HL Chronicle of Data Protection Privacy & Information Security News & Trends

Council e-Privacy Regulation Negotiations Critical for the Future of IoT and AdTech

Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications (the ePR), we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 (the Paper) shows that the Council is still considering multiple options in relation to several critical issues. In particular:

  • The Commission’s draft of the ePR clarified that communications between machines (M2M communications) are subject to the same confidentiality protections as communications between humans. The Paper notes on-going debate around whether this is appropriate, and proposes that consideration is given to excluding some or all M2M communications from the scope of the ePR.
  • Current drafts of the ePR require consent for processing electronic communications metadata (other than for specified purposes). This is more restrictive than the regime under the General Data Protection Regulation (GDPR), which provides several alternatives to consent which can be relied upon to process personal data. The Paper therefore proposes that consideration is given to allowing electronic communications metadata to be alternatively processed on the basis of:
    • Legitimate interest;
    • ‘Purpose compatibility’ (in line with Article 6(4) of the GDPR); or
    • In situations where the processing would be permitted under the GDPR.
  • Since 2009, European law has required that consent is obtained before using cookies or similar tracking technologies, unless certain limited exceptions apply. Current drafts of the ePR maintain this rule. The Paper proposes a discussion as to whether:
    • The use of cookies and similar tracking technologies should also be allowed on the basis of legitimate interest;
    • The law should explicitly deal with whether it is acceptable for access to a website to be conditioned on the visitor consenting to the use of cookies;
    • The exceptions to the consent requirement in current drafts of the ePR should be extended; or
    • There should be a move to a harm-based approach.
  • The Paper also calls for discussion around potential modifications to the proposed centralised cookie consent mechanism, whereby browser providers would be required to allow users to accept or refuse consent for the use of tracking technologies on a generalized basis.

The Council will need to reach an agreed position on these issues before the trilogue. Given the importance of these issues to stakeholders, it is quite possible that this will not happen before the summer.

Is the GDPR Inadequate?

The Council discussions on the Draft ePR show a certain malaise as to why the GDPR is not already sufficient to deal with IoT and AdTech situations. Hailed by many as the most comprehensive data protection framework in the world, the GDPR is flexible, technologically neutral, and fully capable of dealing with IoT and AdTech use cases. Why then is a supplemental regulation – less flexible than the GDPR – needed? Cookies and communications metadata will in most cases involve personal data, and therefore fall under the GDPR. In cases not involving personal data – the case of connected industrial machines, for example – it seems hard to identify a fundamental right to privacy that requires specific legislation.

The e-Privacy Regulation draws its legitimacy from the fact that it protects not only personal data under Article 8 of the EU Charter, but also individuals’ “private and family life, home and communications” under Article 7 of the Charter. Industrial machines talking to each other do not raise Article 7 privacy concerns. And for cases where IoT and AdTech involve personal data, the GDPR mechanisms, including data protection impact assessments, full information to data subjects and prior consent or opt-out rights, seem to provide a robust level of protection.

The original e-Privacy Directive of 2002 was designed to fill gaps left by the 1995 Data Protection Directive. But what gaps has the GDPR left? The Council discussions will hopefully provide a better answer to this question, so that the ePR can be more narrowly tailored to address the gap situations.