Will the ePrivacy Regulation overshadow the GDPR in the age of IoT?

by Gabriela Zanfir-Fortuna

The ePrivacy draft regulation, published by the European Commission on Jan. 10, updates and upgrades Directive 2002/58/EC (the “ePrivacy directive”), the source of the infamous “cookies banner.” Under its official name, Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications, the draft ePrivacy regulation reorganizes and even re-conceptualizes the system of protecting the privacy of electronic communications.

Armed with equally large fines and equally wide territorial application, the future ePrivacy rules may end up overshadowing the GDPR in the age of the internet of things due to their wide material scope of application, which could potentially cover all data related to connected devices.

Protecting the fundamental right to confidentiality

With the proposal for an ePrivacy regulation distinct from the GDPR, the EU makes it clear that the two sets of rules correspond to different fundamental rights: The GDPR is primarily an expression of the fundamental right to the protection of personal data as enshrined in Article 8 of the EU Charter of Fundamental Rights, while the ePrivacy draft regulation details the right to respect for private life, as enshrined in Article 7 of the Charter (see Recital 1 of the proposal).

This differentiation is of great consequence, affecting the manner in which EU courts will interpret and apply the rules. The protection of the right to private life is construed so as to restrict interferences with private life to the minimum, whereas the right to the protection of personal data is construed so as to provide for “rules of the road” on how personal data must be used.

A telling example of ePrivacy rules intended to protect private life is the reference in the draft to the fact that “terminal equipment of end-users of electronic communications networks and any information relating to the usage of such terminal equipment … are part of the private sphere of the end-users requiring protection under the Charter of Fundamental Rights of the EU and the European Convention of Human Rights” (emphasis added). (Recital 20)

In addition, many member states (e.g., Germany, Italy, Netherlands, Greece, Romania, Denmark, Belgium, Poland, Estonia, Bulgaria, Czech Republic) provide in their Constitutions for a separate right to the “secret of correspondence” (distinct from the right to respect for private life), which can be restricted under limited situations and usually only for objectives of public safety. The rules of the proposal fall under the scope of this particular right, being thus capable of igniting national constitutional reviews – for instance, concerning the rules that allow access to content of communications.

Electronic communications data and information on smart devices, the centerpiece of the ePrivacy framework

The new system of protecting the confidentiality of communications is built around two concepts:

  • “Electronic communications data,” which includes electronic communications content and electronic communications metadata; and
  • “Information related to the terminal equipment of end-users.”

Article 2(1) of the proposal establishes that the regulation “applies to processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users”.

This represents an important change compared to the current regime of the ePrivacy directive, which is centered on processing personal data (see Article 3(1) of Directive 2002/58). For the new rules to be applicable, it will not matter whether the data going through electronic communications channels fall under the GDPR definition of personal data or not. Recital 4 of the proposal explains that “electronic communications data may include personal data as defined in [the GDPR],” meaning they may also not include personal data.

This article was originally published on iapp.org. Read the rest of the article HERE.
