EDPS com­ments on the review of the e‑privacy directive

The Euro­pean Data Pro­tec­tion Super­vi­sor (EDPS) today (July 25, 2016) issued his preli­mi­na­ry opi­ni­on on the review of the E‑Privacy Direc­ti­ve 2002/58/EC (Opi­ni­on 5/2016) was published. In this, the EDPS empha­si­zes that the scope of the new e‑privacy pro­vi­si­ons must be exten­ded so that their app­li­ca­ti­on is not limi­ted to elec­tro­nic com­mu­ni­ca­ti­ons via tra­di­tio­nal tele­com­mu­ni­ca­ti­ons and Inter­net ser­vice providers.

The scope of the new legal frame­work must be exten­ded. This is to take account of tech­no­lo­gi­cal and socie­tal chan­ges and to ensu­re that indi­vi­du­als are affor­ded the same level of pro­tec­tion for all func­tio­n­al­ly equi­va­lent ser­vices, irre­spec­ti­ve whe­ther they are pro­vi­ded, for examp­le, by tra­di­tio­nal tele­pho­ne com­pa­nies, by Voice over IP ser­vices or via mobi­le pho­ne messaging apps. Inde­ed, the­re is a need to go even fur­ther and pro­tect not only ‘func­tio­n­al­ly equi­va­lent’ ser­vices, but also tho­se ser­vices that offer new oppor­tu­nities for com­mu­ni­ca­ti­on. The new rules should also unam­bi­guous­ly con­ti­nue to cover machi­ne-to-machi­ne com­mu­ni­ca­ti­ons in the con­text of the Inter­net of Things, irre­spec­ti­ve of the type of net­work or com­mu­ni­ca­ti­on ser­vice used. The new rules should also ensu­re that the con­fi­dentia­li­ty of users’ com­mu­ni­ca­ti­ons will be pro­tec­ted on all publicly acces­si­ble net­works, inclu­ding Wi-Fi ser­vices in hotels, cof­fee shops, stores, air­ports and net­works offe­red by hospi­tals to pati­ents, uni­ver­si­ties to stu­dents, and hot­spots crea­ted by public administrations.

Con­sent should be genui­ne, offe­ring a free­ly given choice to users, as requi­red under the GDPR. The­re should be no more ‘coo­kie walls’. Beyond a clear set of excep­ti­ons (such as first par­ty ana­ly­tics), no com­mu­ni­ca­ti­ons should be sub­ject to tracking and moni­to­ring without free­ly given con­sent, whe­ther by coo­kies, device-fin­ger­prin­ting, or other tech­no­lo­gi­cal means. Users must also have user-friend­ly and effec­ti­ve mecha­nisms to pro­vi­de and revo­ke their con­sent wit­hin the brow­ser (or other soft­ware or ope­ra­ting system).

Fur­ther­mo­re, the EDPS empha­si­zed that the new e‑privacy pro­vi­si­ons are inten­ded to com­ple­ment and – whe­re necessa­ry – spe­ci­fy the pro­tec­tion stan­dards of the Gene­ral Data Pro­tec­tion Regulation.