of communications in the EU. It also sought to identify possible redundancies.

The REFIT evaluation concluded that the above objectives of the Directive remain relevant. While the GDPR ensures the protection of personal data, the ePrivacy Directive ensures the confidentiality of communications, which may also contain non-personal data and data related to a legal person. Therefore, a separate instrument should ensure effective protection of Article 7 of the Charter. Other provisions, such as the rules on the sending of unsolicited marketing communications, have proven to remain relevant too.

In terms of effectiveness and efficiency, the REFIT evaluation found that the Directive has not fully met its objectives. The unclear drafting of certain provisions and ambiguity in legal concepts have jeopardised harmonisation, thereby creating challenges for businesses operating cross-border. The evaluation further showed that some provisions have created an unnecessary burden on businesses and consumers. For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives, as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent. The consent rule is over-inclusive, as it also covers non-privacy-intrusive practices, and under-inclusive, as it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access to or storage in the device. Finally, its implementation can be costly for businesses.

The evaluation concluded that the ePrivacy rules still have EU added-value for better achieving the objective of ensuring online privacy in the light of an increasingly transnational electronic communications market. It also demonstrated that overall the rules are coherent with other relevant legislation, although a few redundancies have been identified vis-à-vis the new GDPR (see in Section 1.2).

3.2.   Stakeholder consultations

The Commission organised a public consultation between 12 April and 5 July 2016 and received 421 replies[1]. The key findings are the following[2]:

  • Need for special rules for the electronic communications sector on confidentiality of electronic communications:4% of the responding citizens, consumer and civil society organisations and 88.9% of public authorities agree, while 63.4% of industry respondents do not agree.
  • Extension of scope to new communications services (OTTs): 76% of citizens and civil society and 93.1% of public authorities agree, while only 36.2% of respondents from industry favour such an extension.
  • Amending the exemptions to consent for processing traffic and location data:1% of citizens, consumer and civil society organisations and 36% of public authorities prefer not to broaden the exemptions, while 36% of the industry favour extended exemptions and 2/3 of industry advocate the mere repeal of the provisions.
  • Support for solutions proposed to the cookie consent issue:2% of citizens and 63% of public authorities support imposing obligations on manufacturers of terminal equipment to market products with privacy-by-default settings activated, while 58.3% of industry favour the option to support self/co-regulation.

In addition, the European Commission organised two workshops in April 2016, one open to all stakeholders and one open to national competent authorities, addressing the main questions of the public consultations. The views expressed during the workshops reflected the outcome of the public consultation.

To obtain views from citizens, a Eurobarometer survey on ePrivacy[3] was conducted throughout the EU. The key findings are the following[4]:

  • 78% say it is very important that personal information on their computer, smartphone or tablet can only be accessed with their permission.
  • 72% state that it is very important that the confidentiality of their e-mails and online instant messaging is guaranteed.
  • 89% agree with the suggested option that the default settings of their browser should stop the sharing of their information.

3.3.   Collection and use of expertise

The Commission relied on the following external expert advice:

  • Targeted consultations of EU expert groups: Opinion of the Article 29 Working Party; Opinion of the EDPS; Opinion of the REFIT Platform; views of BEREC; views of ENISA and views of members of the Consumer Protection and Cooperation Network.
  • External expertise, particularly the following two studies:
      – Study “ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation” (SMART 2013/007116).
      – Study “Evaluation and review of Directive 2002/58 on privacy and the electronic communication sector” (SMART 2016/0080).

3.4.   Impact assessment

An impact assessment was carried out for this proposal, on which the Regulatory Scrutiny Board issued a positive opinion on 28 September 2016[5]. To address the recommendations of the Board, the impact assessment explains better the scope of the initiative, its coherence with other legal instruments (GDPR, EECC, RED) and the need for a separate instrument. The baseline scenario is further developed and clarified. The analysis of the impacts is strengthened and made more balanced, clarifying and reinforcing the description of the expected costs and benefits.

The following policy options were examined against the criteria of effectiveness, efficiency and coherence:

  • Option 1: Non-legislative (“soft law”) measures;
  • Option 2: Limited reinforcement of privacy/confidentiality and simplification;
  • Option 3: Measured reinforcement of privacy/confidentiality and simplification;
  • Option 4: Far-reaching reinforcement of privacy/confidentiality and simplification;
  • Option 5: Repeal of the ePrivacy Directive.

Option 3 was, in most aspects, singled out as the preferred option to achieve the objectives, while taking into account its efficiency and coherence. The main benefits are:

  • Enhancing the protection of confidentiality of electronic communications by extending the scope of the legal instrument to include new functionally equivalent electronic communications services. In addition, the Regulation enhances end-users’ control by clarifying that consent can be expressed through appropriate technical settings.
  • Enhancing protection against unsolicited communications, with the introduction of an obligation to provide the calling line identification or a mandatory prefix for marketing calls and enhanced possibilities to block calls from unwanted numbers.
  • Simplifying and clarifying the regulatory environment, by reducing the margin of manoeuvre left to the Member States, repealing outdated provisions and broadening the exceptions to the consent rules.

The economic impact of Option 3 is expected to be overall proportionate to the aims of the proposal. Business opportunities related to the processing of communications data are opened up for traditional electronic communications services, while OTT providers become subject to the same rules. This implies some additional compliance costs for these operators. However, this change will not substantially affect those OTTs that already operate on the basis of consent. Finally, the impact of the option would not be felt in the Member States that have extended these rules to OTTs already.

By centralising the consent in software such as internet browsers and prompting users to choose their privacy settings and expanding the exceptions to the cookie consent rule, a significant proportion of businesses would be able to do away with cookie banners and notices, thus leading to potentially significant cost savings and simplification. However, it may become more difficult for online targeted advertisers to obtain consent if a large proportion of users opt for “reject third party cookies” settings. At the same time, centralising consent does not deprive website operators of the possibility to obtain consent by means of individual requests to end-users and thus maintain their current business model. Additional costs would ensue for some providers of browsers or similar software as these would need to ensure privacy-friendly settings.

The external study identified three distinct implementation scenarios of Option 3, depending on which entity establishes the dialogue box between a user who has chosen “reject third-party cookies” or “do-not-track” settings and the websites visited that wish the user to reconsider that choice. The entities that could be put in charge of this technical task are 1) software such as internet browsers; 2) the third-party tracker; 3) the individual websites (i.e. the information society service requested by the user). Option 3 would lead to overall savings in compliance cost of 70% compared to the baseline scenario (€948.8 million in savings) in the first scenario (browser solution), which is the one implemented in this proposal. Cost savings would be lower in the other scenarios. As the overall savings largely derive from a very significant decrease in the number of affected businesses, the compliance costs that an individual business is expected to incur would, on average, be higher than today.

3.5.   Regulatory fitness and simplification

The policy measures proposed under the preferred option address the objective of simplification and reduction of administrative burden, in line with the findings of the REFIT evaluation and Opinion of the REFIT Platform[6].

The REFIT Platform issued three sets of recommendations to the Commission:

  • The protection of citizens’ private life should be strengthened through an alignment of the ePrivacy Directive with the General Data Protection Regulation;
  • The effectiveness of citizens’ protection against unsolicited marketing should be enhanced by adding exceptions to the ‘consent’ rule for cookies;
  • The Commission should address national implementation problems and facilitate the exchange of best practice amongst the Member States.

The proposal includes specifically:

  • Use of technologically neutral definitions to apprehend new services and technologies to ensure that the Regulation is future-proof;
  • Repeal of the security rules to eliminate regulatory duplication;
  • Clarification of scope to help eliminate/reduce the risk of divergent implementation by Member States (point 3 of the Opinion);
  • Clarification and simplification of the consent rule for the use of cookies and other identifiers, as explained in Sections 3.1 and 3.4 (point 2 of the Opinion);
  • Alignment of the supervisory authorities with the authorities competent to enforce the GDPR and reliance on the consistency mechanism of the GDPR.

3.6.   Impact on fundamental rights

The proposal aims to make more effective, and to increase, the level of protection of privacy and personal data processed in relation to electronic communications, in accordance with Articles 7 and 8 of the Charter, and to ensure greater legal certainty. The proposal complements and particularises the GDPR. Effective protection of the confidentiality of communications is essential for exercising the freedom of expression and information and other related rights, such as the right to personal data protection or the freedom of thought, conscience and religion.

[1] 162 contributions from citizens, 33 from civil society and consumer organisations; 186 from industry and 40 from public authorities, including competent authorities enforcing the ePrivacy Directive.

[2] The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37204.

[3] 2016 Eurobarometer survey (EB) 443 on e-Privacy (SMART 2016/079).

[4] The full report is available: https://ec.europa.eu/digital-single-market/news-redirect/37205.

[5] http://ec.europa.eu/transparency/regdoc/?fuseaction=ia.

[6] http://ec.europa.eu/smart-regulation/refit/refit-platform/docs/recommendations/opinion_comm_net.pdf.

4. BUDGETARY IMPLICATIONS

The proposal has no implications for the Union budget.

5. OTHER ELEMENTS

5.1.   Implementation plans and monitoring, evaluation and reporting arrangements

The Commission will monitor the application of the Regulation and submit a report on its evaluation to the European Parliament and to the Council and the European Economic and Social Committee every three years. These reports will be public and detail the effective application and enforcement of this Regulation.

5.2.   Detailed explanation of the specific provisions of the proposal

Chapter I contains the general provisions: the subject matter (Article 1), the scope (Articles 2 and 3) and its definitions, including references to relevant definitions from other EU instruments, such as the GDPR.

Chapter II contains the key provisions ensuring the confidentiality of electronic communications (Article 5) and the limited permitted purposes and conditions of processing such communications data (Articles 6 and 7). It also addresses the protection of terminal equipment, by (i) guaranteeing the integrity of the information stored in it and (ii) protecting information emitted from the terminal equipment, as it may enable the identification of its end-user (Article 8). Finally, Article 9 details the consent of end-users, a central lawful ground of this Regulation, expressly referring to its definition and conditions as provided by the GDPR, while Article 10 imposes an obligation on providers of software permitting electronic communications to help end-users in making effective choices about privacy settings. Article 11 details the purposes and conditions for the Member States to restrict the above provisions.

Chapter III concerns the rights of end-users to control the sending and reception of electronic communications to protect their privacy: (i) the right of end-users to prevent the presentation of the calling line identification to guarantee anonymity (Article 12), with its limitations (Article 13); and (ii) the obligation for providers of publicly available number-based interpersonal communications services to provide for the possibility to limit the reception of unwanted calls (Article 14). This Chapter also regulates the conditions under which end-users may be included in publicly available directories (Article 15) and the conditions under which unsolicited communications for direct marketing may be conducted (Article 17). It also relates to security risks and provides for an obligation upon providers of electronic communications services to alert end-users in case of a particular risk that may compromise the security of networks and services. The security obligations in the GDPR and in the EECC will apply to the providers of electronic communications services.

Chapter IV sets out the supervision and enforcement of this Regulation and entrusts it to the supervisory authorities in charge of the GDPR, in view of the strong synergies between general data protection issues and confidentiality of communications (Article 18). The powers of the European Data Protection Board are extended (Article 19) and the cooperation and consistency mechanism foreseen under the GDPR will apply in case of cross-border matters related to this Regulation (Article 20).

Chapter V details the various remedies available to end-users (Articles 21 and 22) and the penalties that can be imposed (Article 24), including the general conditions for imposing administrative fines (Article 23).

Chapter VI relates to the adoption of delegated and implementing acts in accordance with Articles 290 and 291 of the Treaty.

Finally, Chapter VII contains the final provisions of this Regulation: the repeal of the ePrivacy Directive, the monitoring and review, the entry into force and application. Concerning the review, the Commission intends to evaluate, inter alia, whether a separate legal act remains necessary in the light of legal, technical or economic developments and taking into account the first evaluation of Regulation (EU) 2016/679 which is due by 25 May 2020.