Proposal for an ePrivacy Regulation: what progress for data protection in electronic communication?

This post is also available in: frFrançais (French)

Reforming data protection since 2012, the European Union adopts news tools to protect the right to privacy of European citizens. Initiated by the General Data Protection Regulation, work is continuing with the proposal for a Regulation on ePrivacy and electronic communicationIn January, the EC published a proposal of Regulation relating to the respect of privacy and protection of personal data in electronic communication, that will abrogate the directive 2002/28.

On 11 April 2017, the LIBE Commission organised a hearing on this proposal to prepare a report; Ms Marju Lauristin (S&D) is the rapporteur. The aim was to furnish to the LIBE Commission different concerned actors’ points of views.

The EC recalled that the regulation was motivated by the will to reinforce the protection of fundamental rights, harmonisation of legislation and coherence with the GDPR. Many people welcomed the proposal, qualified as ambitious by the European Data Protection Supervisor (EDPS)[1].

Applicability. The tool was particularly appreciated. Preferring a regulation to a directive, the EC proclaimed its willingness to harmonise legal frameworks in the Member States, in view of the direct applicability of the regulation.

Necessary protection. The speakers underlined that the regulation protects not only European citizens but also trade secrets. Above all, they presented the right to privacy as a key element of freedom of expression and information, necessary for the proper functioning of a democracy.

Extended protection. The Regulation reinforces the protection of European citizens. The scope of action has been extended to take into account the technical changes and to include over-the-top services such as WhatsApp or Facebook. The text strengthens competencies of the supervisory authorities and the European Data Protection Board (the amount of the penalties for example).

However, the proposal is not sufficient for a full and consistent protection.

Different protection. The EDPS is concerned by the different levels of protection depending on the types of data. It may create weaknesses in terms of protection. Moreover, many definitions will come from the European Electronic Communications Code[2]: definitions, decided in a different context, may fail to ensure an effective protection of fundamental rights.

Wi-Fi tracking. For Frederik Zuiderveen, an academic, clarifying Article 8 is necessary to be sure that it will be interpreted as a total prohibition of tracking (as with Bluetooth for example) in the street without consent.

Tracking walls. Consent should not be mandatory. Ban of tracking walls, which force users to consent to access a service or to pay, should be included in the proposal. Protection of personal data should not be a paying right.

Privacy by design. To go further, the proposal should block, through default parameters of browsers, third-party cookies as well as access to information for third persons.

AEDH is applauding the reinforcement of protection of European citizens’ personal data. Even if the proposal seems seducing; it is necessary to remain vigilant and to add new elements (tracking walls, Wifi tracking and default parameters). The vigilance is all the more necessary since digital industry lobby has, these last months, shown its capacity for action: the first draft of the EU’s ePrivacy law reform has been leaked and was much more ambitious. It included a default configuration avoiding storage and access to information stored in devices as well as collective redress. What matters now is for civil society to be heard to convince the Members of the European Parliament to reinforce such protection.



[2] On 14 September 2014, the European Commission presented a proposal on European Electronic Communication Code.