DIGITALEUROPE views on the Review of the ePrivacy Directive

EXECUTIVE SUMMARY

DIGITALEUROPE as the voice of Europe’s digital technology industry welcomes the opportunity to work closely with the EU Institutions as they review and assess the ePrivacy Directive (“ePD”). Our members are committed to the highest standard of data protection, privacy, security and integrity of the digital ecosystem. However, for Europe to attract and sustain the world’s best technology companies that can contribute to a strong digital economy, businesses need a regulatory environment which is not only predictable, but avoids unnecessary burdens and overlaps with existing legislation. As the EU Institutions continue to understand and consider the future role of the ePD, DIGITALEUROPE believes any future actions by policy makers should take into consideration the following:

1. The Future of ePrivacy – The priority of the review should be to achieve simplification of the legal framework and consistency with other legal instruments. To the extent that any of the provisions of the ePD are still necessary, these could be integrated into other legal instruments, such as the European Electronic Communications Code.

2. Scope – The potential extension of scope to cover OTTs, IoT devices, and M2M communications is not necessary to ensure the appropriate level of protection for consumers.

3. Security – The security provisions under the GDPR have the exact same objectives as the ePD. Keeping Article 4 or any version of this provision would only duplicate existing requirements.

4. Traffic & Location Data – Maintaining a separate set of rules on traffic and location data and extending it to some new services would considerably increase legal uncertainty, as two sets of regulatory requirements would be now applicable to the exact same data sets.

5. Ensuring Confidentiality of Communications – A more focused approach on confidentiality requirements is needed when considering the practical implications on network operators and providers of services who rely on third party connections. If a broad expansion of confidentiality occurs, derogations must be provided to allow for legitimate activities of service providers.

6. Confidentiality & Law Enforcement – The right to the confidentiality of communication should not only apply to the commercial context alone. The protection granted by the Charter is universal and should also be ensured in the law enforcement and national security context. Any mandate requiring service providers to reverse engineer, provide back doors and any other measures to weaken their security/encryption measures should be explicitly prohibited.

7. Device Data (including “Cookies”) – Any suggestions that would seek to prohibit businesses from preventing access to their services if the user refuses to accept a cookie must be avoided. This would not only disproportionately interfere with the freedom to conduct a business and the freedom of contract, but also undercut the EU’s competitiveness in the data-driven and knowledge-based digital economy.

8. Enforcement – Enforcement powers should be conferred on the public agency that is the most competent in the matter at hand. Issues related to personal data should solely be dealt with by national data protection authorities.