On 12 April 2016, the European Commission launched a public consultation (the “Consultation“) on the ePrivacy Directive (2002/58/EC; the “epD“). Interested parties who wish to participate have until 5 July 2016 to submit responses to the Commission’s 33 questions.
The Consultation marks the next step in European data protection reform, arriving shortly after policymakers finally completed four years of arduous negotiations over the General Data Protection Regulation (“GDPR“). Data protection reform is a key part of the comprehensive Digital Single Market Strategy launched by the European Commission in May 2015 (for an overview of open, closed and future consultations regarding the Digital Single Market, have a look here).
The Commission intends to use the results of the Consultation to inform a new legislative proposal on ePrivacy by the end of 2016.
What is the ePrivacy Directive?
The epD has been in force since 2002, and was last amended in 2009. It sets out specific privacy and data protection rules for the electronic communications sector, although some of its provisions have a much wider application. In particular, it:
- Prohibits the interception of communications over public networks without consent or lawful authority;
- Imposes security and data breach notifications on the electronic communications sector;
- Requires that consent is obtained before information is accessed or stored on users’ devices (this requirement applies to cookies as well as newer technologies such as device fingerprinting);
- Regulates direct marketing by phone, email, text or fax; and
- Imposes restrictions on how traffic and location data may be used.
What’s in the Consultation?
The Consultation is split into two sections. The first half is aimed at gathering input for the Commission’s on-going evaluation of the effectiveness, efficiency, relevance and coherence of the epD. The second half asks for interested parties’ views on possible changes to the law.
In background materials released alongside the Consultation, the Commission outlines four areas it has identified as requiring attention. These issues inform the questions raised in the Consultation:
- Ensuring consistency with the GDPR, for example in relation to personal data breach provisions;
- Accounting for new market and technological realities, for example by considering whether Voice over IP and instant messaging providers should be subject to ePrivacy requirements;
- Enhancing security and confidentiality of communications in light of growing cyber-security risks and the rise of new tracking technologies such as digital fingerprinting; and
- Contributing to the Digital Single Market by addressing inconsistent enforcement and fragmentation between Member States.
Time for a new cookie jar?
Given the wide applicability of the requirement to obtain consent before deploying cookies or similar technologies (and recent enforcement actions in some European jurisdictions), question 24 of the Consultation may be of particular interest. The Commission notes arguments that the current requirements unduly disrupt user experience, and asks respondents for their views on a number of alternatives, such as:
- Requiring providers of browsers to turn third party cookies off by default;
- Defining mechanisms for expressing user choices over whether they would like to be tracked;
- Mandating standards organisations to produce Do Not Track standards;
- Prohibiting specific ‘abusive’ behaviours, such as unsolicited recording by smart home devices, regardless of consent; and/or
- Supporting self-co regulation.
This Consultation offers those with an interest in the regulation of cookies, or in the epD more widely, a chance to be heard.