The European Parliament is presently debating the draft of an E-Privacy Regulation that the European Commission is suggesting. The scope of the draft goes far beyond the GDPR as it would not only apply to personal data but to all communication data including machine-to-machine communication.

The E-Privacy draft relies heavily on consent. Such emphasis on consent bluntly contradicts the GDPR. The ill-advised E-Privacy plans of the European Commission would be bound to create confusion and uncertainty.

The Trouble with Consent

There are many good reasons not to trust consent:

• Consent is easy. A tick in the box, that is all.
• Consent is uninformed. Who seriously reads the fine print?
• Consent is black and white. Take it or leave it.
• Consent is lazy. Yes or no. It is left to the individual to protect his or her own privacy.
• Consent is middle class. Consumers with low income cannot afford to pay for ad-free services.

The GDPR does not trust Consent

Consequently, the GDPR does not encourage consent. According to Art. 6 GDPR, there are six grounds why the processing of personal data can be lawful. Consent is only one of them. And consent may be invalid when there is a “clear imbalance” between the citizen and the company asking for consent. Consent may also be invalid when it is given in connection with a contract and extends to data that is not necessary for the performance of the contract.

E-Privacy is all about Consent

The European Commission now wants to introduce rules on E-Privacy that rely heavily on consent. Whenever data is processed in connection with an electronic communications service, E-Privacy is to supersede the GDPR. As a rule, data processing will require consent from all parties involved (sender and recipient). Legitimate interests, the performance of a contract or a statutory duty will not be valid ground fors data processing.

The scope of E-Privacy will be wide

E-Privacy is not just about cookies. The European Commission wants to expand the scope of E-Privacy substantially:

• The current “cookie consent” rule is to be extended to any “collection of information from end-users’ terminal equipment”. This in fact means that all methods of online tracking and all tracking tools will require users’ consent.
• For any processing of communications data, the service provider will, as a rule, need consent from both parties involved (sender and recipient).
• The consent requirement does not only apply when personal data is processed. It also applies to the processing of the data of “legal persons”. And it even applies to the processing of machine data without any connection to a – natural or “legal” – person.
• The consent requirement does not only apply to human interaction but also to machine-to-machine communication. Connected car, smart home and smart city services are to require consent. Users are likely to be inundated with consent requests.

Further reading:

https://www.cr-online.de/blog/2017/03/06/e-privacy-regulation-nine-flaws-that-should-be-corrected/

https://www.cr-online.de/blog/2017/03/05/ueber-das-ziel-hinaus-e-privacy-verordnung/ (German)

https://anwaltverein.de/de/newsroom/sn-29-17-stellungnahme-zur-eprivacy-vo