Alongside the 1995 Data Protection Directive (DPD) sat the 2002 ePrivacy Directive (ePD), explaining how the DPD should be applied in the specific context of electronic communications. In fact, particularly after it was amended in 2009, the ePD did a bit more than that, as it turned out to be a convenient place to insert new ideas such as breach notification and incident response during the lengthy process of developing the General Data Protection Regulation (GDPR).
In 2016 the GDPR text was finally agreed, incorporating most of the ideas from the ePrivacy Directive. Nonetheless, following consultation, the European Commission proposed that the GDPR, too, should have an accompanying ePrivacy Regulation (ePR) for the electronic communications sector. According to the Commission this was needed to deal with:
- New Players: Over-the-Top services that look like phone/messaging but are currently regulated differently;
- Stronger Rules: Regulation rather than Directive;
- Regulating both content and metadata;
- New Business Opportunities: all based on user consent;
- Cookie simplification: to address the problem of “cookie fatigue”;
- Spam protection: opt-in for marketing by all electronic media (not just email), possible mandatory marking;
- Enforcement: by Data Protection Authorities rather than Telecoms Regulators.
The Commission’s draft was published in January 2017, with the intention that it would come into force alongside the GDPR on 25th May 2018. That didn’t happen. In December 2017 the European Parliament agreed that 168 amendments were needed. These are generally more privacy-protecting than the Commission’s draft, for example on tracking/cookie walls and privacy by design. As of July 2018, the European Council is still discussing its proposed amendments to the Commission draft, in many cases heading in the opposite direction from the Parliament. In the meantime, the combination of new GDPR and ten-year-old ePD – which was never supposed to exist – is becoming increasingly awkward to work with.
Since there’s still quite a way to go before the bodies even start to discuss how to reconcile their differences, it’s worth identifying the areas where there is general agreement, so a reasonably clear legislative future to design for, versus those where there is still disagreement, so likely to be continuing uncertainty. Of the areas most relevant to educational institutions, the following seem pretty clear:
- Opt-in location-based services. All parties seem happy that an app that tells me where the nearest free terminal is, or guides me to my next lecture, should be fine. The actual design of those apps can make a significant difference to the risk they represent;
- Counting mobile devices in a location. All parties seem to agree that some types of “statistical counting” are acceptable; identifying popular hotspots seems to be the least intrusive of these. As discussed below, though, applications that involve tracking devices over time are more contentious;
- Cookie classes. All the kinds of cookies that were exempt from the consent under the ePD are likely to retain that status (though many will require notice under the GDPR). As proposed by Regulators in their 2012 Opinion, “audience measuring” has been added to the exemption, though it is not clear how far this can be combined with other uses such as advertising. The ICO’s notice on its own website analytics is worth keeping an eye on.
- Security. There is general agreement on the principle that using communications data to improve the security of systems is a good thing. The actual text that is supposed to enable this is, however, a self-contradictory mess!
By contrast there are still significant differences between the positions of Commission, Parliament and Council on the following, so planning in these areas should include the possibility that the law may change significantly:
- Location tracking. Applications that record a sequence of locations of a mobile device cover a wide range of privacy intrusion, and it’s not clear where the boundary of legal acceptability will be drawn. Legislators all seem to like queue-measuring applications – recording how long devices are stationary before moving to the other side of an airport security check, for example – but academics have also discovered that just four or five location points may be sufficient to uniquely identify an individual. Any plans in this area should ensure that they include strong privacy safeguards: data minimisation, short retention times, technical and organisational controls, etc. And be aware that they may become unlawful as the result of either a legislative decision (in which case there will probably be a (de-)implementation period) or court ruling (in which case there will not);
- Cookie walls. The ePR is clear that some cookies require consent; the GDPR is clear that consent cannot be linked to the provision of a service. Yet there is still a considerable range of views on whether it is lawful for a website to refuse service to those who do not accept additional cookies. Websites should at least ensure that they know which cookies are, and are not, necessary for the technical operation of the service. And probably have a Plan B for the latter (if any) in case separate, opt-in, consent does become a legal requirement.
- Browser requirements. Since the original 2002 Directive, it has been envisaged that websites would be able to rely on browser settings to obtain consent. In other words “if you accepted my cookie, it must be because you’ve positively consented (via browser settings) to that”. Unfortunately for that idea, pretty much all browsers accept cookies by default. The Commission and Parliament proposals would finally have opened up this possibility by requiring browser defaults to reject (most) cookies but, after many months of discussion, the Council now seems to have decided the whole thing is too hard and is proposing deleting that Article. That means websites probably do still need to obtain opt-in consent for any cookies that aren’t covered by the exemptions (see ‘Cookie classes’ above) and users will still suffer from “consent fatigue”.
- Marketing. I wasn’t sure whether to include this in ‘clear’ or ‘unclear’ since it seems highly unlikely that the current situation will change. Post-Regulation there will still be endless discussions over what constitutes marketing, whether sending to business addresses counts, what constitutes a valid ‘opt-in’, etc. There may even be a new definition to debate, if the final text differentiates between advertising that is “sent” versus “presented”…