New EU legislation on e-privacy: what will happen with cookies?
Wednesday, 11 January 2017
The European Commission is proposing new legislation to ensure stronger privacy in all electronic communications. The proposed Regulation on Privacy and Electronic Communications will replace the so-called ePrivacy directive from 2009 and is expected to increase the protection of people’s private life and open up new opportunities for business.
The Commission refers to a recent Eurobarometer survey in which 92% of the respondents said that it is important or very important that personal information on their computer, smartphone or tablet can only be accessed with their permission. The same percentage also stated that it is important or very important that the confidentiality of their e-mails and online instant messaging is guaranteed.
“Our proposals will complete the EU data protection framework,” said First Vice-President Timmermans yesterday (10 January). “They will ensure that the privacy of electronic communications is protected by up to date and effective rules, and that European institutions will apply the same high standards that we expect from our Member States.”
According to the proposal, privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber. Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location).
The proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. As regards spam, Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list.
The so-called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks.
However, no consent is needed for non-privacy intrusive cookies improving internet experience or tracking user behavior (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
Expecting objections from both internet companies and internet users, Andrus Ansip, the EU Digital Single Market Commissioner, said that the draft regulation strikes the right balance. “It provides a high level of protection for consumers, while allowing businesses to innovate.”
With the presentation of the proposals yesterday, the Commission is calling on the European Parliament and the Council to work swiftly and to ensure their smooth adoption by 25 May 2018. The new rules will be enforced by the Data Protection Authorities in the Member States.