Back in January, the Commission published a proposal for a Regulation on Privacy and Electronic Communications (the “E-Privacy Regulation”) to replace the current E-Privacy Directive (2002/58/EC). This was after the proposal had initially been leaked right before the Christmas holidays in 2016, which I commented on in a previous blog post here on our Hannes Snellman blog. Now, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (the “LIBE Committee”) has published a draft report proposing amendments to the initial proposed Regulation, providing an interesting read for those in the privacy field.
As a run-through, the E-Privacy Regulation will be adopted to particularise and complement the new General Data Protection Regulation (the “GDPR”) and will function as a lex specialis to the GDPR as regards electronic communications data consisting of personal data. It will include provisions extending the application of the regulation to new players in electronic communications services (such as electronic communications services on social media), provisions simplifying the current rules on cookies, as well as regulation guaranteeing the privacy of both content and metadata as regards electronic communications.
In its report, the LIBE Committee has proposed some significant changes to the Commission’s regulation proposal as well as many smaller specifications and changes to the original text. Mainly, the aim of the changes proposed by the LIBE Committee is to increase privacy protection for users and to ensure the protection of fundamental rights of private life and the protection of personal data. The Committee considers that the Commission’s proposal needs to be amended in order to avoid lowering the high level of protection afforded by both the GDPR and the Charter of Fundamental rights as well as the European Convention on Human Rights. One of the most crucial amendment proposals is that the Committee proposes to limit member states’ possibility to introduce supplementing and clarifying national legislation (included in recital 7 of the original proposal). The report’s other main amendment proposals include the following:
- Multiple definitions are added for clarification and in order to enable the regulation to be a stand-alone instrument and not dependent on the Electronic Communications Code.
- Several restricting amendments are made to Article 6 regarding the conditions allowing for interference with the right of confidentiality of communication in order to process data in specific circumstances.
- It is clarified that confidentiality of electronic communications shall also be ensured with regard to communications stored or processed by terminal or other equipment (e.g. cloud storage, free Wi-Fi and hotspots) as well as machine-to-machine communications (e.g. the IoT environment).
- Do-Not-Track mechanisms are proposed to be technologically neutral, and the Committee also proposes going back to the privacy by default regulations regarding these mechanisms (that were included in the leaked draft but then subsequently removed).
- A new obligation to make methods of anonymisation and further aggregation public for parties involved in the processing of location data and other metadata is introduced in order to enhance transparency.
- Clarifications are made to the scope of unsolicited communications such as direct marketing.
While many of the amendments intend to make sure that the draft proposal is in line with the GDPR, the LIBE Committee’s report also proposes multiple changes that will need further review and discussion. The proposal is now awaiting a Committee decision, and the final form of the Regulation is expected by this autumn, so that it would be in place by 25 May 2018 when the GDPR becomes applicable. However, since the changes proposed by the LIBE Committee are quite significant, it remains to be seen if the schedule for finalising the regulation will turn out to be too ambitious.
Associate at Hannes Snellman