The European Data Protection Supervisor (EDPS) today (July 25, 2016) issued his preliminary opinion on the review of the E‑Privacy Directive 2002/58/EC (Opinion 5/2016) was published. In this, the EDPS emphasizes that the scope of the new e‑privacy provisions must be extended so that their application is not limited to electronic communications via traditional telecommunications and Internet service providers.
The scope of the new legal framework must be extended. This is to take account of technological and societal changes and to ensure that individuals are afforded the same level of protection for all functionally equivalent services, irrespective whether they are provided, for example, by traditional telephone companies, by Voice over IP services or via mobile phone messaging apps. Indeed, there is a need to go even further and protect not only ‘functionally equivalent’ services, but also those services that offer new opportunities for communication. The new rules should also unambiguously continue to cover machine-to-machine communications in the context of the Internet of Things, irrespective of the type of network or communication service used. The new rules should also ensure that the confidentiality of users’ communications will be protected on all publicly accessible networks, including Wi-Fi services in hotels, coffee shops, stores, airports and networks offered by hospitals to patients, universities to students, and hotspots created by public administrations.
Consent should be genuine, offering a freely given choice to users, as required under the GDPR. There should be no more ‘cookie walls’. Beyond a clear set of exceptions (such as first party analytics), no communications should be subject to tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting, or other technological means. Users must also have user-friendly and effective mechanisms to provide and revoke their consent within the browser (or other software or operating system).
Furthermore, the EDPS emphasized that the new e‑privacy provisions are intended to complement and – where necessary – specify the protection standards of the General Data Protection Regulation.