The forthcoming European Regulation on Privacy and Electronic Communications

An overview on new regulations relevant for businesses

The Commission releases a draft Regulation to replace the Directive on Privacy and Electronic Communications. The amendment to the regulatory regime of the General Data Protection Regulation effects in new requirements regarding the provisioning of electronic communications and information services.

The Directive 2002/58/EC of the European Parliament and of the Council of June 12, 2002 (“e-Privacy Directive”) defines the legal framework for the legislation of the Member States of the European Union in the field of data protection and privacy in the use of electronic communications services and means. This area of regulation, which is particularly important for the internal digital market, has just recently drawn wide public attention when the e-Privacy Directive was amended by Directive 2009/136/EU ("Cookie Directive") in 2013, but not actively adopted by the German legislator subsequently.

Since the European Commission published its official proposal to reform the e-Privacy Directive on January 10, 2017 (COM [2017] 10 final - "Commission Proposal"), there is a current reason for both providers and users of Internet services to familiarize themselves with the most important innovations that the Commission Proposal will bring to the current legal situation.

In the overall context of European legislation, the current legislative impetus is an important part of the European Commission's global strategy for the digital single market (in another context, we reported here), which should contribute to the creation of optimal market conditions for digital networks and services. Despite the small amount of time that has elapsed since the Cookie Directive entered into force, the EU Commission sees a need for reforms, mainly due to two developments: first, to ensure that the specific sector of privacy and data protection in electronic communications will seamlessly integrate into the overall regulatory framework established by the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2017 (General Data Protection Regulation - “GDPR”); second, the regulatory inclusion of internet-based communications services (including the so-called "over-the-top" services in particular), whose social and economic relevance has steadily increased in recent years, but which have so far been excluded from the obligations of the e-privacy directive and whose regulatory inclusion therefore is an important issue for users of internet services and competing communications service providers alike.

The remainder of this article shall give a brief overview of the changes to the rights of internet users on the one hand, and to what extent the business of e-commerce merchants offering tele media and / or communications services on the other hand will be affected by the Commission Proposal.

1. Which companies are committed by the Commission Proposal?

In principle, regardless of the place where the company is based and registered, the Commission Proposal applies to all providers facilitating the use of electronic communications services for end-users in the European Union. This applies irrespective of whether the provider's service is delivered for consideration in form of payment.

It is also important to note that the Commission Proposal adopts the definition of the 'electronic communications service' of the proposal for a Directive of the European Parliament and of the Council on the European Code of Electronic Communications (COM [2016] 590 final – “Codex”), which provides the information required to date in art. 2 lit. c) that considerably expands the established definition for such services (see art. 2 lit. c) of the Directive 2002/21/EC and sec. 3 para. 24 of the German Telecommunications Act respectively) with the objective of establishing a uniformly applicable regulatory framework for all communications services independently of technical implementation.

In this way, the Commission Proposal - as it was previously the case under the e-Privacy Directive - obliges enterprises to offer information and communications services that are not telecommunications in the narrower sense or broadcasting (e.g. businesses running a company website), as well as providers of "classical" telecommunication services (e.g. voice telephony and SMS). In some cases, this does also include companies running communications services exclusively within their own intranets.

At the same time and for the first time, internet access providers as well as providers of so-called over-the-top services ("OTT services") are covered by the scope of application (see also recitals 15 and 17 of the Commission Proposal). OTT services are services and applications that are made available to the end-user via the open Internet and which, in the widest sense, enable individual communication among users; subcategories of such services include e-mail services (e.g. Gmail, web.de or GMX), instant messenger applications (e.g. WhatsApp, Facebook Messenger or Google Hangouts) and voice & video services (e.g. Skype). The regulatory integration of these services is welcome both from the point of view of consumers and providers of "classical" telecommunications services. Already within the framework of the consultation procedure preceding the Commission Proposal, a clear majority within civil society had expressed the view that communications services should be equally regulated by law, as far as they are functionally comparable from the perspective of end users. Given the rapidly growing importance of purely internet-based communications services for the actual communication behaviour of European consumers, the inclusion of OTT services will certainly help to protect the rights of European citizens to data protection and privacy more effectively in the field of online communications. At the same time, providers of "classical" telecommunications services seem to have successfully argued their case that OTT services must be subject to the same regulatory conditions in order to create competitive equality of opportunity.

Finally, it should be mentioned that the foregoing provisions will replace the existing privacy and advertising provisions of the German Telemedia Act (“TMG”), the German Telecommunications Act (“TKG”) and the German Unfair Competition Act (“UWG”), and to this extent bring about a significant change in the applicable national law.

2. To which kind of data does the Commission Proposal apply?

Whereas the decisive terms were previously distributed amongst the German Federal Data Protection Act (“personal data”), TKG (“traffic and location data”) and TMG (“stock and usage data”), the determination of the relevant rights and obligations of the parties now centers on the term of "electronic communications data" (see art. 4 para. 3 lit. a) of the Commission Proposal), distinguishing between actual communication content and corresponding metadata (i.e. data on the not content-related circumstances of the communication).

The processing of inventory data or usage data relevant to the business of most companies in the sense of sec. 14 et seq. TMG (e.g. customer relationship management data or data on time, duration and type of communication) will be regulated in the future as processing "electronic communication metadata". The question as to whether and, if so, how much effort can be attributed to such a metadata of a particular person plays, unlike the core data protection law, no central role in the Commission Proposal. However, the Commission seems to assume that the processing and use of metadata from a user’s terminal device does not require its user’s consent, provided that no interference with the privacy of the concerned user is to be expected (see recital 21 of the Commission Proposal). At the present state of the legislative process, the potential implications of this vaguely formulated assessment on data protection practice remain relatively unclear.

3. Under what conditions may companies process customer’s electronic communications data?

Art. 5 of the Commission Proposal provides for a general prohibition of processing and use of communication data. The same shall apply mutatis mutandis for access to the data processing functions of terminal equipment as well as the data from such devices (cf. art. 8 of the Commission Proposal). Respective processing actions shall be deemed permissible only where a statutory permission applies, or if the data subject has duly consented. The following is a brief overview of the future legal system and frameworks that companies must adhere to within the provision of their own websites and the use of tracking technology for advertising purposes.

a) Legal permissions and necessity of consent

The use of cookies and comparable tracking technologies should fall under the provisions of art. 8 para. 1 of the Commission Proposal, qualifying as a use of a storage function of the terminal equipment of the user.

For the use of cookies and comparable tracking for advertising purposes, art. 8 para. 1 of the Commission Proposal does not provide for a specific regulation, so that companies in the future are generally dependent on the user's consent. In this context, the question also arises as to whether companies may continue to rely upon sec. 15 para. 3 TMG for the purpose of creating pseudonyms of use profiles for advertising purposes. Due to this regulation, operators of websites in Germany were allowed to use cookies for advertising purposes on a regular basis if website visitors were informed about the type, scope and purpose of the use of the cookies when the website was called and as long as they did not make use of their right of objection. This should no longer be permissible in this form. The Commission Proposal, being directly applicable within the Member States of the European Union, does not provide for a similar stipulation. Thus, any production of pseudonymous user profiles for advertising purposes will require the concerned user to consent to such action by means of a voluntarily, informed, unambiguous declaration of consent, each limited to a particular (group of) case(s), and each explained by an affirmative action (cf. art. 9 para. 1 of the Commission Proposal; art. 4 para. 11 GDPR).

At the same time, the Commission Proposal provides for a number of cases in which the use of communication metadata remains permissible even without the user's consent. This applies in particular to necessary data processing for the detection or termination of fraudulent or abusive uses of the web services offered by the processing company (or of a corresponding contract), for the provision of the service and / or implementation of the communication process (in particular in the form of the use of session-restricted cookies), and for the enabling of measurements on data traffic to the website of the respective company.

b) Procedure for obtaining consent:

First of all it is important to point out that the Commission Proposal retains the basic requirement of a so-called opt-out procedure for acquiring consent to data processing, as it was already established by art. 2 para. 5 of the Cookie Directive (see recitals 3, 18 of the Commission Proposal and recital 3 GDPR).

Further legal clarity is also brought to the question under which circumstances consent can also be derived from the (privacy-)settings of software enabling electronic communications (e.g. internet browsers). The Article 29 Data Protection Working Party already pointed out that a browser setting could only be considered as due consent under data protection law if both the software and the specific tracking mechanism comply with the general data protection regulations (cf. Opinion 2/2010 on online behavioural advertising). The Commission Proposal takes up this approach and now clarifies that companies, in principle, may obtain consent to the use and processing of information via the (privacy-)setting of the browser installed on the end user device of the concerned user (cf. art. 9 para. 2). However, this only applies if the person concerned has had to change the browser setting actively in order to give the consent and the other conditions, such as voluntariness and prior information (etc.) are respected (cf. recital 24). It is also worth mentioning in this context that the Commission Proposal envisaged an increased involvement of software vendors, who shall become gradually obligated to gear the design and operation of their programs towards ensuring that users make efficient use of their data protection functions (cf. art. 10 and recitals 23 et seq.). However, unlike in a draft version of the Commission Proposal published in November 2016, software producers are not compelled to deliver their software products with certain default-settings; users must only be informed about the possibility to alter such settings and asked for a respective decision in the course of the installation process (cf. art. 10 para. 2 of the Commission Proposal).

With regard to the voluntariness of the consent to the processing of data from the use of internet or voice communication services, recital 18 of the Commission Proposal states that such consent shall not been deemed duly obtained when the concerned user had no real and free choice or cannot refuse or revoke his consent without incurring disadvantages. Accordingly, companies are also confronted with the question as to what extent the existing prohibition of "general coupling" of access and usability of their website and/or other services to consenting to the use of cookies (see recital 25 of the e-privacy directive) will be broadened in a manner also prohibiting to make the provision of their service dependent upon the users’ consent to the company's privacy policy.

4. Ad-blocking and e-mail marketing

Regarding the current practice of direct e-mail advertising with existing customers, the Commission Proposal will not bring any significant change in legal regulation; although it also provides for a general authorization reservation for direct advertising towards natural persons by means of electronic communications services, the exemption for e-mail addresses of existing customers already contained in art. 13 para. 2 of the e-privacy Directive is maintained (cf. art. 16 para. 2 of the Commission Proposal).

The Commission Proposal also introduces new movement into the controversy over the admissibility of an access denial against users of so-called ad-block programs. So far, it has been controversial to what extent this practice may be allowed to safeguard legitimate interests of the service providers concerned. The Commission has now made the statement that the determination of whether the user is using an ad-block program shall not constitute a use of data from the terminal device of the concerned user and thus does not require his prior consent (see recital 21). However, it seems premature to conclude on the appropriateness of implementing mechanisms of access denials towards users of ad-block programs. Considering that if the affected user decides to switch off his ad-block program in order to gain access to the website content, there may be doubts as to whether the consent given under these circumstances could be considered freely and therefore validly obtained.

Did you find this useful?