Brussels Privacy Hub Workshop Summary
What is to be done with the ePrivacy Directive?
Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB
On 27 October 2016, the Brussels Privacy Hub hosted a workshop on the ePrivacy Directive at the Institute of European Studies, the Vrije Universiteit Brussel. The workshop was part of the BPH Workshops Series on the Implementation of the GDPR. In particular, the workshop questioned: “What is to be done with the ePrivacy Directive?”. The timely question attracted 31 participants representing industry, civil society, academia and national data protection authorities.
The European Commission initiated the revision process of the ePrivacy Directive (Directive), shortly after the political agreement on the General Data Protection Regulation (GDPR) was reached in December 2015. The revision process aims at ensuring consistency of the Directive with the GDPR, provided that the two legislative tools constitute the EU Data Protection Framework. A revision of the Directive was also listed among the action points of the Digital Single Market Strategy. It is estimated that the European Commission will put forward its proposal to update the Directive in early 2017.
To attain the objective of the workshop and to answer the question “What is to be done with the ePrivacy Directive?”, three experts gave high-level presentations outlining the key concerns related to the ePrivacy Directive. In general, the expressed concerns can be grouped into i) aspects related to the protection of personal data and ii) aspects of security and confidentiality of communications. After the presentations, the participants engaged in a debate on the future of the ePrivacy Directive. In anticipation of the publication of a legislative proposal, the participants addressed the following topics:
- The scope of ePrivacy rules: One suggestion referred to extending the scope of the ePrivacy Directive by including the over-the-top service providers (OTT) as they offer Internet-based communications services. It was argued that by placing specific obligations on providers of public electronic communications networks, one would enhance the protection of privacy, personal data and confidentiality of communications. Also, some participants questioned whether security challenges posed by Internet of Things (IoT) applications and public Wifi access points should be addressed within the scope of ePrivacy rules?
- A governing instrument: The participants discussed the possibility of having a different regulatory instrument for the revised ePrivacy rules. It was suggested that a “Regulation” would be a more appropriate measure that could ensure better consistency and enforcement of the EU Data Protection Framework. Indeed, is a Directive an appropriate legislative measure, in light of the recently adopted GDPR?
- A more efficient enforcement mechanism: On several occasions the participants advocated for the allocation of one single national authority that would be responsible for the enforcement of ePrivacy rules. This would improve the current situation where in many Member Sates both telecommunications regulators and data protection authorities enforce ePrivacy rules. It was suggested that national data protection authorities would be best placed to ensure compliance with the ePrivacy rules.
The Brussels Privacy Hub intends to follow up on the revision process of the ePrivacy Directive and organise more debates after the European Commission publishes its proposal.