May 302018

European Data Protection Board Releases Statement on the Revision of the ePrivacy Regulation

Wim Nauwelaerts and Paul Greaves
, , , ,

On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018.  The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).

The statement contains the EDPB’s advice and clarifications on some issues which have been raised during the development of the proposed Regulation, which is still in draft form. Key messages from the statement include that:

  1. Confidentiality of electronic communications requires protection beyond what is offered by the GDPR

The EDPB emphasizes the need for ‘broad prohibitions, narrow exceptions, and the use of consent’ within the proposed Regulation.

The EDPB thus rejects suggestions that the proposed Regulation should permit processing of electronic communications content and metadata on what some may consider open-ended grounds, such as on the basis of the ‘legitimate interests’ of an organisation.

The EDPB equally does not believe that organizations should be able to process electronic communications metadata based on the general purpose of the ‘performance of a contract’. The statement notes that consent would not be required, on the other hand, to process electronic communications metadata which have been fully anonymized in accordance with EU guidance.

  1. The proposed Regulation maintains rights and obligations which exist today under the Directive

In particular, the EDPB notes that:

  • Transmission services used for the provision of machine to machine services are already in the scope of the current Directive; and
  • The protection of terminal equipment is already a right (meaning that data controllers may only gain access to, or store information on subscribers’ devices under certain conditions).

The proposed Regulation maintains these rules, although it also includes new exceptions in areas where the EDPB considers there to be a limited privacy risk, such as in the context of security updates, and in the context of audience measurement.

  1. The proposed Regulation aims to ensure a uniform application across every Member State and every type of data controller

The EDPB emphasizes that the changes are designed to ensure an equal playing field for all types of data controllers, in a technology neutral way. In particular:

  • The proposed Regulation is aimed at bringing ‘Over-the-Top’ services within the scope of the rules, as the EDPB views these are functionally equivalent to traditional electronic communications services.
  • The proposed Regulation’s rules apply as soon as data relating to users’ behaviour are collected – whether or not users have created an account for a service.
  • Service providers will need to obtain consent compliant with GDPR consent requirements. Notably, the requirement to obtain ‘freely given’ consent should prevent service providers from implementing so-called ‘cookie walls’ which block users from receiving the service if they do not provide their consent (in fact, the EDPB appears to support an explicit prohibition on ‘cookie walls’).
  • Uniform application of the rules is achieved by aligning the sanctions and territorial scope of the proposed Regulation with those of the GDPR.
  1. The proposed Regulation must enforce the ‘consent’ requirement for cookies and similar technologies, and offer services providers technical tools which allow them to obtain that consent

In particular, the EDPB supports the inclusion of provisions within the proposed Regulation which:

  • Offer users control over the use of the storage capabilities of their terminal equipment;
  • Require a ‘privacy by default’ approach in relation to software settings; and
  • Permit web site and mobile applications to obtain users’ consent through the use of privacy settings.

To keep up with the latest on the GDPR, check out Sidley’s GDPR Monitor page.

Wim Nauwelaerts

wnauwelaerts@sidley.com

Paul Greaves

pgreaves@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.