The Proposed E-Privacy Regulation and AdTech: An Update

This article is an update to my previous article ‘The e-Privacy Regulation: An Overview’ to set out the current position.

Introduction

The e-Privacy Regulation (“ePR”) will replace Directive 2002/58/EC (Directive on Privacy and Electronic Communications), or the “e-Privacy Directive”. The e-Privacy Directive protects the confidentiality of electronic communications and applies to providers of publicly available electronic communications services. It also governs the processing of traffic and location metadata, the use of tracking technologies such as so-called ‘cookies’, and direct marketing by electronic means.

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) was introduced to bring data protection law up to date with technological advancements. The intention is that the rules relating to electronic communications data will likewise be updated to cover developments since the e-Privacy Directive was enacted, such as web-based email and messaging services, Voice over Internet Protocol (“VoIP”), and the tracking of online behaviour.

In the United Kingdom (“UK”), the Privacy and Electronic Communications Regulations 2003 (“PECR”) implements the e-Privacy Directive. The UK has left the European Union (“EU”) and the e-Privacy Directive no longer applies. However, the PECR has been preserved in UK law as retained EU law by way of section 2 of the European Union (Withdrawal) Act 2018. The UK will introduce legislation to update the PECR in due course, although there have been no announcements that indicate when this can be expected. The GDPR is also preserved as retained EU law and is now referred to as the ‘UK GDPR’ (see my previous blog article ‘Brexit and Data Protection in the UK’).

As the UK has left the EU, the ePR, when it comes into force, will not be directly applicable in the UK. However, the ePR will apply to the processing of electronic communications data or personal data of end users who are in the EU, regardless of whether the processing takes place in the EU and whether the service provider is established or located in the EU. UK businesses caught by this provision will therefore need to comply with the ePR.

The proposals in the ePR

The ePR will affect those businesses that provide ‘over-the-top’ services (e.g. Whatsapp, Skype, Zoom), the internet of things, and browsers. It will also affect any business that operates websites and advertises using electronic methods, where the end users are in the EU. Like the GDPR, the ePR includes large fines for failing to comply.

The first draft of the ePR was introduced by the EU Commission in January 2017 and has been under negotiation ever since. There have been numerous changes to the draft text and there is no guarantee that the most recent draft will become EU law. However, in February 2021 there was a significant step forward when the Council of the EU agreed its negotiating mandate and adopted a text (see here). The draft text includes the following:

  • Extends the scope of the rules on electronic communications data to include machine-to-machine data transmitted via a public network.
  • Introduces the concept of compatibility in further processing of metadata: any further use of metadata must be in line with the original purpose for its use (but cannot be used to create a profile of the end user, or shared unless anonymised).
  • Specifies conditions where processing on end-users’ terminal equipment without consent will be allowed.
  • Requires service providers to carry out Data Protection Impact Assessments before sharing anonymised electronic communications data with third parties and to provide users with more information.
  • Permits ‘cookie walls’ only where certain conditions are met.
  • Enables users to provide consent to the use of cookies by ‘whitelisting’ particular providers in their browser settings.

Data protection and privacy concerns

There are two main issues that have been a hurdle in reaching agreement on the draft text: data retention and ‘legitimate interests’ in the use of electronic communications data.

Pro-privacy advocates would like the ePR to require the erasure, or anonymisation, of all electronic communications content once it is no longer necessary for the initial purpose of the processing. The same would apply to metadata once it is no longer needed to transmit the communication, except where it is needed for billing, in which case it could be kept only for a specified period. This approach would not include a national security exemption and is in line with the recent case law of the Court of Justice of the European Union that set limits on the mass retention of data for national security purposes (see my blog article ‘mass surveillance of electronic communications: recent developments’).

The draft ePR however proposes in Article 7(4): “Union or Member state law may provide that the electronic communications metadata is retained, including under any retention measure that respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, in order to safeguard the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the safeguarding against and the prevention of threats to public security, for a limited period.”

There were also concerns that a previous draft of the ePR permitted reliance on ‘legitimate interests’ to process electronic communications content and metadata, and to access an end user’s terminal equipment, without consent. This has been removed in the most recent draft, which reflects the position of the European Data Protection Board (“EDPB”), which in 2018 objected to the processing of metadata on such open-ended grounds (see here).

Cookies and Direct Marketing

Cookies have been a controversial topic for some time. The issue has been the use of cookies and other tracking methods by companies on their websites to profile website users and then sell this information to third parties for advertising purposes (often referred to as ‘AdTech’). This method of generating revenue may be crucial to certain businesses. However, the onward sharing of data with a large number of companies has raised concerns about transparency and data security.

The introduction of the GDPR has made cookie compliance more complex for companies that rely on AdTech. First, the GDPR broadens the definition of personal data so that online identifiers come within its remit (Article 4(1) GDPR and UK GDPR, Recital 30 GDPR). As such, tracking methods that directly or indirectly identify a person, whether through an email address, a unique cookie identifier, an IP address or any other device or operating-system identifier, must comply with the GDPR/UK GDPR.

Second, while the PECR requires consent for the use of such cookies, the GDPR sets a higher standard for what counts as consent. This means that, for those cookies that require consent under the e-Privacy Directive/PECR, the consent must be freely given, specific, informed and unambiguous (given by a clear affirmative action), and it must be as easy to withdraw as it was to give. The EDPB guidelines on consent adopted in May 2020 made clear that making access to a website conditional on accepting cookies (a so-called “cookie wall”) does not constitute valid consent.

Despite the GDPR’s impact on cookie walls, they are not disappearing any time soon. The proposed draft ePR permits cookie walls so long as the website visitor is provided with clear, precise and user-friendly information about the purposes of the cookies. The provider must also make an equivalent offer that does not require consent to the use of the user’s data for additional purposes. The draft ePR further requires that alternatives to the service exist, so that any imbalance of power between the end user and the service provider can be redressed.

The e-Privacy Directive permits a “soft opt-in” to direct marketing where the recipients are existing customers whose details were obtained in the course of a sale, who were given the chance to refuse marketing at that time and did not do so, and who are given the opportunity to opt out in each subsequent marketing message. The latest version of the ePR does not change this approach, so it appears that companies will continue to be able to rely on the ‘soft opt-in’ for electronic marketing.

Recent developments in AdTech

In general, there is growing public fatigue with cookie consent banners. The public has also become more aware of the use of cookies in targeted and personalised advertising and more concerned about the extent of onward sharing of their personal data. At the beginning of this year the UK Information Commissioner’s Office (“ICO”) resumed its investigation into the practices of the AdTech industry and real-time bidding (see here).

However, another development may be more damaging to the AdTech industry than any change in regulation or future investigation. A significant step has recently been taken by Apple Inc (“Apple”). In April 2021, with the release of iOS 14.5, Apple began enforcing its global ‘App Tracking Transparency’ policy, which obliges developers to request permission from end users before tracking them. Apps must show a system prompt to the user before they can retrieve the Identifier for Advertisers (“IDFA”), an alphanumeric identifier unique to the user’s device that advertisers use to track the user across apps and websites. Apple has introduced additional pro-privacy measures alongside this, for example prohibiting the sale of location data or email addresses to data brokers and the sharing of unique identifiers with third-party advertising networks.
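To make the mechanism concrete, the following is an added illustration written for this article, not Apple sample code or code from any app discussed here. It shows how an app would gate access to the IDFA behind the App Tracking Transparency prompt. The `TrackingGate` type and its method names are hypothetical; the framework calls (`ATTrackingManager.requestTrackingAuthorization` and `ASIdentifierManager.shared().advertisingIdentifier`) are Apple’s. It assumes the app’s Info.plist contains an `NSUserTrackingUsageDescription` entry, which iOS requires before it will show the prompt.

```swift
import AppTrackingTransparency
import AdSupport

/// Hypothetical helper (not Apple sample code): asks the user for
/// tracking permission once, then hands back the IDFA only if they agreed.
/// From iOS 14.5 the system returns an all-zero identifier whenever
/// tracking is not authorised, so a caller that forwards the raw value
/// to an ad SDK would be sending a meaningless ID. Treat zero as "none".
final class TrackingGate {
    static let zeroIDFA = "00000000-0000-0000-0000-000000000000"

    /// Calls `completion` with the IDFA string, or nil when the user has
    /// not authorised tracking (denied, restricted by policy, or undecided).
    static func requestIDFA(completion: @escaping (String?) -> Void) {
        guard #available(iOS 14, *) else {
            // Pre-ATT devices: only the old "Limit Ad Tracking" switch applies.
            let manager = ASIdentifierManager.shared()
            let allowed = manager.isAdvertisingTrackingEnabled
            completion(allowed ? manager.advertisingIdentifier.uuidString : nil)
            return
        }

        // The system shows the prompt the first time this is called; later
        // calls return the stored decision without prompting again.
        ATTrackingManager.requestTrackingAuthorization { status in
            switch status {
            case .authorized:
                let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
                // Defensive check: never pass a zeroed identifier downstream.
                completion(idfa == zeroIDFA ? nil : idfa)
            case .denied, .restricted, .notDetermined:
                completion(nil)
            @unknown default:
                completion(nil)
            }
        }
    }
}

// Usage (for example from a view controller once the app is active):
// TrackingGate.requestIDFA { idfa in
//     if let idfa = idfa {
//         // configure the advertising SDK with `idfa`
//     } else {
//         // fall back to non-personalised advertising
//     }
// }
```

Two practical points follow from this. The prompt is only displayed while the app is in the foreground and active, so it is normally requested after `applicationDidBecomeActive` rather than at launch, and the decision is made once per app install: a user who declines is not asked again unless they change the setting themselves.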

This development makes it much easier for users of Apple’s devices to opt out of tracking. Since its introduction it is estimated that around 95% of users worldwide are opting out (see here). However, Apple’s iOS accounts for only around 13% of the global mobile operating system market. Google’s Android operating system is dominant, holding most of the remainder.

Google has also announced plans to phase out third-party cookies in its Chrome browser and replace them with its ‘Privacy Sandbox’. Google is trying to address the problems with cookies while still allowing targeted advertising. Rather than deploying cookies, Google will allow companies to use five application programming interfaces (“APIs”) through which they can access aggregated user data. The underlying user data is kept within the user’s own browser rather than being sent to advertisers. There are concerns, however, that Google’s dominant position in online advertising means these changes will come at the expense of its competitors. The UK Competition and Markets Authority is investigating Google’s Privacy Sandbox to ensure it does not distort competition (see here).

When will the ePR come into effect?

The ‘trilogue’ negotiations between the EU Council, the European Parliament and the EU Commission on the final text will now begin. It is anticipated that they will conclude by the end of the year, but this is by no means certain. Once an informal trilogue agreement is reached, the European Parliament will have to formally adopt its first-reading position at a plenary session, followed by formal adoption by the Council.

The ePR, once it becomes EU law, is expected to apply around two years after it enters into force, giving companies time to put the new rules into effect.

If you would like any further information or advice, I can be contacted at: mstock@privacylawbarrister.com