Draft EU ePrivacy Regulation Ambitious, Well-Intentioned… But Too Broad and Prescriptive

In January 2017, the European Commission released its draft ePrivacy Regulation (ePR). This legislation is intended to replace the ePrivacy Directive, adopted in 2002 and updated in 2009. According to the Commission, the ePR is necessary not only to keep pace with technological and market changes but also to ensure the legal protections around confidentiality of communications are consistent with the General Data Protection Regulation (GDPR). Readers will recall that the GDPR – adopted last year and coming into effect next year – governs personal data collected and processed about EU residents, while the existing ePrivacy Directive and this newly proposed ePR are specific to communications content as enshrined by the right to respect for private life under Article 7 of the EU Charter of Fundamental Rights.

The draft is very complex, ambitious and broad in scope. In our analysis, CDT makes a number of observations and suggestions.

Overall, we support the Commission’s decision to rewrite and update the aging 2002 ePrivacy Directive. The Directive defines electronic communications services narrowly and does not take account of the plethora of new internet-based voice communication and messaging services. As these services have evolved, it is appropriate to safeguard the confidentiality of communications across the full range of technologies. Traditional telecommunications services are protected against unwarranted interception, monitoring, and interference by third parties, and the same legal protection should also apply to new internet-based communications services. With the new ePrivacy Regulation, the Commission intends to ensure the confidentiality of communications and a high level of protection for personal data in today’s electronic communications environment. We applaud the ambition and intention behind the proposal.

However, the draft Regulation has such a broad scope that it covers not only interpersonal communications services but also machine-to-machine communications and applications across the Internet of Things, regardless of whether or not they involve the transmission of personal data. Such a broad scope raises the possibility of unintended consequences for the existing online ecosystem and of unduly inhibiting innovative new products and services. Further, the broad range of services included, together with the broad definition of data in the draft ePR, raises the prospect that almost all personal data may become subject to ePR rules rather than to the rules adopted in the 2016 General Data Protection Regulation.

The draft ePR reflects policymakers’ justified concerns about the privacy risks associated with pervasive and opaque tracking of people’s online activities. We share these concerns. The objective must be a digital environment in which users can trust the digital and communications services they use. It is essential that users understand how data about them is collected, used and shared when they engage with digital products and services. They must be able to make informed decisions about what services they wish to engage with and under what terms. The rules should enable transparency and control for end users and at the same time enable provision of a broad range of innovative communications and other digital services and products.

While the ePR acknowledges this larger goal, its provisions are largely focused on regulating the use of cookies as employed in traditional website interactions. They include very specific rules on how browsers should behave with regard to first-party and third-party cookies. These very prescriptive proposals are unlikely to be relevant to the many new forms of connected devices and the services they will be used for. The proposed rules may be too detailed and not flexible enough to accommodate the innovation that is needed in order to create the transparency and user-control solutions we would like to see.

Further, in our reading of the proposal, we are concerned that the draft ePR does not adequately protect against broad access by public sector authorities to personal data under the regulation. Under current rules, only law enforcement authorities can request personal data subject to warrants or court orders, but the draft ePR seems to enable public sector agencies to access much broader categories of data for a much broader range of purposes (e.g., taxation, healthcare, and social services). We would like to see the protections strengthened in this area. Finally, we think the proposal should state affirmatively the right of both end users and service providers to use encryption technology to secure communications. Politicians from several countries have called for various types of “backdoors” that would allow the state access to encrypted communications. This would seriously undermine the security of online communications. In our view, the ePR must address this concern and provide strong safeguards.

Much debate will be taking place about the draft ePR. We hope our paper can serve to inform this debate and that policymakers will take the points we raise into consideration.