The ePrivacy Directive was last updated in 2009 to provide clearer rules on customers' rights to privacy and confidentiality of communications online. It introduced the requirement to notify the competent national authorities, and in specific cases the concerned individuals, of personal data breaches and enabled people to take legal action against spammers. It ensured consumers were better informed about 'cookies' MEMO/09/568). The Directive also allows exemptions to certain privacy rules where law enforcement and national security is concerned. The digital landscape has evolved significantly since then. Many Europeans use internet-based voice and messaging services instead of, or in addition to, their mobile phones or fixed connections. In parallel, the EU has started a modernisation process of the data protection framework, culminating in the agreement on the General Data Protection Regulation (GDPR) last December (press release).
Through the consultation the Commission seeks to gather views on the effectiveness, efficiency relevance, and coherence of the current EU rules, and also on possible approaches for the revision of the Directive. It asks for input on scope; on how to ensure security and confidentiality of communications; on the rights of subscribers (e.g. to receive non-itemised bills and to be included in a directory); on unsolicited commercial communication; and on ways to improve the implementation and enforcement of the Directive. The consultation is open until 5th July 2016.
Commission seeks views
The Commission is specifically seeking input from telecom operators and other service providers, public authorities, consumer associations, citizens, businesses, equipment makers and academics. The reform of the ePrivacy rules will also be discussed in a stakeholder workshop in Brussels on 12 April. This spring, the Commission will also conduct a Eurobarometer survey on ePrivacy to see how Europeans feel about their privacy and confidentiality of communications as well as possible policy actions.
The ePrivacy review
The review of the ePrivacy Directive has several objectives:
- Ensuring consistency between the ePrivacy rules and the future General Data Protection Regulation. This implies assessing the existence of any duplication, redundancy, inconsistencies or unnecessary complexities of existing rules (e.g. personal data breach notifications).
- Assessing the need to update the ePrivacy rules, where necessary, in light of the new market and technological reality. The ePrivacy Directive only applies to traditional telecoms providers. New players which have become prominent in the electronic communications sector, e.g. providing instant messaging and voice over IP (also known as "over-the-top providers"), are currently not required to respect key provisions of the ePrivacy Directive.
- Enhancing security and confidentiality of communications throughout the EU. The ePrivacy Directive ensures security and confidentiality of communications for instance by guaranteeing protection against intrusions into users' devices. Under Article 5(3) of the Directive, storing information, or accessing information already stored in user's device requires his or her permission. The effectiveness of this provision has been contested and new tracking techniques, such as device fingerprinting, may not be properly covered by the existing rule. Finally, it has been argued that the list of exceptions to the consent rule needs to be extended to other non-invasive storing/accessing of information such as web-analytics. These are some of the aspects that will be carefully assessed in the evaluation and review of these provisions.
The Data Protection Directive 95/46/EC is the central legislative instrument in the protection of personal data in Europe. It will be replaced in 2018 by the General Data Protection Regulation (GDPR) ensuring modernised rules fit for the digital age.
The e-Privacy Directive complements the Data Protection Directive by, among others, setting-up specific rules concerning the processing of personal data in the electronic communication sector. It does so, for example, by requiring users’ consent before their traffic and location data can be used for commercial purposes. All matters not specifically addressed in the ePrivacy Directive are covered by the Data Protection Directive (and in the future by the GDPR). For example, this is the case of the rights of individuals such as the right to obtain access, rectification or erasure of their personal data.