EUROPE: e-Privacy Regulation; towards stricter rules for online marketing and IoT communications?

The Article 29 Working Party has issued an Opinion on the draft e-privacy regulation proposed by the European Commission on January 10, 2017 (we have previously commented on the draft regulation).

Among other things, the WP 29 appreciated the choice of a regulation rather than a directive, to make it fully complementary with the GDPR. It also appreciated the decision to align Over-the-Top (OTT) providers with telecoms operators with regard to confidentiality of communications, as well as the attempt to update the rules for online tracking. And it welcomed the extension of the regulation to machine-to-machine interaction, although the M2M provisions should be further expanded.

The WP 29 also raised some concerns about the fact that, if not changed, the regulation may in certain instances lower the protections granted by the GDPR. Such concerns may lead to stricter provisions or interpretations on, among other things, WiFi tracking, content and metadata, tracking walls, and privacy by default for terminal equipment and software.

More in particular, as for WiFi (and Bluetooth) tracking, the WP29 calls for the promotion of technical standards for mobile devices so that they can automatically signal an objection to such tracking, as the potential offer of an opt-out would pose an excessive burden on citizens.

Only in a limited number of circumstances are data controllers allowed to track physical movements without the consents of the individuals concerned, for instance when counting customers inside a location for security checks and provided that data are anonymized as soon as the statistical purposes are fulfilled.

In this respect, it should also be noted that the WP29 requires a data protection impact assessment to be carried out even when anonymization measures are applied.

The WP29 prompts that any content and metadata should be processed with the consent of all end users (senders and recipients) and be awarded the same level of protection. For instance, sending an email or other kind of personal communication from another service to an end-user who has personally consented to the processing of his or her content and metadata when signed up to a mail service would not constitute valid consent from the sender.

Besides, according to the WP29, metadata are too narrowly defined, as they should include also all data processed for the purposes of transmitting electronic communications content.

The WP29 added that the so-called tracking walls (the practice of denying access to a website or a service unless users consent on tracking on other websites or services) should be explicitly prohibited. This because not only internet access and mobile telephony, but also certain OTT are essential services.

Furthermore, there can be no valid consent through non-specific browser settings. A granular consent would be necessary: this means, for instance, that it the option to solely “accept (or refuse) all cookies” would be invalid. The WP29 also recommended to make it compulsory to implement technical mechanisms (including the “do not track” standards or other blacklists), also ensuring that when a denial is provided, no further consent requests can be made by the same organization for at least 6 months.

According to WP29 the draft regulation should be interpreted as affording at least the same or higher level of protection than the GDPR. Given that the sanctions provided by the draft regulation are aligned with those set out in the GDPR (although not yet fully harmonized), stricter interpretations affecting M2M, online marketing, geo localization and similar services will no doubt be a source of concern for many sectors, well beyond the electronic communication services industry.