Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee and the Joint Committee on Human Rights
Proposed Regulation on Privacy and Electronic Communications repealing Directive 2002/58/EC
Articles 16 and 114 TFEU; ordinary legislative procedure; QMV
Culture, Media and Sport
(38455), 5358/17 + ADDs 1–6, COM(17) 10
6.1 The content of electronic communications (e-comms) may reveal sensitive information about the individuals involved in the communication, from personal experience to medical conditions, sexual preferences, religious and political views. Disclosure could result in personal and social harm, even economic loss. The same applies to metadata derived from e-comms, including numbers called, websites visited, geographical location, time, date and durations of calls. This allows inferences to be drawn about private lives of the persons concerned. E-comms data may also reveal commercially sensitive information concerning business.
6.2 The proposed Regulation aims to update the existing ePrivacy Directive which was adopted in 2002. The Directive supplemented the 1995 Data Protection Directive by providing more specific privacy rules for the e-comms sector. These included rules on itemised billing and on unsolicited marketing calls and emails. Later amendments of the Directive have added new provisions about information being stored on and accessed from the user’s computer (such as cookies), and requirements about reporting data breaches. The Directive was transposed into UK law through the Privacy and Electronic Communications Regulations (PECR), which were last updated in 2016.
6.3 The proposal is linked to the new General Data Protection Regulation (GDPR) and therefore also has some relevance to the other data protection proposal addressed in chapter 5 of this Report, adapting GDPR rules for EU institutions, agencies and bodies.
6.4 The main changes under the new proposal include:
6.5 The Government provides us with an initial but comprehensive view of the proposal. However, it does not provide an impact checklist, nor address Brexit implications and only mentions in passing the recent CJEU ruling in Watson which concerned the current ePrivacy Directive.
6.6 We thank the Minister for Digital and Culture (Matthew Hancock) for his comprehensive Explanatory Memorandum on this important proposal.
6.7 The Government has said that the UK will comply with the new data protection Regulation by 25 May 2018, before Brexit. This is the date when the Commission also intends this proposal to apply, once adopted. In the light of this we would be grateful if the Minister could confirm whether the Government:
6.8 The Minister recalls in his account of the Commission’s review of the existing ePrivacy Directive:
“In addition, the evaluation also found potential overlaps with the GDPR, such as the provisions for data security and data breach notifications. The reform thus aims to remove contradictions and duplications between the instruments, reduce discretion for member states, as well as clarify the application of certain provisions.”
However, the respective scopes of the new GDPR and the proposed Regulation are not entirely clear to us and, by extension, may not be clear to duty-holders and data subjects. We are concerned about legal uncertainty which may become even more important after Brexit when the UK will have to consider what, if any, EU data protection law it wishes to retain in the longer term as UK law. So when the Minister next writes, please could he clarify, using practical examples where possible, when data relating to “electronic communications”, including metadata, would fall to be considered:
We would also be very interested to learn in due course whether there are any adverse consequences that might flow from scenarios (a)-(c), in terms of the level of legal protections provided to UK citizens or burdens imposed on UK business.
6.9 We note that the Minister questions whether it would have been better for the Commission to have chosen a Directive instead of a Regulation as the legal instrument for this new proposal. Given the proposal’s close links with the GDPR, we consider that adopting a different legislative form to the GDPR would create unhelpful enforcement and other inconsistencies for Data Protection Authorities like the Information Commissioner’s Office.
6.10 The Minister states at paragraph 46 of his EM:
“The government will fully consider the impact of the proposal on stakeholders and the Information Commissioner’s Office.”
There are also various statements made by the Minister in his EM about the Government assessing further whether the proposal is adding value or imposing disproportionate burdens in various areas. We therefore request the Minister to provide us with a copy of the Government’s Impact Checklist as soon as possible. It is clearly important that the UK is not burdened with having to comply with EU legislation that imposes unnecessary burdens for UK business, public authorities or regulators for what might only be a short period before Brexit.
6.11 In his Explanatory Memorandum, the Minister welcomes consultation with interested parties, but we would be interested to learn what formal and structured consultation the Government has undertaken with stakeholders so far. Did stakeholders feed into any Government submission to the Commission’s REFIT consultation? If possible, it would be helpful for us to see a copy of any submission.
6.12 We note that, just like the GDPR, the proposal will apply to providers outside the EU if they offer electronic communications services to EU end users. We observe that this extraterritoriality has the potential to affect the UK after Brexit, regardless of the specifics of the future UK-EU relationship.
6.13 We draw the Minister’s attention to paragraphs 6.22–6.26 of this Report where we analyse the CJEU’s preliminary ruling in the case of Watson v Secretary of State for the Home Department. This is clearly relevant to Article 15 of the current ePrivacy Directive and the drafting of Article 11 of the proposed Regulation (together with corresponding Recital 26). Could the Minister confirm that the proposed Article 11 strikes the right balance between the need to protect the fundamental rights of EU citizens to the standard of the EU Charter and the needs of Member States to retain data for national security and law enforcement purposes? We ask this particularly because, as the Minister himself highlights, there is no specific derogation in the proposal relating to data retention. This is striking considering the legal gap created when the Data Retention Directive was invalidated by the CJEU in the Digital Rights Ireland judgment.
6.14 In the meantime we ask the Minister to keep us informed of developments in the negotiations of this proposal.
6.15 We retain this document under scrutiny but draw it and this chapter to the attention of the Culture, Media and Sport Committee and the Joint Committee on Human Rights.
Proposal for a Regulation of the European Parliament and Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): (38455), 5358/17 + ADDs 1–6, COM(17) 10.
6.16 Two developments form the background to the proposed Regulation: the Commission’s REFIT review and the recent CJEU rulings in the data protection case of Watson and others v Home Secretary.
6.17 As part of preparation for the reform of the ePrivacy Directive, the Commission launched a public consultation on reform from 12 April 2016 until 5 July 2016. It also undertook an evaluation of the Directive, its purpose, and functioning, under the Regulatory Fitness and Performance Programme (REFIT). The Commission concluded from its evaluation that the ePrivacy Directive provided added value to the existing data protection framework through its specific emphasis on confidentiality of electronic communications and protection for legal persons.
6.18 However, it also identified various areas that merited reform due to being out of step with commercial, market, technological, and legal developments. In particular, the evaluation identified the rise and growth of “OTT” services and applications as being a key issue. The Commission therefore earmarked regulation of OTT services within the new proposal as a way of tackling the competitive advantage they are currently enjoying over electronic communications providers under the current Directive.
6.19 The evaluation also highlighted the development of technologies such as the Internet of Things, device fingerprinting, and mobile device Wifi tracking since the Directive was implemented. The Commission observes that although the GDPR would cover processing by these technologies if it involved personal data, it is unclear to what extent they are captured by the ePrivacy Directive. The reform thus aims to clarify how obligations apply to the new forms of processing and simplify and remove any outdated areas.
6.20 The Commission also assessed the legal framework for the ePrivacy Directive, including its implementation, enforcement, and relation to the GDPR. It held that the current rules, in particular the “cookie” provisions, had been applied in different ways by Member States, and that a split of supervision responsibilities between data protection authorities and telecoms regulators caused issues for enforcement. This had led to a fragmentation of standards across the EU.
6.21 Lastly, the Commission identified difficulties with how the existing rules worked in practice, in particular the provisions for consenting to cookies and the restrictions on unsolicited marketing calls. Since the “cookie law” amendment in 2009, many websites had put up banners on their website either asking users to consent to cookies or informing them about it. The Commission’s evaluation indicated that the current rules were somewhat inflexible towards cookies that posed a low risk to the user’s privacy and may also lead to “consent fatigue” on the part of users. For the provisions on unsolicited marketing calls, the evaluation identified that they were not fully succeeding in protecting individuals from unwanted marketing calls. The reform thus aims to enhance protection from such calls as well as simplifying the existing provisions for consenting to cookies.
6.22 On 21 December the CJEU gave its ruling in Watson and others v Secretary of State for the Home Department. This was in response to a request for a preliminary reference made by the UK Court of Appeal in the course of the judicial review (JR) challenging the UK’s Data Retention and Investigatory Powers Act 2014 (DRIPA). The UK reference was joined with a Swedish reference, the Tele2 Sverige proceedings, which raised similar questions.
6.23 DRIPA was introduced in the UK, as an emergency measure, following the CJEU’s invalidation of the Data Retention Directive (DRD) in the Digital Rights Ireland case. It authorises the Home Secretary to require public telecommunications operators to retain all communications data (but not its content) for a maximum period of 12 months.
6.24 The subsequent JR and the preliminary ruling concerned whether this general obligation is compatible with EU law, in particular the current ePrivacy Directive (2002/58/EC) and Articles 7 and 8 of the Charter (rights to private and family life and data protection respectively).
6.25 The CJEU ruled that general retention obligations are prohibited by EU law and only targeted retention can be required for the purpose of fighting serious crime and subject to further strict conditions: retention had to be limited to what was strictly necessary as reflected in the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted. Additionally, the Court commented that review of the 2002 Directive can only take into account the provisions of the Charter and as such, Article 52(3) of the Charter does not prevent EU law from providing more extensive protection than the ECHR.
6.26 The judgment has direct implications for the Investigatory Powers Act 2016 (IPA) while the UK remains a Member State and could also affect the important data protection elements of any Brexit agreements.
6.27 Article 15(1) of the Directive entitled “Application of certain provisions of Directive 95/46/EC” currently provides for exceptions to the confidentiality of e-comms:
“Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system....To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph (our underlining). All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.”
6.28 New Article 11(1) of the proposal (and its corresponding Recital) appears to have been drafted to take into consideration the CJEU’s Watson judgment on DRIPA and Digital Rights Ireland judgment on the Data Retention Directive, adding a specific reference to needing to respect “the essence of the fundamental rights and freedom” in a democratic society. However, as the Minister highlights in his Explanatory Memorandum, there is no specific derogation for data retention, which seems to us striking given the invalidation of the DRD in Digital Rights Ireland. Article 11(1) states:
“Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 5 to 8 where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1)(a) to (e) of Regulation (EU) 2016/679 [the GDPR] or a monitoring, inspection or regulatory function connected to the exercise of official authority for such interests.”
6.29 Recital 26 explains this provision more fully:
“....this Regulation should not affect the ability of Member States to carry out lawful interception of electronic communications or take other measures, if necessary and proportionate to safeguard the public interests mentioned above, in accordance with the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms, as interpreted by the Court of Justice of the European Union and of the European Court of Human Rights.”
6.30 The ruling highlights the following possible post-Brexit implications for the UK in the field of data protection and ePrivacy:
6.31 Reflecting the Commission’s REFIT conclusions, the key changes in the proposal include:
6.32 In an Explanatory Memorandum of 31 January 2017, the Minister of State for Digital and Culture (Matthew Hancock) first gives an account of the Commission’s review of the current Directive (paragraphs 6.17–6.21) and identifies the key changes in the proposal (paragraph 6.31).
6.33 He then rehearses the Government’s standard statement on the UK’s position in the EU as a Member State following the Referendum outcome. He clarifies that if the Commission succeeds in its aim of having the proposal come into force in May 2018 with the GDPR, and exit negotiations are still ongoing, then the proposed Regulation will be directly applicable in the UK before Brexit.
6.34 The Minister sets out the policy implications for the UK of the proposal under the following headings.
6.35 The proposal aims to level the playing field as between OTT providers and e-comms providers by:
6.36 The Minister adds that the Government:
6.37 The Commission proposals aim to reduce the amount of cookie consent pop-ups and banners by simplifying the existing rules. The Minister says that the Government:
6.38 The Commission proposal aims to tackle nuisance calls and other unsolicited marketing communication such as email spam. The Minister comments that:
6.39 The proposal requires specific legal bases for processing electronic communications data, which must be erased immediately after the communication is complete, unless a further justification for retaining it remains.
6.40 The Minister explains that the term “electronic communications data” replaces the previous definitions of traffic data and location data, which were found to confuse users and industry according to the Commission’s evaluation. The new definition is itself broken up into two categories: metadata and content data. The proposal permits processing without consent if it is to maintain security of the service or to detect errors after the communication has been sent. However, it places restrictions on “content scanning”, including services that scan email messages to remove certain material. The Government wants to consider these proposals further. It will look particularly at whether an unwarranted burden is placed on providers by the requirement to consult the supervisory authority for scanning services that the user has already consented to.
6.41 The Minister explains that the current rules permit Member States to set their own administrative fine levels. The proposal limits the types of fines for which Member States have discretion, and it establishes a tiered system for other infringements. The Government will review the proposed tier-based fine sanction to ensure that it is comprehensible, and that the suggested sanctions match the gravity of the infringement.
6.42 The proposal also requires data protection authorities to be the sole regulator in Member States, and for the GDPR’s one stop shop system, including the European Data Protection Board (EDPB) to be used for cross-border disputes. While the Information Commissioner’s Office currently regulates PECR, the Government will consider carefully any further burden that the proposals may place on it, and on the workload of the EDPB.
6.43 The Minister describes how the proposal sets out a list of purposes for which Member States may legislate derogations or restrictions of various articles in the measure. He observes that the list of restrictions or derogations is not completely aligned with those of the GDPR. Derogations missing from the proposal but allowed by the GDPR include processing for the protection of the data subject or the rights and freedoms of others, as well as processing to prevent breaches of ethics for regulated professions.
6.44 The Commission proposal notes that it has maintained the substance of the derogations in the ePrivacy Directive as well as bringing them up to date with the GDPR.
6.45 The Minister says that the proposal’s explanatory memorandum highlights these derogations in the context of there being no specific provisions for data retention. It observes that the derogations permit Member States to have national data retention frameworks, provided that these comply with relevant obligations, including case-law of the Court of Justice of the European Union, such as Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others; and Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB and Secretary of State for the Home Department.
6.46 He adds that the Government will carefully scrutinise the proposed list of derogations and assess whether it may need to cover more processing situations, such as those envisaged under the GDPR derogations.
6.47 The Minister explains that the Commission has chosen to replace the Directive with a directly applicable Regulation in order to achieve greater harmonisation of the rules and avoid legal confusion with the GDPR. He highlights that the Government is not convinced that a Regulation is required to achieve the proposal’s goals. It will also scrutinise areas of overlap with the GDPR to see if further simplification can be made.
6.48 The Minister states that the proposals will apply to providers outside the EU if they offer e-comms services to EU users. This aligns the proposal with the GDPR and also ensures that more OTT providers, who are often located in third countries, are covered. He says that the Government will carefully review the extraterritorial extension of the scope.
6.49 The Minister now comments on the Commission’s Impact Assessment. He says:
6.50 The Minister reassures us that the Government will assess the potential financial impact of the proposal, including any further costs for the Information Commissioner’s Office.
6.51 The Minister says that the Government will welcome the views of interested parties to inform its approach to the proposed reform.
47 Cookies are small pieces of data that a browser can be asked to save/store when a user visits a website. Cookies will then allow the website to recognise the device when a user visits again and so to gain a better idea of his/her preferences over time and to use the information for targeted advertising. There are many types of cookies, classified according to their lifespan or to which domain is hosting the cookies.
48 By a 2009 Directive (2009/136/EC) and Commission Regulation (611/2013).
51 Proposed Regulation on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC: (38446), 5034/17, COM(17) 8.
52 In other words, without having to pay them.
53 They fall outside of the definition of “electronic communications services” under the current ePrivacy Directive.
54 These have become popular substitutes for traditional telecoms services, e.g. online chat applications instead of mobile SMS, and Voice over IP technology (VoIP) instead of telephone calls.
55 Joined Cases: Tele2 Sverige AB v Post- och telestyrelsen; Watson and Others v Secretary of State for the Home Department.
56 For example, when the Minister gave evidence to the Internal Market Sub-Committee of the Lords’ European Union Committee on 19 January 2017, see .
57 Joined Cases: Tele2 Sverige AB v Post- och telestyrelsen; Watson and Others v Secretary of State for the Home Department.
58 Charter of Fundamental Rights of the European Union.
59 Joined cases C-293/12 and C-594/12.
60 Joined Cases: Tele2 Sverige AB v Post- och telestyrelsen; Watson and Others v Secretary of State for the Home Department.
61 Joined Cases: Tele2 Sverige AB v Post- och telestyrelsen; Watson and Others v Secretary of State for the Home Department.
63 Digital Rights Ireland and Others.
64 Article 15 of the Directive provided for exceptions to the confidentiality of e-communications. However, as Member States took diverging approaches to Article 15, the Data Retention Directive (“DRD” 2006/24) was enacted. Once the CJEU ruled that the DRD was invalid for being incompatible with the EU Charter of Fundamental Rights, this left a question as to what Member States could require as part of national regimes for data retention under Article 15, in the light of the Charter.
65 DRIPA was subject to a sunset clause providing for the Act to be repealed on 31 December 2016. During its passage, the Government committed to bringing forward new legislation to provide an updated framework for the use by the security and intelligence agencies, law enforcement and other public authorities of investigatory powers to obtain communications data. The new IPA legislation received Royal Assent on 29 November. It followed a review by the Independent Reviewer of Terrorism Legislation, David Anderson QC, into the existing laws relating to investigatory powers. IPA contains powers covering the interception of communications, the retention and acquisition of communications data, and equipment interference for obtaining communications and other data. It also makes provision relating to the security and intelligence agencies’ retention and examination of bulk personal datasets. Many of IPA’s provisions are now in force, including those in Part 4 relating to the retention of communications data.
66 Together with Schrems and Digital Rights Ireland.
67 See footnote 23.
68 £16,987,000, based on an exchange rate of €1 = £0.84935.
69 On 23 June, the EU referendum took place, and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period, the Government will continue to negotiate, implement, and apply EU legislation. The outcome of the exit negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.
70 This is composed of representatives of the national data protection authorities (DPA), the EDPS and the European Commission.
71 Our understanding is that first party cookies are those placed by the visited website and essentially aim at improving efficiency and the user’s experience. Third party cookies are those hosted by a domain that is not the same as the visited page’s domain and are used by advertising networks to monitor behaviour and target advertising.
10 February 2017