DIGITALEUROPEs initial views on the European Commissions proposal for an ePrivacy Regulation final

OVERALL VIEWS

The ePR will have far reaching effects on how electronic communications and many online services operate in the EU. The Regulation will extend obligations that are significantly more stringent than what currently apply to telecom operators to all over-the-top (“OTT”) communications services, machine-to-machine (“M2M”) applications, and content services with communications capability such as video games, dating apps and ecommerce sites with built-in chat features. It will also require browsers, mobile apps and many other types of software enabling electronic communications to obtain end-users’ opt-in consent upon installation, effectively disregarding other legal bases for data processing. Such a wide extension of both scope and the nature of the obligations will have a significant impact on all industry sectors relying on data driven innovation.

While we recognise the importance of the confidentiality of communications as a component of the right to respect for one’s private and family life, it is not clear what is so specific about the sectors covered by this Regulation that requires a standalone instrument independent from the horizontally applicable GDPR. The GDPR includes both an explicit ‘integrity and confidentiality’ principle and implicit confidentiality protections in the grounds for processing personal data. Moreover, the GDPR is technology and sector neutral, determines safeguards and requirements according to the risk presented and makes a specific distinction for high-risk data. Other sectors are arguably processing more sensitive data – such as healthcare or finance – but are quite rightly determined to be sufficiently covered by the general framework.

We would also like to recall that the Charter of Fundamental right treats the right to privacy and the protection of personal data and the right to the confidentiality of communication as equally important rights. It is thus unclear why the protections afforded by the GDPR are considered insufficient and require a significant rewrite in the ePR proposal.

We believe the proposed ePR should be withdrawn and the current ePrivacy Directive (“ePD”) be repealed.