Cable Europe welcomes the European Commission’s consultation on the evaluation and review of the ePrivacy Directive (ePD).
The Commission’s survey aims at gathering input for the evaluation process of the ePD and at seeking views on the possible solution for its revision.
Cable Europe supports the Commission’s exercise in the context of its REFIT programme and would like to present the comments below. They are in line with Cable Europe’s response to the Commission’s consultation on the review of the EU Telecoms Framework (submitted to the Commission in December 2015) and with the Joint Industry Statement on the ePD issued on 5 July 2016 together with ETNO, GSMA, ECTA, EuroISPA and other digital associations.
The ePrivacy Directive in light of the GDPR
The GDPR is the most recent response of the EU legislator to the challenges brought by technological developments and globalization which are revolutionizing the scale of the collection and sharing of personal data. The EU legislator acknowledged that such developments require a strong and more coherent data protection framework which is now enshrined in the GDPR. On the day of the adoption of the GDPR, the Commission stated ‘our work in creating first-rate data protection rules providing for the world’s highest standard of protection is complete’. Cable Europe agrees with the Commission that the horizontal (and technological neutral) rules of the GDPR are the state-of-the-art for protecting individuals and for enabling the Digital Single Market. Furthermore, Cable Europe also considers that the ePD should be repealed (see specific comments below). This approach is also put forward by academia, namely by Prof. P. Larouche, Prof. M. Peitz and Dr. N. Purtova in a recent CERRE study on ‘Consumer Privacy in Network Industries’.
In the view of our members, rather than focusing on revising the ePrivacy rules, the Commission should focus on the implementation of the new standards contained in the GDPR.
Level Playing Field
Firms in other sectors, such as Over-The-Top (OTTs) players, provide consumers similar functionalities as cable operators but they are not subject to sector specific data privacy rules, thereby distorting competition. However, our members consider that a level playing field among all market players does not necessarily need to be achieved by extending the ePD to OTTs as these are covered by the horizontal rules of the GDPR. In addition, the GDPR, by virtue of its territorial scope of application, protects data subjects also in cases where a controller or a processor is not established in the Union, which is particularly relevant in relation to global OTT players. Although we believe that the ePD should be repealed, if, and to the extent that any rules of the ePD survive, we consider that they should be extended to OTTs.
Most rules of the ePD are either addressed in the GDPR (or in other EU instruments), are out-of-date (and could be repealed), or, depending on the provisions concerned, could be re-instated in other EU legal instruments, such as the Unfair Commercial Practices Directive or the revised regulatory framework on electronic communications. More specifically:
- Article 7 (itemised billing), and Article 12 (directories), and Article 13 (unsolicited commercial communications) should be repealed or, if this solution is not endorsed by the EU legislator, should more comfortably sit in the revised regulatory framework on electronic communications.
- Article 11 (automatic call forwarding) should be deleted as it out-of-date.
- Article 5(1) on confidentiality of communications could be re-instated in another EU legal instrument, if close scrutiny suggested that the GDPR does not offer sufficient guarantees of protection. The same could apply in relation to Article 5(3) on cookies. Although our members do not support a review of the definition of Electronic Communications Services, we believe that a clarification is necessary in order to make confidentiality of communications apply to OTTs.
- Article 4 (security), article 6 (traffic data), article 9 (location data) should be deleted as these issues are now covered by the GDPR namely by its provisions on security, profiling, data breach notification, and the definition of personal data which now contains a specific reference to location data. In addition, the security obligations in the Framework Directive and in some cases also in the future Directive on Network and Information Security are also relevant for repealing Article 4.
* * *
This paper represents the views of the full members of Cable Europe, and not necessarily those of our associate members, partners or affiliates.