Article 29 Working Party Opinion on the Proposed EU ePrivacy Regulation
The Article 29 Working Party (WP29) has released an Opinion on the Proposed EU ePrivacy Regulation, intended to replace the ePrivacy Directive and complement the upcoming EU General Data Protection Regulation (GDPR).
The Working Party’s Opinion on the proposed EU ePrivacy regulation was largely positive, welcoming the “choice for a regulation as the regulatory instrument” in keeping with the theme of seeking harmonization of data protection law across the EU.
WP29 noted that the proposed regulation “provides clarity for supervisory authorities and organizations alike,” ensuring GDPR consistency and acknowledging areas like the “protection of confidential communication and terminal equipment” that are not already addressed by the GDPR.
The Working Party offered its support of the proposed regulation’s “principled approach” of “broad prohibitions and narrow exceptions,” its strong focus on consent requirements, and its expansion in coverage to include Over-The-Top (OTT) providers like online video streaming services.
WP29 expressed satisfaction with the proposed regulation’s recognition that “metadata may reveal very sensitive data.”
Areas of Concern
The Working Party’s Opinion expressed areas of “grave concern” that the proposed regulation would “lower the level of protection enjoyed under the GDPR” and, as such, will likely need to be addressed in the legislative process.
First, the WP29’s Opinion is that the proposed regulation’s rules around WiFi tracking do not go far enough to ensure consistency with the GDPR’s focus on data subject rights. As a solution, the Working Party proposes that the European Commission “promote a technical standard for mobile devices to automatically signal an objection against such tracking.”
Second, the Working Party seeks a prohibition on processing communications data (including content and metadata) “without the consent of all end-users (senders and recipients),” with an exception for the processing of content and metadata for the user’s “purely personal purposes.”
Third, WP29 has requested “an explicit prohibition on tracking walls,” which are barriers used by some websites to block visitors unless they agree to third-party tracking. The reason for this is that tracking walls amount to “take it or leave it choices that force users to consent to tracking if they want to have access to the services,” and therefore interfere with European notions of fundamental rights of freedom of expression, and the right to access information.
Finally, the Working Party would like the required terminal equipment and software to offer “privacy protective settings” by default, with the ability for users to adjust these settings during setup, as well as browser settings that enable users to signal specific consent, and mandatory adherence to Do Not Track.
WP29 expects that their concerns will be addressed throughout the legislative process as we await the arrival of May 2018.