E-Privacy Directive

November 25, 2024

Directive 2002/58/EC, the e-Privacy Directive (ePD), also known as the Privacy and Electronic Communications Directive, is a regulatory framework established by the European Union (EU) to protect the privacy of individuals. Serving functions similar to those of the General Data Protection Regulation (GDPR), the ePD remains in effect alongside the GDPR, and the two complement each other. The ePD regulates the processing of personal data, the confidentiality of communications, and the use of cookies, and it plays a crucial role in balancing technological advancement against individuals’ right to privacy. This article provides an overview of the ePD, its relationship with the GDPR, and the future of the ePD.

What is the e-Privacy Directive?

The e-Privacy Directive, colloquially referred to as the Cookies Law, is a piece of legislation established by the EU for the protection of individual privacy, especially in the field of electronic and digital communication. The ePD was originally enacted in 2002 and last revised in 2009, and it remains in effect as of the writing of this article. As such, the ePD operates in conjunction with, and enhances, the GDPR, which came into effect in 2018.


What are the main contents of the e-Privacy Directive?

The e-Privacy Directive’s goal is to ensure the protection of the fundamental rights and freedoms, in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and electronic communication equipment and services.[1]

The ePD applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks, including public communications networks supporting data collection and identification devices.[2] Within this scope, the ePD lays out a number of requirements and obligations for service providers.

Security of processing

Electronic communications service providers are required to implement appropriate technical and organizational measures to provide appropriate security for their services. The service providers must also inform their clients when there is a risk of a security breach. When a breach occurs, the service provider must inform the competent national authority and if the breach is likely to adversely affect the personal data or privacy of a user or individual, the provider shall also notify the user or individual of the breach without undue delay.[3]

Confidentiality of communications

The listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data[4] by persons other than users, without the consent of the users concerned, shall be prohibited unless authorized by law as necessary, appropriate, and proportionate measures within a democratic society to safeguard national security, defense, public security, and the prevention, investigation, detection, and prosecution of criminal offenses or unauthorized use of the electronic communication system. Providers can still retain the traffic data for lawful business practice such as for the purpose of providing evidence of a commercial transaction or any other business communication.[5]

Traffic data can be retained for billing purposes for as long as the bill can be legally challenged. Service providers can also process traffic data for marketing and offering value-added services. The users must be informed of the types of traffic data processed, the purposes, and duration of the processing.[6]

Users are entitled to non-itemized billing[7] and to opt out of calling line identification.[8]

Where location data other than traffic data can be processed, such data may only be processed when they are made anonymous, or with the consent of the users to the extent and for the duration necessary for the provision of a value-added service. The service provider must inform the users, prior to obtaining their consent, of the type of location data to be processed, the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value-added service. The users must also have the option to opt out.[9]

Unsolicited communications

The use of automated calling and communication systems without human intervention, fax or electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent. Where the email addresses of the users are obtained in the context of the sale of a product or a service, these electronic contact details can be processed for direct marketing of the provider’s own similar products or services, provided that users are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details at the time of collection and on the occasion of each message, in case the customer has not initially refused such use.[10] This means that unsolicited communications can only be sent as part of a regime that the users have opted into, and the users must have the option to object to such practice.

Cookies

Devices that store or access information on the terminal equipment of users of electronic communications networks, such as cookies,[11] can be a legitimate and useful tool, for example in analyzing website marketing statistics and verifying the identity of users.[12]

The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment (e.g. cookies) of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information, inter alia, about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.[13] This means that cookies must be designed to adopt an opt-in regime that requires the consent of the users after having provided the users with appropriate information.

This acknowledgment and regulation of cookies is the reason why the ePD is commonly referred to as the Cookies Law.

The relationship between ePD and GDPR

As mentioned above, the ePD aims to create harmonization of national provisions in order to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector.

On the other hand, the GDPR has a similar goal of harmonizing the national provisions in order to protect the fundamental rights and freedoms of the individual regarding the protection of personal data.

Both of these documents concern the right to privacy; however, the GDPR has a much wider scope than the ePD. The ePD was enacted as complementary legislation alongside Directive 95/46/EC (also known as the Data Protection Directive, the GDPR’s predecessor), and it now serves the same purpose for the GDPR. This can be observed in Recital 12 of the ePD: “By supplementing Directive 95/46/EC, this Directive is aimed at protecting the fundamental rights of natural persons and particularly their right to privacy, as well as the legitimate interests of legal persons”. It is reasonable to view the ePD as lex specialis that complements and overrides the GDPR in specific situations, since the GDPR is the lex generalis. Especially in terms of cookies, the ePD would take precedence in most cases, since it specifically calls out cookies in its provisions.

Direct references to the ePD can be found throughout the GDPR demonstrating that the GDPR was meant to coexist with the ePD. Recital 173 of the GDPR clearly states that GDPR should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons.

For example, under the GDPR Recital 47, “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, however, Article 13 of the ePD, as a general rule, requires consent to be obtained from data subjects in cases of direct marketing. This means that, when direct marketing communications are delivered through public communication networks and meet other ePD applicability criteria, special provisions of the directive will apply, and the data controller will have to obtain the data subject’s consent for direct marketing. In other cases, where the ePrivacy Directive provides for exemptions from the general requirement to obtain consent or where direct marketing messages are delivered through paper-based mail – general rules of the GDPR will apply.[14]

Article 95 of the GDPR further clarifies that it shall not impose additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. This means that where a section of the GDPR duplicates the ePD, such as breach notification, the data controller only has to comply with one instrument and does not have to perform the same action again under the other.

The e-Privacy Regulation

Even though the ePD and GDPR can currently coexist and complement each other, the EU recognizes the need to update the ePD in order to increase the consistency of the EU’s privacy legislation. Recital 173 of the GDPR makes this clear by stating that: “In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation”. Indeed, a successor to the ePD has been in the works since the adoption of the GDPR and is expected to come out in the coming years.

Dubbed the “e-Privacy Regulation”, this piece of legislation is expected to replace the ePD with the aim of facilitating a Digital Single Market and ensuring consistency with the GDPR.[15] The e-Privacy Regulation shall be lex specialis to the GDPR and will particularize and complement the GDPR in regard to electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal shall be covered by the GDPR.[16] This means that the upcoming e-Privacy Regulation will serve a similar purpose to its predecessor, in that it will particularize and complement the provisions of the GDPR in the field of electronic communications.

Some key points in the proposal of the e-Privacy Regulation include[17]:

  • New players: privacy rules will, in the future, also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecom operators.
  • Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: privacy is guaranteed for communications content and metadata. Metadata (data that describes other data, such as author, date created, and location) has a high privacy component and should be anonymized or deleted if users did not give their consent, unless the data is needed for billing.
  • New business opportunities: once consent is given for communications data to be processed, traditional telecom operators will have more opportunities to provide additional services and to develop their businesses.
  • Simpler rules on cookies: the cookies provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies that improve the internet experience, such as cookies to remember shopping cart history or to count the number of website visitors.
  • Protection against spam: this proposal bans unsolicited electronic communications by email, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to stop marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
  • More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the GDPR.

As of the writing of this article, the e-Privacy Regulation has not been enacted and is still in the process of drafting and reviewing.


PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.

[1] E-Privacy Directive, Art 1.

[2] E-Privacy Directive, Art 3.

[3] E-Privacy Directive, Art 4.

[4] ‘traffic data’ means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof.

[5] E-Privacy Directive, Art 5.

[6] E-Privacy Directive, Art 6.

[7] E-Privacy Directive, Art 7.

[8] E-Privacy Directive, Art 8.

[9] E-Privacy Directive, Art 9.

[10] E-Privacy Directive, Art 13.

[11] Cookies are a common online tool that websites use to track users’ online activities.

[12] E-Privacy Directive, Recital 25.

[13] E-Privacy Directive, Art 5(3).

[14] Konstantin Tiazhelnikov, ‘Interplay between the GDPR and ePrivacy Directive: practical summary’ (DPOrganizer, 12 October 2022) <https://www.dporganizer.com/blog/interplay-between-the-gdpr-and-eprivacy-directive-practical-summary/> accessed 1 December 2023.

[15] Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), point 1(1).

[16] ibid, point 1(2).

[17] European Commission, ‘Proposal for an ePrivacy Regulation’ <https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation> accessed 2 December 2023.
