The ePrivacy Regulation: Cookie setting from banner to browser

In response, the European Commission has proposed an ePrivacy Regulation seeking to balance these interests, presented on 10 January 2017. The Proposal has not come without controversies, as many, including tech companies or the Member of the European Parliament Axel Voss, argue that an ePrivacy Regulation is redundant in light of the recently adopted General Data Protection Regulation (GDPR).

 

Given the rapid technological progress, the two main pillars of the data protection legal framework in the EU, the Data Protection Directive and the ePrivacy Directive, need to be updated. The GDPR will repeal the Data Protection Directive from May 2018 onwards and set the general data protection rules in the EU. The proposal for an ePrivacy Regulation reviews the European rules for personal data processing in electronic communications and extends the scope of the ePrivacy Directive to apply whenever information is collected from users’ devices, including to services provided by OTTs. It should enter into force simultaneously with the GDPR, but many consider this deadline to be extremely ambitious.

 

​

The proposal for an ePrivacy Regulation foresees that software should abide by a ‘privacy by design’ principle allowing users to (i) choose their privacy settings upon installation, (ii) change them at any given moment, and (iii) be reminded of this possibility every six months. This principle is favourable to online advertisers, as opposed to a ‘privacy by default’ system that would prevent web browsers from storing web tracking tools – such as cookies – in the absence of users’ active choice. Cookies are small text files downloaded to the users’ browsers as they surf the web to carry information about the websites visited.

​

Cookies are subject to a prior consent rule allowing their use if (i) necessary for carrying out the electronic communication, (ii) provide an online request by the user (e.g., maintaining language settings), (iii) measure web audience, or (iv) upon users’ consent.

​

The sanctions for activities such as breaches of communications confidentiality requirements or failures in privacy-by-default obligations are much higher. In the first case, penalties may reach up to 4% of total worldwide annual turnover of the breaching firm’s preceding financial year or up to €20 million, whichever is higher, and for the second case, 2% or €10 million.

​

The Proposal introduces an obligation to identify the marketing nature of unsolicited communications (spam) in the case of marketing phone calls by adding a phone number or pre-fix that identifies them as such. Member States keep the prerogative to decide if the protection will be by default (opt-in) or if people will have to ask to be put on a do-not-call list (opt-out). For other types of unsolicited communications, such as e-mails, text messages, and calls from automated machines, prior consent is needed.  

​

The Proposal allows for new business possibilities, such as using metadata, with consumers’ consent. Metadata includes information on the websites visited, location, date and duration of phone calls, etc., from which conclusions may be drawn on individuals’ habits and private lives. This may lead to new services, for example traffic information based on heat maps that show the presence of individuals.  

 

​

While the Commission has extended an olive branch to businesses by establishing a ‘privacy by design’ system, the private sector is still not satisfied with the result. Even though businesses may continue using data driven advertising in order to fund free online content, they criticise the core provisions of the ePrivacy review. The private sector still believes that the ePrivacy Regulation covers the same issues as the GDPR, which may create legal uncertainty.

​

Further, as the ePrivacy Regulation does not include provisions on data retention, the harmonisation of the ePrivacy field will remain incomplete. Several Members of the European Parliament – such as Axel Voss, shadow rapporteur for the GDPR – agree, whereas others, such as Jan Philipp Albrecht, rapporteur for the GDPR, consider that the rights protected are different: protection of personal data in the case of the GDPR, and secrecy and integrity of communication systems in the case of the proposal for an ePrivacy Regulation.

​

The Commission’s intention was to remove cookie banners, which were strongly criticised by consumers, and has done so by moving the cookie consent settings from banners to browsers. Now the consumer must choose their privacy settings on their device when installing the software. It is yet to be seen if this new configuration is indeed more user-friendly. Businesses believe that the periodical reminders to consumers (every six months) of the possibility to withdraw consent will be damaging for online advertising, and still be bothersome for consumers.

​

​

All in all, this reform, welcomed by citizens, civil society and public authorities, and heavily criticised by the private sector, seems to have been watered down since its leaked version in December 2016. Consumers may be reassured that their privacy is being protected even when using the latest technologies, such as OTTs, since the Regulation’s stricter sanctions will incentivise compliance. Stakeholders can still take action to make their voices heard by the European Parliament and the Council of Ministers, so that their concerns are taken into account and the final text is more business-friendly.

 

​

By Pilar Córdoba Fernández and Katherine Dagg