The DG CONNECT Privacy team is currently reviewing the e-Privacy Directive (2002/58/EC), which was adopted in 2002 and reviewed in 1999. The Directive was specifically addressed to telecoms companies, and looks to regulate issues such as cookies, treatment of traffic data, and confidentiality of information.
The review process is in its initial stages: public consultations are being held until July 5th, which is the deadline for responses. In order to find out more this, we had a Q&A session with Rosa Barcelo, Head of Unit Digital Privacy and Data Protection and Céline Deswarte, Policy Officer, European Commission.
After obtaining a Ph.D. in law in 1999 and working in for several private law firms, Rosa Barcelo joined the European Data Protection Supervisor in 2006 as a Legal Adviser. She then moved to the European Data Protection Unit where she was appointed Head of Unit in 2011. Céline Deswarte joined the eHealth Unit of DG CNECT in 2011 and the ePrivacy team of the unit Trust and Security in 2015, she primarily focuses on the view of the ePrivacy Directive.
Application Developers Alliance: When talking about the European Commission, we think about a single entity; however, each initiative or proposal is the product of a strong collaboration between DG's and Directorate's. Could you explain to mobile developers what the DG Connect's "Trust and Security Unit" is, and what does your team focus on?
Rosa Barcelo: DG CONNECT is the DG in charge of the new technologies. In this respect, it conducts crucial reforms such as the electronic communications framework package but also supports the funding of research and innovation in Europe through the Horizon 2020 programme.
The unit Cyber Security & Digital Privacy is part of the Directorate in charge of addressing online societal challenges. The cybersecurity side of the unit is responsible for the Directive dealing with the security of network and information systems, which should be adopted very soon and is considered as an important step in raising the level of cybersecurity in Europe. The team also coordinates the cybersecurity contractual public-private partnership (cPPP) that will be launched in June this year, as announced by the Digital Single Market Strategy. The main purpose of this partnership is to stimulate the competitiveness and innovation capacities of the digital security and privacy industry in Europe.
The Digital Privacy part of the unit deals with the review of the ePrivacy Directive, as well as various privacy issues emerging in the context of digital technologies.
Application Developers Alliance: After the adoption of the GDPR, the European Commission aims to review the e-Privacy Directive, always defined as lex specialis. What does it mean, and what is this piece of legislation about? What does it currently regulate?
Céline Deswarte: The ePrivacy Directive is a lex specialis legislation as it particularises and complements the Data Protection Directive (which will be replaced in 2018 by the General Data Protection Regulation, recently adopted) by, among others, setting up specific rules concerning the processing of personal data in the electronic communication sector (i.e. the telecom sector). It does so, for example, by requiring users’ consent before their phone numbers can be listed in a public directory, or by setting rules on spam. It also requires prior consent for storage of or access to any information stored on smart devices, when this is not necessary for the transmission of the communication or for the provision of an information society service requested by the internet user. This is generally done by storing cookies, spyware, malware, or hidden identifiers, etc. The rule seeks to protect the privacy of users' terminal equipment/smart devices, which nowadays is used to store a wide range of very personal information (pictures, contacts, etc).
The Directive allows for the information to be offered once, thus, excluding the need for website's to obtain informed consent in subsequent connections. In practice, the rule is implemented via cookie banners. The privacy risk caused by these identifiers is real. In fact, a survey carried out by national authorities competent to enforce the ePrivacy Directive showed that websites place many cookies not necessary to provide the service. More than 16,000 cookies were set across 478 websites; 70% of which primarily sought to track citizens online and to develop profiles of their lives, in order to serve them with tailored advertising
Finally, as it is lex specialis, anything that is not specifically addressed in the ePrivacy Directive is regulated by default by the Data Protection Directive; soon to be replaced by the General Data Protection Regulation (hereafter the "GDPR").
Application Developers Alliance: What are the goals that the European Commission aims to achieve through the review of the e-Privacy Directive?
Céline Deswarte : The review of the ePrivacy Directive started just after the political agreement on the GDPR.
The review of our Directive first seeks to guarantee legal certainty for all players and to provide a coherent and harmonised legal framework for data protection in Europe. This will be achieved by seeking in particular consistency between an ePrivacy instrument and the newly adopted GDPR. This implies considering whether some of the provisions of the ePrivacy Directive are already sufficiently covered by the GDPR (e.g. personal data breach notification duties).
Another important objective of this review is ensuring a level playing field for all market players. This means that it is crucial that providers of electronic communications services (i.e. traditional telecoms companies), and information society service providers using the Internet to provide communication services (e.g. text messaging services, voice over IP) have to comply with the same rules, given that they compete with one another. Currently, only traditional telecom providers have to comply with the rules of the ePrivacy Directive. This objective is obviously linked to the underlying need of updating the legislation in the light of technological developments and ensuring also that the text is future-proof to pass the test of time.
Finally, we will also look into possible measures to make Europe more trusted and secure online, for instance by increasing overall the confidentiality of communications, which is a key principle of the ePrivacy Directive.
Application Developers Alliance: The public consultation on the e-Privacy Directive closes on July 5th When can we read the results and understand the actions the Commission will undertake in the future?
Rosa Barcelo: The Commission intends to publish the responses soon after with a short summary. A more detailed staff working document will be released by the end of the year at the same time as our impact assessment that should accompany a possible legislative proposal.
Application Developers Alliance: How could industries, entrepreneurs, digital start-ups help and assist institutions when developing the most effective and progressive policies on innovation?
Rosa Barcelo: The Commission is currently undergoing a wide consultation exercise of all the interested stakeholders through the launch of a public consultation that you mentioned, a Eurobarometer survey to be conducted during this summer, 2 workshops with stakeholders that took place in April and finally through numerous ad hoc meetings. We, of course, encourage entrepreneurs and digital start-ups to provide their input via one of these channels.