The timing of the European Commission's (EC's) initiative to consult on the reform of the ePrivacy Directive is not surprising. The EC has waited for final approval of the General Data Protection Regulation, which will come into force in 2018. A first assessment of the documents suggests that over-the-top (OTT) providers should expect a heavier regulatory burden when guaranteeing the secrecy of communications data once the EC comes up with a proposal of reform. However, the issue of data retention, which is a key instrument to help public authorities tackle crime, is strikingly absent; this will require the EC to take further action in due course.
The issue of data retention is strikingly absent from the consultation documents
Having finally put to bed the reform of the data protection framework, the EC is rightly looking at updating more specific rules related to privacy in communications data by launching a consultation on the reform of the ePrivacy Directive. The directive dates back to 2002, with some updates passed in 2009. It complements the Data Protection Directive of 1995, which will fall away in 2018 when the newly approved Data Protection Regulation comes into force, and is part of the regulatory framework for electronic communications.
It is the right time to consider updates to this piece of legislation, for at least two reasons. First, the EC will have to ensure the new rules are consistent with the new data protection regulation. Second, the EC is currently engaging in the complex, but necessary, task of reviewing the whole regulatory framework for communications to ensure that it captures the most recent market developments.
In particular, any update or replacement of the ePrivacy Directive will have to take account of the current role of OTT providers in the communications landscape. The consultation launched by the EC during 2015 on a possible reform of the electronic communications framework shows that the EC is mindful of the impact of OTT providers in the market from a competition perspective. However, OTT communications providers should now expect that the EC will aim to impose obligations on them similar to the ones that were enforced on telcos in terms of secrecy and the protection of communications data. Not only will this help level the playing field between OTT providers and telcos, but it will also aim to enhance consumers' privacy and protection, as OTT communications continue to play an increasingly important role in the market.
In the consultation questionnaire, the EC is asking respondents whether the updated framework should apply to OTT providers, unlike the current one. The background document to the consultation also notes that national legislation in some countries has already been updated to reflect such a change, as shown by the Information Society Code adopted in Finland at the beginning of 2015.
The consultation on the ePrivacy Directive could have also been an opportunity to reconsider the role of communications providers in helping public authorities to tackle crime. The now-demised Data Retention Directive, which applied to telcos until the European Court of Justice struck it down in 2014, was in derogation to the ePrivacy Directive. Not only was it seen as disproportionate by the European Court of Justice, but it was also considered burdensome by telcos, which had to retain data for a long and often unnecessary period of time. However, this issue is strikingly absent in the consultation and in the related background document.
Given that states are trying to legislate on the same matter on their own, the EC should have included the topic of data retention in the consultation. The EC should now start to come up with a better framework, which should also require OTT providers to cooperate with authorities while not turning into a permanent snoopers' charter.
Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)
Regulatory Developments in Data Protection and Data Retention in the EU, TE009-000987 (July 2013)
Luca Schiavoni, Senior Analyst, Regulation