Review of the ePrivacy Directive

Briefing 03-02-2017

The technological, economic and social landscape has significantly changed since the adoption of Directive 2002/58 on privacy in electronic communications. In spite of targeted amendments adopted in 2009, the current text of the directive does not entirely reflect recent evolutions in the sector and in consumers' habits. Some of the most notable changes in this respect include the entry of new types of players on the market and the widespread usage of internet-based services, such as instant messaging, with a potential impact on the effectiveness of existing ePrivacy rules. In addition, the adoption of the General Data Protection Regulation in 2016 has altered the legislative framework on data protection, possibly calling into question the relevance and continued coherence of the ePrivacy Directive with the new legislation. Evidence collected to evaluate the effectiveness, efficiency, coherence, relevance and EU added value of Directive 2002/58, as well as the feedback gathered by the European Commission through targeted workshops, an online public consultation and a Eurobarometer survey, have confirmed the existence of various challenges. These were also raised during a dedicated conference organised by the European Parliament in 2015. In particular, some of the key provisions of the directive have not been fully effective in delivering the intended levels of confidentiality and protection envisaged by the legislator. This is the case of Article 5(3), for instance, on cookies and other techniques to store and access information on users' equipment, a point that was raised on various occasions also by the Members of the European Parliament. Moreover, it appears that some parts of Directive 2002/58 have become technologically obsolete or that better legal approaches have been adopted in the meantime. Finally, an analysis of the implementation of EU ePrivacy rules in the Member States pointed to various degrees of legal fragmentation, the coexistence of different levels of protection across the EU, and a complex governance structure with responsibilities for implementation and enforcement allocated to different types of authorities, at times even within the same country. Overall, this has contributed to a lack of legal certainty and clarity, and the absence of a level playing field across Europe. On the other hand, the EU added value and the overall relevance of having dedicated provisions protecting privacy and ensuring the practical application of Article 7 of the Charter of Fundamental Rights of the European Union, was repeatedly confirmed. Indeed, a modernisation of the current rules is a central component of the EU's digital single market strategy, and is expected to restore and increase citizens' and businesses' trust in the digital environment. On 10 January 2017, the European Commission adopted a proposal to repeal Directive 2002/58 and replace it with a regulation to address several of the issues outlined above, to simplify existing rules and to make them future-proof. The co-legislators will now have the task of finding a balance between the various conflicting positions and expectations that have emerged throughout the process leading to the directive's review.