After the approval of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP), the reform of data protection and privacy in the European Union (EU) now reaches the next step: the review of the e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications).
The e-Privacy Directive contains specific rules on data protection in the area of telecommunication in public electronic networks. It is hugely important, as it is the only EU legislation that regulates confidentiality of communications. Unsurprisingly, after the huge lobbying effort against the GDPR, parts of the telecoms and online industries are now hard at work to completely destroy the e-Privacy Directive.
The purpose of the legislation is to “complement and particularise” matters covered by the general data protection legislation (formerly the 1995 Directive on Data Protection, the predecessor of the GDPR). Specifically, the e-Privacy Directive (ePD) regulates aspects related to the right to confidentiality of communications and the right to freedom of expression. The importance of these fundamental rights (in addition to the right to data protection) in the increasingly interconnected environment of Big Data and the Internet of Things is obvious. Because of the impact that this norm has on EU citizens, EDRi advocates for the update of the ePD to make it as future-proof and effective as possible in light of the latest legal and technological developments.
As a minimum, the revision should take into consideration the following issues:
- As an instrument to refine and give meaning to both general data protection law and the fundamental rights to privacy of communications and freedom of expression, maintaining and modernising the Directive is essential.
- The new instrument replacing the ePD should be a Regulation, rather than a new Directive.
- There is a need for new, clearer rules on the use of technical mechanisms for what is often called “behavioural advertising” or “online tracking”.
- References to “value added services” and “publicly available communication services” need to be reviewed in the light of recent technological developments.
- Definitions need to be aligned with the GDPR/LEDP.
- Geographical information, traffic data, location data and any other personal data processed should be reduced to the least-precise (least-granular, least-invasive) type needed for the relevant (initial or subsequent) purpose for which they are collected and used, and should be deleted as soon as they are no longer needed for the initial or subsequent purpose, in line with the principles of “data minimisation” and “purpose limitation”.
- The exemptions in Article 15 of the e-Privacy Directive need to be harmonised.
- Data Protection Authorities, not Telecoms Regulators, should be in charge of enforcing the successor of the e-Privacy Directive.
In order to inform policy makers about the importance of the instrument and the reforms that are needed, we have produced the following analysis. Our analysis details the main issues that the instrument replacing the ePD should cover and why.
Regarding the need to maintain a specific legal instrument on e-communications and other similar questions, we are also preparing a “FAQ” document on the ePD that will be published soon here.