Cybersecurity & Standards, European Policy, Free Expression, Government Surveillance

CDT’s Analysis of the European Commission’s proposed ePrivacy Regulation

The Center for Democracy and Technology (CDT) welcomes the European Commission’s proposal for a Regulation on Privacy and Electronic Communications (COM(2017)10) of 10 January 2017 (the ePR) to replace the 2002 ePrivacy Directive (ePD). The ePD “particularises and complements” the 1995 Data Protection Directive, and the replacement of that Directive by the General Data Protection Regulation (GDPR) in April 2016 creates the need to review and update the ePD.

In general, we support the Commission’s initiative to update and rewrite the ePD. We agree with many of the motivations and intentions behind it. However, we offer a number of observations about the approach taken by the Commission that we suggest should be taken into account as the proposal is considered by the European Parliament and the Council of Ministers.

We agree with the need to update the ePD in light of the adoption of the GDPR and developments in communications technology and business models. In particular, we agree with the necessity to provide clear safeguards for protecting confidentiality of communications. At the same time, we are concerned that the extremely broad scope of the draft ePR could create a number of unintended consequences for technologies that do not involve interpersonal communications, as well as conflicts with the GDPR. Further, the ePR provisions on online tracking are well-intentioned, but very detailed and prescriptive, and focus overwhelmingly on traditional website use and tracking via browser-based cookies; it is not clear that this approach will help enhance user control and transparency. The ePR’s exclusive reliance on consent in this context may be too restrictive given its broad coverage and may inhibit uses of data that have broad societal benefits. On this point, it is inconsistent with the GDPR, which not only reaffirms multiple legal bases for processing information but also acknowledges the privacy-protecting value of pseudonymisation in addition to anonymisation. The result is that the ePR may make some data uses completely unfeasible. Further, we fear that the draft ePR expands the ability of public sector agencies (not only law enforcement) to access a much wider set of electronic communications data than was the case under the ePD, and finally we argue that the ePR should recognize the ability of users and providers to use strong encryption technology to protect communications confidentiality.