Directive 2002/58/EC on privacy and electronic communications (“ePrivacy Directive”) contains a specific set of rules on the processing of personal data in the electronic communications sector. The ePrivacy Directive complements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and provides, among other things, for specific rules on the processing of traffic data and location data and on data breach notifications that only apply to telecom providers.
Directive 95/46/EC is expected to be replaced soon by a new General Data Protection Regulation (GDPR) that is currently being heavily debated within trilogue meetings between the Commission, the Council and the Parliament. The GDPR is meant to apply to all players offering services to European citizens, notwithstanding the sector they are active in, and aims to achieve a full and horizontal harmonisation in the area of privacy, based on the principle of technology neutrality.
ETNO, the association representing Europe’s main telecom operators, fully supports this idea, but is convinced that harmonised privacy rules will not be possible as long as the ePrivacy Directive continues to exist next to the GDPR. Although the European Commission has announced that the ePrivacy Directive is slated for review after the adoption of the GDPR, ETNO continues to call for the directive to be amended within the scope of the GDPR.
Against this background, ETNO has requested that we investigate the technical and legal feasibility of addressing the regulatory asymmetries created by the ePrivacy Directive and propose a solution in light of the on-going discussions related to the GDPR.
While analysing the legal implications of the co-existence of the ePrivacy Directive - which mainly targets the telecom sector - and the GDPR - which applies to all data controllers - we observed that the ePrivacy Directive only contains six data protection related articles. It can no longer be justified to retain these articles or, in some cases, to retain them outside the GDPR. The six articles can be divided into two groups:
Articles that have become redundant, notably art. 6 (traffic data), art. 9 (location data) and article 4 and Regulation 611/2013 (data breach notifications); and
Articles that should be integrated in the GDPR, notably art. 5 § 1-2 (confidentiality of communications), art. 5 § 3 (cookies) and art. 13 (unsolicited communications).
As the GDPR provides for a high level of protection for the processing of personal data, in a converged telecommunications landscape there is no longer a rationale for treating the processing of traffic data and location data by telecom providers separately from the same processing by all other data controllers (including OTT players offering functionally equivalent services). Furthermore, it does not make sense to maintain dissimilar data breach notification rules under the ePrivacy Directive and the GDPR, as this creates an undesired and overly complex situation for telecom providers, stakeholders and regulating authorities.
While the aforementioned rules were revolutionary and justified at the time of their adoption, today, it makes little sense to single out one particular sector. For as long as the ePrivacy Directive co-exists with the GDPR, there will be an unlevel playing field between all market players, consumers will not experience comparable digital privacy online and the competitive position of European telecoms operators will be compromised, possibly until 2020 if European legislators do not take immediate action.
Furthermore, the existing rules on cookies apply to all website operators, while the rules on unsolicited communications (spam) apply to anyone considering sending such communications. The current scope of the ePrivacy Directive is therefore already broader than just the telecom sector, for which it was initially put in place.
The principle of confidentiality of communications, however, only applies to traditional voice and SMS services, not to competing OTT voice and messaging services. In view of the increasing use of such services by digital consumers (and also to a great extent by youngsters), it is no longer justifiable that the confidentiality of such digital communications is not legally guaranteed.
Considering the current patchwork of diverging national implementations of the ePrivacy Directive (notably concerning cookies) and in order to ensure the confidentiality of digital and non-digital communications, it is highly recommended to integrate the aforementioned articles into the GDPR.
A call for action
In a recent study commissioned by the Commission and assessing the effectiveness of the ePrivacy Directive and its compatibility with the GDPR, several of the above-mentioned issues were flagged as well. However, the proposed solution to the existing unlevel playing field is surprising and undesired. Instead of aiming for a full and horizontal harmonisation of data protection rules, the study proposed to retain the current dual regime and even to enlarge the current scope of the ePrivacy Directive by including ‘information society services’. If one of the main objectives of the GDPR is to meet the challenges resulting from the rise of new technologies and the increasing importance of ‘information society services’, incorporating the latter into the ePrivacy Directive implies that the GDPR will not meet all of its objectives, and will not offer a sufficiently high level of protection.
We propose to repeal the redundant data protection related articles in the ePrivacy Directive, and combine the still relevant rules into one document, notably the GDPR. It follows from the aforementioned considerations that only minor legislative changes are required to combine all data protection rules in the GDPR. Such incorporation is not only feasible but highly recommendable, as it would remedy legal uncertainty on several points and be in line with good policy-making practice.
We consider the on-going review of the EU Data Protection legal framework to be a unique opportunity to achieve a true level playing field in order to ensure that technologically neutral principles apply to all stakeholders. We therefore encourage policymakers to take into account ETNO’s arguments and proposal. It cannot be denied that in today’s converged world, the distortions between sectors are not justifiable and this particular example of asymmetry needs to be addressed without delay.
For more information on the conducted feasibility study and on the amendments proposed to the GDPR, please liaise with ETNO or the authors of this blog post. A copy of the full study can be found here.
By Patrick Van Eecke and Raf Schoefs, for ETNO #ThinkDigital, 26.08.2015
Prof. Dr. Patrick Van Eecke is a partner at the global law firm DLA Piper UK LLP (Brussels office) and professor of European Information Technology and Communications Law at the law faculty of the University of Antwerp. Raf Schoefs is a lawyer at DLA Piper UK LLP (Brussels office). E-mail addresses: firstname.lastname@example.org and email@example.com.