What is the e-Privacy Directive?
The e-Privacy Directive (ePD) is a Directive covering specific privacy and data protection issues in the electronic communications sector. It was adopted in 2002 and revised in 2009. The official text of the current version can be found here.
Why do we need this instrument?
The ePD was created to ensure privacy and to protect personal data in the electronic communications sector by “complementing and particularising” matters covered in a general way by the main legal instrument, the Directive on Data Protection, now the General Data Protection Regulation (GDPR). For example, the confidentiality of the content of communications and information which is stored or accessed on an individual’s device is protected under the ePD. The GDPR does not specifically cover this.
Confidentiality of communications is very complex. It covers not just your right to privacy and data protection, but also your freedom of communication and freedom of expression. Without legislation providing clarity on what these fundamental rights mean in this complex environment, the protection of confidentiality and security of communications would be less predictable and less enforceable. Lack of precise rules also makes it more difficult for companies to develop new and innovative services.
Isn’t the General Data Protection Regulation (GDPR) enough?
Although the GDPR covers many issues related to data protection, it does not cover, directly and precisely, the right to privacy and, in particular, the right to freedom of communication, which are two distinct fundamental rights. Therefore, the ePD is a necessary layer of precision to ensure predictable, effective protection of rights that are not covered precisely enough in the GDPR. Furthermore, the ePD also covers activities for which the processing of personal data is not the main issue at stake, such as the sending unsolicited messages (for example email spam or direct marketing). It also provides a framework for protecting the security of information stored on an individual’s device. It is important to remember that the ePD is not about creating new rights, but complementing existing rules, for the good of individuals and businesses alike.
The need for legislation on privacy and security of personal data in the electronic communications sector is increasing. Online tracking and the monitoring of e-mails for advertising purposes are on the rise, while telecommunications companies try to emulate internet companies by cashing in on the masses of customer data they hold, including location information. Furthermore, the ePD needs to be updated to meet the latest technological developments, such as the use of instant messaging instead of SMS or e-mail.
Which fundamental rights are affected by the ePD?
- The fundamental right to confidentiality of communications, enshrined in Article 7 of the Charter
The new instrument replacing or revising the ePD should expressly clarify that this principle applies fully to data relating to online activities and communications, including traffic and location data as currently defined in the e-Privacy Directive. Furthermore, it should also apply to any similar data created or used in the online environment, such as location data, browsing data, e-book usage patterns, mobile app use, search queries, etc. and any new data produced therefrom. The new instrument should also bring clarity with regard to the implementation of privacy by design and by default in this context.
- The fundamental rights to protection of personal data and freedom of expression, as enshrined in Article 8 of the Charter
For most people in the EU the easiest way to access information involves the internet. To protect this, the revised instrument should ban obligations to consent to tracking of one’s activities and subsequent profiling and automated decision-making (for example by accepting cookies before being allowed to enter a website). This is particularly important when accessing information regarding issues linked to sensitive data or when accessing website or services provided by the public sector.
What activities are covered in the ePD?
- the confidentiality and security of communications
- traffic and location data produced by personal devices
- tracking of users, including by using personal devices (e.g. for behavioural advertising purposes)
- security measures in personal devices
- itemised billing
- calling line identification
- public and private directories
- spam and unsolicited calls for marketing purposes
- data breach notifications (later specified by EU Regulation 611/2013)
Which aspects need an update?
All aspects of the eDP related to online activities – such as the confidentiality and security of communications and personal devices, and the tracking of users – need to be updated to correspond to new and potential future technological developments. The rules on itemised billing, directories of users, and unsolicited communications need to be reassessed, to check if they are in line with the GDPR. Some of its aspects, such as how data breaches should be dealt with, do not require a specific legislation and can be removed. Therefore this could be solved by referring to the GDPR, to avoid redundancy.
I am tired of banners telling me to accept cookies. Will this bring more of these?
The ePD currently tries to give users some control over online tracking. However, it does so in a rather blunt way. In light of experience and technological developments, the provision regulating cookies in the ePD should be refined and allow for user friendly mechanisms for expressing consent.
As we have explained in a previous blogpost, one of the ways you leave digital traces behind while surfing online are cookies. They are bits of information that get automatically installed into your device while visiting websites. Revised rules regulating cookies in the ePD should allow smoother browsing by removing obligations for consent for cookies that do not involve the collection and further processing of personal data, such as the tracking of users and devices via third parties. This would apply, for example, to statistics related to which parts of a website are visited the most collected by the owner of a website (“first party analytic cookies”) that do not involve unnecessary processing of personal information. Generally, we refer to the guidelines on cookies issued by the Article 29 Working Party on this regard.
How is this connected to the protection from mass surveillance?
We can unquestionably expect an expanding use of personal electronic devices (like smartphones, tablets, personal computers) and related technologies that are connected to the Internet (for example the Internet of Things). This development creates new opportunities for communicating online, but also bears risks for confidentiality and other fundamental rights. Online communications often involve many parties and cross national borders, without users being fully aware of these facts.
We agree with the European Data Protection Supervisor (EDPS) that number and frequency of requests from governments to internet services (Twitter, Gmail and any others) should be made public so that individuals get a clearer picture on how these invasive powers by governments are used in practice. If the public is aware of the government’s conduct, it will be in a better position to hold the government accountable. More transparency in this context could therefore help with restoring people’s trust in the electronic communications sector.
How does it relate to the security of my electronic devices, such as my smart phone?
The GDPR includes security obligations when it comes to the processing of personal data, while the ePD allows for the inclusion of security obligations that are more specifically tailored to our online communications. These security obligations should not only apply to electronic communications providers (telecoms), but should also cover, for example, app developers and the suppliers of individuals’ electronic devices. The companies behind apps and devices are not always the main legally responsible actors. However, given their important role protecting the security and confidentiality of personal communications, they should also be subject to security requirements. More specifically, we refer to the recommendations about security and privacy requirements for operating system suppliers, device manufacturers and other relevant stakeholders issued by the Article 29 Working Party in its Opinion 8/2014 on the Internet of Things.
This FAQ has been prepared jointly by the EDRi Brussels office and EDRi members Open Rights Group, fIPR, Bits of Freedom, Access Now, Panoptykon and Privacy International.