May 302018

European Data Protection Board Releases Statement on the Revision of the ePrivacy Regulation

Wim Nauwelaerts and Paul Greaves
, , , ,

On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018.  The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).

The statement contains the EDPB’s advice and clarifications on some issues which have been raised during the development of the proposed Regulation, which is still in draft form. Key messages from the statement include that:

  1. Confidentiality of electronic communications requires protection beyond what is offered by the GDPR

The EDPB emphasizes the need for ‘broad prohibitions, narrow exceptions, and the use of consent’ within the proposed Regulation.

The EDPB thus rejects suggestions that the proposed Regulation should permit processing of electronic communications content and metadata on what some may consider open-ended grounds, such as on the basis of the ‘legitimate interests’ of an organisation.

The EDPB equally does not believe that organizations should be able to process electronic communications metadata based on the general purpose of the ‘performance of a contract’. The statement notes that consent would not be required, on the other hand, to process electronic communications metadata which have been fully anonymized in accordance with EU guidance.

  1. The proposed Regulation maintains rights and obligations which exist today under the Directive

In particular, the EDPB notes that:

  • Transmission services used for the provision of machine to machine services are already in the scope of the current Directive; and
  • The protection of terminal equipment is already a right (meaning that data controllers may only gain access to, or store information on subscribers’ devices under certain conditions).

The proposed Regulation maintains these rules, although it also includes new exceptions in areas where the EDPB considers there to be a limited privacy risk, such as in the context of security updates, and in the context of audience measurement.

  1. The proposed Regulation aims to ensure a uniform application across every Member State and every type of data controller

The EDPB emphasizes that the changes are designed to ensure an equal playing field for all types of data controllers, in a technology neutral way. In particular:

  • The proposed Regulation is aimed at bringing ‘Over-the-Top’ services within the scope of the rules, as the EDPB views these are functionally equivalent to traditional electronic communications services.
  • The proposed Regulation’s rules apply as soon as data relating to users’ behaviour are collected – whether or not users have created an account for a service.
  • Service providers will need to obtain consent compliant with GDPR consent requirements. Notably, the requirement to obtain ‘freely given’ consent should prevent service providers from implementing so-called ‘cookie walls’ which block users from receiving the service if they do not provide their consent (in fact, the EDPB appears to support an explicit prohibition on ‘cookie walls’).
  • Uniform application of the rules is achieved by aligning the sanctions and territorial scope of the proposed Regulation with those of the GDPR.
  1. The proposed Regulation must enforce the ‘consent’ requirement for cookies and similar technologies, and offer services providers technical tools which allow them to obtain that consent

In particular, the EDPB supports the inclusion of provisions within the proposed Regulation which:

  • Offer users control over the use of the storage capabilities of their terminal equipment;
  • Require a ‘privacy by default’ approach in relation to software settings; and
  • Permit web site and mobile applications to obtain users’ consent through the use of privacy settings.

To keep up with the latest on the GDPR, check out Sidley’s GDPR Monitor page.

Wim Nauwelaerts

wnauwelaerts@sidley.com

Paul Greaves

pgreaves@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.