So, 2017 is full of promises! One of them is the proposed ePrivacy Regulation (officially, ‘Regulation on Privacy and Electronic Communications’) that the European Commission (EC) has suggested should replace the existing, old-fashioned ePrivacy Directive (Directive 2002/58/EC on Privacy and Electronic Communications). The proposed ePrivacy Regulation – which would represent a significant evolution in the EU privacy law framework – was indeed made public this week and is, for all privacy advocates and lawyers, an absorbing read.
The proposal as such comprises 35 pages. But there is obviously more than this document. One can also read the Ex-post REFIT ePrivacy Directive Evaluation (the results of the evaluation of the Directive carried out under the Regulatory Fitness and Performance Programme), as well as its Impact Assessment which is divided into 3 parts.
The object of this post is to highlight some of the changes that the ePrivacy Regulation could bring if it were adopted in its current proposed version.
The strategy pursued by the EC can be summed up in a few words: “Measured reinforcement of privacy/confidentiality and simplification,” also referred to as “Option 3”.
The first remark that I will make is that the EC has [for once] read quite carefully the recent judgments of the Court of Justice of the European Union (CJEU). You surely remember that just before Christmas the CJEU had, in its Tele2 Sverige judgement, outlawed general and indiscriminate obligations to retain traffic and location data covering all persons, all means of electronic communication and all data without any distinctions, limitations or exceptions for the purpose of combating crime… while recognising the validity of targeted retention obligations (commented about here). In the wake of this CJEU decision, commentators have debated whether general retention obligations could still be validly adopted by EU Member States.
Well, this is what the EC says at p. 3 of its proposal:
“Member States are free to keep or create national data retention frameworks that provide, inter alia, for targeted retention measures, in so far as such frameworks comply with Union law, taking into account the case-law of the Court of Justice on the interpretation of the ePrivacy Directive and the Charter of Fundamental Rights.” [my emphasis]
Remember the words of the leaked version of the proposed ePrivacy Regulation? This is what the EC had written before the Tele2 Sverige judgment:
“Therefore, Member States will remain able to establish or maintain national data retention legislation, so far as they comply with the general principles of the Union law, including the respect of fundamental rights under the Charter.”
The EC is thus taking a more exact position, isn’t it? And can we now really criticise the proposed ePrivacy Regulation for not creating a harmonised regime for data retention obligations?
Second, and this was clear to many already, the EC proposes to extend the scope of the existing ePrivacy Directive by targeting over-the-top service providers (OTT providers). As you might remember, this necessity was in some ways also clear to the CJEU itself, which in Tele2 Sverige AB had conceived the domain, ratione personae, of the principle of confidentiality of communications quite broadly.
Notably, Recital 12 of the proposed ePrivacy Regulation specifies that the principle of confidentiality should apply to “the transmission of machine-to-machine communications.”
For the beauty of it, I’ll reproduce Article 5, where the new formulation of the principle of confidentiality sits:
“Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.”
The proposed ePrivacy Regulation is not ‘simply’ about creating a more stringent framework for Internet and online service providers. It is also about creating effective and sensible protection. This thus means that at least one set of existing rules needs to be loosened:
“For example, the consent rule to protect the confidentiality of terminal equipment failed to reach its objectives as end-users face requests to accept tracking cookies without understanding their meaning and, in some cases, are even exposed to cookies being set without their consent.” (p.5)
This is the aim of Article 8 entitled “Protection of information stored in and related to end-users’ terminal equipment.”
What is particularly fascinating, for those interested in the distinction between content of communications and metadata, moreover, is that the concept of ‘metadata’ is now on the verge of getting legal recognition. The expression ‘traffic data’ is indeed suggested to be replaced by that of ‘electronic communications metadata’.
Article 4(3)(c) defines ‘electronic communications metadata’ in the following way:
“‘electronic communications metadata’ means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.”
Recital 2 adds:
“These metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc…”
And Recital 14:
“Electronic communications metadata may include information that is part of the subscription to the service when such information is processed for the purposes of transmitting, distributing or exchanging electronic communications content.”
Furthermore, just as the CJEU did in Tele2 Sverige, the EC acknowledges that “metadata derived from electronic communications may also reveal very sensitive and personal information.” (Recital 2).
Nevertheless, it would seem that the EC is going further than the CJEU in relation to this issue, as in the end the latter decided in Tele2 Sverige to maintain a hierarchy between content and metadata, as explained in my previous post on Tele2 Sverige.
With this said, the category of ‘electronic communications content’ (as opposed to its metadata) seems to be defined quite narrowly in the proposed e-Privacy Regulation, at least in comparison to some prior understanding.
Article 4(3)(a) states that:
“‘electronic communications content’ means the content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound.”
This definition would thus be narrower than that of packet payload (compare my earlier post on that distinction) and would exclude certain types of application-level metadata, but arguably not all types of application-level metadata, such as subject lines of emails for example.
Yet, as a reminder, in the UK, URLs are considered content data. See, for example, the Acquisition and Disclosure of Communications Data Code of Practice issued by the UK Home Office (para. 2.25).
Could this narrow definition proposed by the EC be problematic at all? This can be debated, as with the proposed ePrivacy Regulation it now seems that communications content and metadata are broadly speaking set on the same level: both interferences with content or metadata can lead to interception [and, the “or” in that phrase is important].
Recital 15 specifies that:
“Interception of electronic communications data may occur, for example, when someone other than the communicating parties, listens to calls, reads, scans or stores the content of electronic communications, or the associated metadata for purposes other than the exchange of communications.”
And, as if it was not clear, the following sentence adds that “Interception also occurs when third parties monitor websites visited, timing of the visits, interaction with others, etc., without the consent of the end-user concerned.”
This is quite significant, as if I take, for example, the old definition of ‘interception’ to be found in the UK RIPA (section 2), one only finds references to the content of communications (interferences so that “some or all of the contents of the communications is made available”).
The new UK definition of ‘interception’ to be found in section 4 of the new Investigatory Powers Act (IPA) of 2016 is drafted along the same lines and targets relevant acts the effect of which “is to make any content of the communication available, at a relevant time, to a person who is not the sender or intended recipient of the communication.”
Recital 15 makes it clear that interception targets communications in transit: “The prohibition of interception of communications data should apply during their conveyance, i.e. until receipt of the content of the electronic communication by the intended addressee. Interception.”
Does it mean that it could become easier for certain competent authorities to access certain types of application-level metadata, such as URLs?
Generally speaking, would it become easier with the proposed ePrivacy Regulation for providers of electronic communications services to process metadata than it was before?
There seems to be a short answer to this question. Recital 17 states that “[v]is-à-vis Directive 2002/58/EC, this Regulation broadens the possibilities for providers of electronic communications services to process electronic communications metadata, based on end-users consent.” [I am wondering, is this really true? Isn’t it the case that there is a broadening even in cases in which there is no consent?]
Article 6 of the proposed ePrivacy Regulation deals with the processing of electronic communications data in general. (Electronic communications data comprises both metadata and the content of communications). Reading Article 6, it seems that:
- It would be possible to process the contents of communication “to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors in the transmission of electronic communications, for the duration necessary for that purpose.”
- Metadata can be processed without consent when “it is necessary to meet mandatory quality of service requirements pursuant to [Directive establishing the European Electronic Communications Code] or Regulation (EU) 2015/2120 for the duration necessary for that purpose”.
Remarkably, Recital 18 reads as follows:
“End-users may consent to the processing of their metadata to receive specific services such as protection services against fraudulent activities (by analysing usage data, location and customer account in real time).”
Yet, Article 6(2)(b) provides that:
“Providers of electronic communications services may process electronic communications metadata if:…
it is necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services.”
What do readers think? Is the EC a good pupil?
Sophie Stalla-Bourdillon
So, recital 15 seems to suggest that third-party advertising is “interception” – but not on the grounds that anything is really intercepted, instead on the grounds that it is non-consensual. That makes me uncomfortable. To my mind, given that tracking in that context takes place only with the express agreement and involvement of the first party website, it would be better framed as non-consensual data sharing by the first party. No message was intercepted during transit, instead, a new message was created by the first party website and sent to the third party, containing information about the previous interaction.
In many ways – and I can’t believe I agree with the IAB – that seems to be covered by the standard justification and fairness requirements of the DPD/GDPR. To my mind, cross-website tracking in order to target advertisements is (99.99% of the time) a purpose that’s different to what was intended when the user visited the first party website, and so another legitimate interest or consent-basis should be sought a) by the first party website to initiate a transfer of data to the third party, and b) by the third party to perform any processing on the received data.
Thanks Richard for the comment!