Data Protection Report - Norton Rose Fulbright

The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (the GDPR).


Since 2002, the ePrivacy Directive has provided a set of security and privacy measures to be applied specifically in the context of electronic communications in the EU. These measures were laid down to “particularise and complement” the Data Protection Directive 95/46/EC.

In its opinion dated July 19, 2016, WP29 notes the need for the ePrivacy Directive to be reviewed and for a new legal instrument that is consistent across the EU, which supplements and complements the obligations of the GDPR, and which is broad enough to cover the wide range of electronic communications services that exist today.


The specific recommendations of WP29 with regards to the review of the ePrivacy Directive are as follows:

Extending the Scope of the New ePrivacy Instrument

The way in which people communicate has changed significantly since 2002, and WP29 stresses the need for the scope of the new ePrivacy instrument to extend beyond traditional electronic communication services (such as internet service providers and telecom operators) to also cover “functionally equivalent services,” such as internet telephony (Voice over IP), webmail, and instant messaging.

WP29 also notes the need to provide clearer definitions of the terms “public electronic communications network,” “electronic communications services,” and “information society services” in order to extend the application of the revised ePrivacy instrument to these functionally equivalent services. This is required to ensure that there is no legal loophole in the protections afforded to communication secrecy in modern electronic communication services and infrastructure. In addition, WP29 recommends clarifying the meaning of “publically accessible private communications networks” to ensure that all publicly available networks and services (including WiFi services in hotels, shops and trains, and in networks offered by universities) are brought within the scope of the confidentiality requirements in the ePrivacy Directive. It also hints at harmonising the rules to achieve a consistent level of protection for both individuals and business subscribers.

Protecting the Confidentiality of Electronic Communications

Article 5 of the ePrivacy Directive sets out the requirement for communications to be kept confidential and for any interception or surveillance of communications to be undertaken only with the consent of the users concerned (unless an exception on the consent requirement applies). WP29 recommends that this restriction on the interception / surveillance / monitoring of electronic communications content is extended to ensure that:

  • Users are protected against interception of their communications regardless of whether they are direct electronic communications between users or communications within a defined user group (e.g. a conference call); and
  • The terms “interception” and “surveillance” are interpreted in the broadest technological sense, to include the injection of unique identifiers to the communication.

WP29 also recommends that the current exceptions to the consent requirement are reviewed to ensure that they are sufficiently precise. In particular, it should be clear that the use of data for advertising, marketing, product innovation or research purposes should never be allowed to override the requirement of prior consent for the interception of communication and related traffic data.

Broadening the Cookie Consent Rules

WP29 recommends rephrasing the cookies consent rule in Article 5(3) of the ePrivacy Directive so that it is as technologically neutral as possible and captures all tracking techniques used on smartphones and Internet of Things (IoT) objects. WP29 wants to ensure that the rules governing the collection of information from user devices or objects do not depend on the type of device or object owned by the data subject or on the technology employed by an organisation. These rules should also apply irrespective of whether data is stored inside of the terminal equipment or is processed elsewhere and made available through the relevant device. It may be hard to get consent from users of IoT objects and, if WP29’s recommendation on the cookies consent rule is adopted, it will be interesting to see how it will be complied with in practice.

Whilst recommending the broadening of the cookies consent rules, WP29 also invites the European Commission to consider the circumstances in which cookie consent will not be required, especially where the processing would have little or no impact on the right of users to the protection of their communication secrecy and private life.

Merging the Traffic and Location Data Rules

For the sake of clarity, WP29 recommends merging the provisions in the current ePrivacy Directive on traffic data and location data and requiring user consent for the processing of all these metadata, including when they are generated through sensors in user devices. At the same time, WP29 also recommends that the new ePrivacy instrument should include specific exceptions to the consent requirement to allow for processing of traffic and location data that causes little or no impact on users’ rights to secrecy of communications and private life.

Making the Consent Requirements More Robust

WP29 believes that the prior consent of the user should remain a key principle in the new ePrivacy instrument regarding the collection of metadata and content data and the use of tracking techniques.

At a general level, WP29 recommends that the new ePrivacy instrument should clearly refer to the GDPR provisions dealing with the definition, conditions and forms of the consent. More specifically, it recommends that the new ePrivacy instrument should prohibit “take it or leave it” approaches to consent that do not give users real choice regarding their processing and undermine the principle of freely given consent.

WP29 also recommends that instead of relying on website operators to obtain consent on behalf of third parties, manufacturers of browsers and other software or operating systems should be encouraged to enable effective user empowerment by developing and offering control tools within the browser that allow users to easily express and withdraw their consent. Again, this will be challenging in the context of IoT objects.

Further details on WP29’s recommendations regarding consent in the context of unsolicited communications are set out in section 8 below.

Protecting the Security of Electronic Communications

WP29 recommends that the security provisions in the revised ePrivacy instrument should not only protect the security and confidentiality of communications while in transit or stored, but also protect the security of end user devices. Among other things, WP29 endorses the development of minimum security or privacy standards for networks and services and the extension of the security requirements to apply to all software used in connection with the provision of communication services and to IoT objects. WP29 also recommends that “privacy by design” and “privacy by default” (as referenced in the GDPR) is applied in this context.

Deleting Specific Data Breach Rules

WP29 recommends that the provisions in the ePrivacy Directive around the notification of data breaches should be deleted to avoid duplication with the requirements in the GDPR and so one common baseline regime will apply across sectors and the EU.

Harmonising the Provisions on Unsolicited Communications and Electronic Marketing

WP29 recommends that the rules on unsolicited communications are rephrased to take into account new developments in how unsolicited communications are conducted. In particular, the new provisions should require the prior consent of recipients for all types of unsolicited communications, independent of the means (e.g. e-mail, behavioural advertising, voice or video calls, fax, text and direct-messaging).

In line with Article 7 of the GDPR, WP29 notes that it should be as easy to withdraw consent as it is to give it and that users should be able to implement such revocation simply (e.g. through the use of systems that provide an effective solution for a user-friendly revocation of consent), free of charge and without having to state a reason. WP29 also notes that consent must be specific. In particular:

  • Consent for inclusion in marketing lists to be used by third parties can be legally valid only if such consent is separated from, and not combined with, the consent for first party communications; and
  • The categories of products for which electronic communication may be sent and the categories of recipients must be clearly described before obtaining the consent, including where an organisation sends unsolicited communications on behalf of another.

Finally, WP29 notes that the current exception in Article 13(2) of the ePrivacy Directive around sending marketing communications to existing customers for similar products and services should be limited to a “reasonable level of marketing communications” and that parties should not be allowed to bombard users with an excessive number of marketing calls or messages. To this end, it also notes that the definition of “similar products and services” would benefit from clarification.

Harmonising the Provisions on Directories or Subscribers

Article 12 of the ePrivacy Directive gives users a right to determine whether their personal data are included in a public directory. WP29 notes that, because the wording of this article was prepared in a time where people used paper copies of telephone directories or called directory services, there is uncertainty around whether equivalent services from social networking or other information society services are within scope. It therefore recommends that the article is modernised and clarified to include all kinds of directory services and all kinds of service identifiers.

Harmonising the Enforcement Requirements

To ensure consistent and coordinated regulation and enforcement, WP29 recommends that the national data protection authorities are the competent authorities with regard to the new ePrivacy instrument. It also notes that sanctions should be harmonised to match with the sanctions provided in the GDPR.

Our Take

WP29’s opinion on how the ePrivacy Directive should be updated is not binding on the European Commission, and we will not know which recommendations are adopted until the European Commission provides its first draft of the updated Directive (which is expected by the end of 2016). Nevertheless, as with similar WP29 opinions preceding the adoption of the GDPR, it provides a good indication of how regulators will seek to interpret the existing legal framework– for  example, the UK Information Commissioner’s new Direct Marketing Guidance references some of the unsolicited communications innovations – and what the developments in the future legal framework might be.

The WP29’s focus on aligning with the GDPR is welcome for those who must interpret and implement the rules, but overall the picture is one of greater restriction on the use of communication data. The devil will be in the detail, and the challenge facing the European Commission will be how to draft the law to ensure that it remains relevant for future developments in technology, but also does not stifle innovation or impact user experience by imposing unworkable and cumbersome requirements.

In its news update on August 4, 2016, the European Commission published the first results of the ePrivacy public consultation, summarising at a high level the responses that it received. We will continue to monitor the European Commission’s publications and report on developments in this area.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.