The draft E-Privacy Regulation (EPR) that the European Commission published in January contains a number of flaws that will, hopefully, be addressed and corrected. Nine flaws can be clearly identified, chances are that there are futher flaws that need to be pinpointed and discussed.

1. Art. 5 – Protection against communication instead of protection of communication

Art. 5 EPR extends the scope of the Regulation to “data processing”. European citizens are to be protected not only from “interception and surveillance” (Art. 5 E-Privacy Directive) but – more generally from the “processing of electronic communications data”.

This is a major flaw. Interception and surveillance are serious interferences in confidential communications. Mere data processing does clearly not constitute such an interferecnce.

On the contrary: The “processing of electronic communications data” is what telecommunication is all about. Telecommunication needs to be protected against interference by the state and by providers. European citizens do, however, not need to be protected against telecommunication. The EPR should protect telecommunication but not protect citizens against telecommunication.

2. Art. 6 – Restrictions make sense for metadata but not for content

While it makes sense to demand a legal justification for the processing of metadata (parallel to Art. 6 GDPR), such justification should not be necessary for “communication content”. Asking for such justification, in essence, means that the use of telco services will, on principle, be illegal and only lawful when the conditions of Art. 6 (1) or Art. 6 (3) EPR are met. Again, this comes down to protecting citizens against communication instead of protecting communication against interference, interception and surveillance.

3. Art. 6 (1) and (3) – It is unclear under which conditions consent is required

Art. 6 (3) (a) EPR demands both “consent” of end-user(s) and the necessity of data processing as conditions for the “processing of electronic communications content”. At the same time, Art. 6 (1) (a) EPR only demands “necessity” for the „processing of electronic communications data” (which includes content, Art. 4 (3) (a) EPR). Therefore, it is unclear if and under what conditions consent is necessary. Moreover, it is unclear whose consent is necessary – just the consent of the person sending a message or also the recepient’s consent?

4. Art. 6 (3) (b) – Demanding consent for scanning means demanding the spammer’s consent for spam filters

Art. 6 (3) (b) EPR is overbroad and unclear. According to the provision, the provider who wants to scan messages needs the consent of both the person who sent the message and of the recipient. This would mean that software that filters out spam mails may only be used if the spammers have given consent to such use. As spammers have no reason or incentive to do so, we could all expect our e-mail accounts to be flooded with spam mails for lack of legal spam filter technology.

Art. 6 (3) (b) EPR also demands the anonymization of personal messages before they are scanned without defining the standard of such anonymization. Should such standard demand that re-identification is made impossible, such a standard will often be impossible to meet. The content of electronic messages is mostly personal, sometimes very personal, and re-identifaction will often be easy even when the name of sender and recipient are erased.

5. Art. 6 – The relevance of the GDPR is unclear

As Art. 6 EPR is clearly drafted in data protection terms, it is unclear what that means for applicable provisions of the GDPR. If Art. 6 EPR is to be the equivalent of Art. 6 GDPR, it is unclear why “legitimate interests” are to suffice for data processing under the GDPR but not under the EPR. Also, it is unclear if and to what extent the general principles of Art. 5 GDPR apply. Is there a duty of “data minimisation” under the EPR (Art. 5 (1) (c) GDPR)? What would the duty of “accuracy” mean for a telco provider (Art. 5 (1) (d) GDPR)?

6. Art. 8 – The relevance of the GDPR for cookies is unclear

Art. 8 EPR contains extensive rules for the use of cookies. At the same time, cookies are “online identifiers” so that the GDPR applies (Art. 4 (1) GDPR).

It is unclear if the use of cookies is to be always lawful when the conditions of Art. 8 EPR are met or whether cookies need to meet both the standards of the EPR and the GDPR.

7. Art. 9 – Who gives consent when device is owned by a company?

In many cases, the devices covered by Art. 8 to 10 EPR will be owned by companies (“legal persons”). When a “person” is the owner, it is unclear whose consent is needed. If the consent of the “legal person” (or its CEO) is required, the requirement cannnot be justified with the protection of privacy as there are no safeguards that a CEO will be protective of the privacy of his employees. If the consent of the actual user of the device is required, it is unclear how to deal with devices that change hands. How can a service provider know whether a device has changed hands so that consent needs to be renewed?

8. Art. 9 – Why so much focus on consent?

Under the GDPR, cookie consent will often be invalid as cookies are not always necessary for the performance of a contract. Moreover, there will often be a “clear imbalance” between the company processing cookies and the individual (Recital 43 GDPR). The GDPR does not, however, rely on consent. In many cases data processing will be lawful without consent on the basis of “legitimate interests” (Art. 6 (1) (f) GDPR.

According to the EPR, consent shall be (nearly) always required for the use of cookies although such consent will clearly be invalid under the GDPR and although the EPR does not provide for “legitimate interests “ as an alternative basis of lawful data processing.

9. Art. 11 – Quiet introduction of wiretapping duties for OTT providers

The EPR is to apply not only to traditional telco providers but also to OTT providers. The European Commission calls this “level playing field”. When providers of instant messenger sevices compete with telco providers who offer SMS services, it is hard to argue that there should be different rules in telecommunication law.

Art. 11 EPR provides for exceptions on the basis of the laws of member states on legal interception. As the scope of the EPR is extended to OTTs this means that OTTs will have to “establish internal procedures for responding to requests for access to end-users’ electronic communications data” (Art. 11 (2) EPR). Therefore, legal interception of messenger services, of VoIP services and of web mail services will be introduced in all of Europe, and providers will be under a duty of co-operating with law enforcement agencies and secret services all over Europe. This is a consequence of the EPR proposal that needs to be broadly discussed because of the civil liberties implications. Morevover, compliance with the new duties will be a serious cost problem for small companies and start-ups on the OTT market. It will be even more difficult for them to compete with the big (US) players in the OTT field.

The “level playing field” must not be an excuse for (quietly) enabling the wiretapping of OTT providers. OTT providers should, at least, be exempted from any statutory rules that ban encryption or that put providers under a duty not to demand encryption from their customers.