Executive Summary of the preliminary Opinion of the European Data Protection Supervisor on the review of the ePrivacy Directive (2002/58/EC)

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2016/C 378/09)

EXECUTIVE SUMMARY

This Opinion outlines the position of the EDPS on the key issues relating to the review of Directive 2002/58/EC on privacy and electronic communications (the ePrivacy Directive), in response to a request of the European Commission.

We need a new legal framework for ePrivacy, but we need a smarter, clearer and stronger one: we need more clarity but also better enforcement. We need it to ensure the confidentiality of our communications, a fundamental right enshrined in Article 7 of the Charter of Fundamental Rights of the European Union. In addition, we also need provisions to complement, and where necessary, specify in more detail, the protections under the General Data Protection Regulation (GDPR). Furthermore, we also need to maintain the current, higher level of protection where the ePrivacy Directive provides more specific safeguards than the GDPR. The definitions of the GDPR, its territorial scope, the mechanisms for cooperation between enforcement authorities and for consistency, as well as the possibility to provide flexibility and guidance, should be available for ePrivacy.

The scope of the new legal framework must be extended. This is to take account of technological and societal changes and to ensure that individuals be afforded the same level of protection for all functionally equivalent services, irrespective whether they are provided, for example, by traditional telephone companies, by Voice over IP services or via mobile phone messaging apps. Indeed, there is a need to go even further and protect not only ‘functionally equivalent’ services, but also those services that offer new opportunities for communication. The new rules should also unambiguously continue to cover machine-to-machine communications in the context of the internet of Things, irrespective of the type of network or communication service used. The new rules should also ensure that the confidentiality of users' communications will be protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, shops, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.

Consent should be genuine, offering a freely given choice to users, as required under the GDPR. There should be no more ‘cookie walls’. Beyond a clear set of exceptions (such as first party analytics), no communications should be subject to tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting, or other technological means. Users must also have user-friendly and effective mechanisms to provide and revoke their consent within the browser (or other software or operating system).

In order to better protect the confidentiality of electronic communications, the current consent requirement for traffic and location data must also be maintained and strengthened. The scope of this provision should be broadened to cover everyone and not just traditional telephone companies and internet service providers.

The new rules should also clearly allow users to use end-to-end encryption (without ‘back-doors’) to protect their electronic communications. Decryption, reverse engineering or monitoring of communications protected by encryption should be prohibited.

Finally, the new rules on ePrivacy should protect against unsolicited communications and should be updated and strengthened, requiring prior consent of recipients for all types of unsolicited electronic communications, independent of the means.

I.   INTRODUCTION AND BACKGROUND

This preliminary Opinion (Opinion) is in response to a request of the European Commission (Commission) to the European Data Protection Supervisor (EDPS), as an independent supervisory authority and advisory body, to provide an opinion on the review of the ePrivacy Directive (1).

The consultation of the EDPS was carried out in parallel with a public consultation held by the Commission, which was open until 5 July 2016 (2). The Commission also requested the opinion of the Article 29 Data Protection Working Party (WP29), to which the EDPS contributed as a full member (3).

This Opinion contains the preliminary position of the EDPS on the review of the ePrivacy Directive, focusing on those issues where his opinion has been specifically requested by the Commission. The Opinion also constitutes the EDPS contribution to the public consultation and as such, may also address other issues not specifically requested by the Commission in its request for an opinion. We may also provide further advice in subsequent stages of the legislative procedure.

The review of the ePrivacy Directive is one of the key initiatives of the Digital Single Market Strategy (4), aimed at reinforcing trust and security in digital services in the EU with a focus on ensuring a high level of protection for citizens and a level playing field for all market players across the EU.

The review seeks to modernise and update the ePrivacy Directive as part of the wider effort to provide a coherent and harmonised legal framework for data protection in Europe. The ePrivacy Directive particularises and complements Directive 95/46/EC (5), which will be replaced by the recently adopted General Data Protection Regulation (GDPR) (6). The ePrivacy Directive sets forth specific rules, with the main objective of ensuring the confidentiality and security of electronic communications. It also protects the legitimate interests of subscribers who are legal persons.

XI.   CONCLUSIONS

The importance of confidentiality of communications as laid down in Article 7 of the Charter is growing with the increased role that electronic communications play in our society and economy. The safeguards outlined in this Opinion will play a key role in ensuring the success of the Commission's long term strategic objectives outlined in its DSM Strategy.

(1)  Ref. Ares(2016)2310042 – 18.5.2016.

(2)  See https://ec.europa.eu/digital-single-market/en/news/public-consultation-evaluation-and-review-eprivacy-directive. The questionnaire is available at: https://ec.europa.eu/eusurvey/runner/EPRIVACYReview2016.

(3)  WP29 Opinion 3/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC) (WP240) adopted on 19 July 2016.

(4)  A Digital Single Market Strategy for Europe, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions, 6 May 2015 (COM(2015) 192 final) available at: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52015DC0192&from=EN.

(5)  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(6)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).