On April 4, 2017, the Article 29 Working Party published an opinion on the planned ePrivacy Regulation. The ePrivacy Regulation (“Regulation on Privacy and Electronic Communications”) has been available in draft form since the beginning of 2017. It is intended to replace the “Cookie Directive” (Directive 2009/136/EC). It is furthermore coordinated with the GDPR (to a certain extent), is likewise to enter into force on May 25, 2018, and, within its scope of application (the processing of electronic communications data in the provision and use of electronic communications services), displaces divergent provisions of the GDPR.
The Working Party welcomes the legal form of the planned regulation (directly applicable regulation) and its principle-based approach. It also welcomes the application to so-called over-the-top (OTT) services, i.e., the electronic transmission of third-party content such as movies via the Internet without a network operator being directly involved in the control or distribution of the content (according to the Weko in the investigation regarding sports in pay TV against Swisscom, among others, RPW 2016/4). Examples are Skype or Facebook.
The Working Party, on the other hand, fears a decrease in the level of protection provided by the GDPR for the following four areas or processing operations:
- WiFi and Bluetooth tracking: Here, Art. 8(2)(b) of the ePrivacy Regulation only requires a clear indication, whereas the GDPR usually requires consent; an appropriate limitation of tracking is also missing;
- Analysis of communication data: Article 6 of the ePrivacy Regulation wrongly differentiates between the processing of content data and that of metadata; both are equally sensitive. In both cases, processing should in principle only be permissible with the consent of all parties involved (sender and recipient), insofar as the processing is not necessary for the main purpose of the communication, i.e., in particular for handling the communication, ensuring data security and maintaining the required service quality. Only some specific services are to be permitted with the consent of the service user alone (i.e., without the consent of the other parties involved).
- Software providers: These must be required to ensure compliance with privacy by default (cf. Art. 25(2) GDPR). Art. 10 of the ePrivacy Directive only requires that users can make privacy-friendly settings, but not that these settings must be provided by default.
- Coupling of tracking and service access: A “take it or leave it” offer by websites or services is to be prohibited, i.e., an offer to which access is only possible with consent to tracking.
The opinion of the Article 29 Working Party contains further points where improvements should also be made in order to strengthen the protection of the data subjects.
In contrast, the draft of the ePrivacy Regulation has met with harsh criticism from the business community. Bitkom, an important industry association, criticized the following points in particular in a statement of February 6, 2017:
- parallel regulations to the GDPR are to be rejected in principle, such as separate requirements for consent or the use of location data;
- the application of the ePrivacy Regulation also to electronic communication between legal entities and between machines (M2M) is not necessary and threatens new business models;
- in general, the specifications are too strict;
- the introduction of the regulation on May 25, 2018 does not allow companies sufficient time to prepare;
- self-regulatory measures should be given greater support.