The (Draft) ePrivacy Regulation 2018/9


1 The (Draft) ePrivacy Regulation 2018/9
11/11/2018 Andrew Cormack, Chief Regulatory Adviser, Jisc

2 History
1995: Data Protection Directive (95/46/EC)
2002: ePrivacy Directive (2002/58/EC)
  “DPD for networks”: also spyware, security requirements, CLI blocking, spam
2009: revised ePrivacy Directive
  “cookie law”: also breach notification, robocalls
2016: GDPR, incorporating much of ePD
2017: draft ePrivacy Regulation
  Again, parking for new ideas/old battles
  E.g. Parliament use it to express disapproval of crypto backdoors…

3 Current State (September 2018)
EU Commission: text published Jan 2017
  Planned in force 25th May 2018
EU Parliament: 168 amendments agreed Dec 2017
  Mostly strengthening privacy (tracking walls/signals, privacy by design)
  Including positive support for security (network CIA, device patching)
EU Council: next meeting, soon; “status report” in December
  Amendments popping in and out of proposed text

4 Intended Scope
EU Commission (Jan 2017)
New Players: OTT services that look like phone/messaging
Stronger Rules: Regulation rather than Directive
Content and Metadata
New Business Opportunities: all based on user consent…
Cookie simplification: “cookie fatigue”
Spam protection: opt-in for all electronic media, possible mandatory marking
Enforcement: by DPAs

5 Actual Scope
According to Council of Ministers Article 2(1), 4th May 2018
(a) “processing of electronic communications content [&] metadata carried out in connection with the provision and use of electronic communications services” &
(b) “end-users’ terminal equipment information” &
(c) “placing on the market of software permitting electronic communications” &
(d) “the offering of a publicly available directory of end-users” &
(e) “the sending direct marketing communications”. (sic)
Not (by Art.2(2)(c)) “electronic communications services which are not publicly available”
But HE/FEIs probably do quite a lot that is covered

6 Areas of Interest
Legal basis
Marketing
Cookies
Location data
Browsers
Security
GDPR relationship
Directories

7 Legal Bases for Processing Communications Data
Art.6
COM/PAR limit these to
  Consent, or
  Necessary for service (specific form of contract), or
  Necessary for security (not as legitimate interest, so no balancing test!)
COU: Gradually restoring all the GDPR bases
  Vital Interests, Legitimate Interests, Public Interests, Contract
  Member States can choose on Legal Obligation

8 Marketing
According to Council of Ministers Article 2(1), 4th May 2018
Re-fighting all the same old wars
  But now applies to all communications data/all digital media
COM: note that GDPR allows (some) marketing as legitimate interest
PAR: only by opt-in consent
COU: at least as wide as current Directive (details change per month)
  Suggestion to put a fixed time limit on soft opt-in
  Indecisive whether “presented” messages (as opposed to “sent”) are covered

9 Cookies (I): Permitted Purposes
Art 8(1)
With user consent
  NEW: “consent” as defined in GDPR
Necessary to provide a service requested by the user
  e.g. shopping carts, authentication, UI preference, multi-media sessions, …
Necessary for transmission
  e.g. load-balancers
NEW: Necessary for “audience measuring”
  But only if done by/on behalf of the service provider

10 Cookies (II): Principles
Cookie walls (i.e. no service unless you accept cookies)
  PAR want to ban these; COU OK, under [un]certain conditions
Cookie processing
  Now explicit that ePrivacy law only regulates storage/reading
  GDPR regulates processing of resulting data
  So know legal basis (not limited to consent)
  Ensure you meet its obligations, e.g. notice, rights of rectification, portability, etc.
  See Cormack (2017) in 14(2) ScriptEd

11 Browsers and other software
Art.10
“Software placed on the market permitting electronic communications” must offer option to prevent storage other than by end-user
  PAR: which is set to “no” by default
  COU: which must inform user on installation and updates
Industry belatedly realises this favours the big browsers/advertisers…
Unclear to me who it’ll be enforced against anyway
[Jul.18 COU still “lot of concerns”, proposes to delete it!]

12 Location Data
Art. 6(2)(f) & Art 8(2)
May be both “communications metadata” and “terminal equipment information”
Can process
  To establish/maintain communication (e.g. mobile phone cell), or
  With user consent (e.g. where’s nearest free terminal?), or
  For “statistical counting” (e.g. how long is queue at security?), or
  For “scientific research” (COU) (subject to safeguards)
[Jul.18 COU proposes punting “statistical counting” and “research” to MS law!]

13 Network and Information Security
Arts 5, 6, 8
Very supportive intention
  Mentions NIS, unauthorised access, DDoS, malware, virus, spam, patches, etc.
But text is much less clear
  Starts with a ban on processing electronic communications data
  Only relaxes this for network operators (not websites, employers, etc.)
  Self-contradictory whether others are covered by ban or not
Regulators have adopted security-helpful interpretations of previous laws
  Paper currently being peer-reviewed…

14 Relation to GDPR
Rec.2a, etc.
Which data?
  ePrivacy Reg covers “communications data”, some of which is not personal (e.g. machine-machine; corporations; deceased people)
  Unclear which of these will be included in final text
When?
  COU note “in transmission is confusing” (yes, but we have case law…)
  So propose GDPR “when recipient gains control”; ePR before that. Clear???
Who?
  Disagreement whether Law Enforcement/National Security are regulated

15 Directories
Art.15
Mostly applies to number-based systems
Disagreement on opt-in/opt-out
Disagreement on businesses

16 So what do we know…?

17 Reasonably Clear
Little divergence in current drafts…
Opt-in location-based services (e.g. “where is nearest free terminal?”)
  Though still unclear whether these are “consent” or “necessary for service”
Cookie classes (as before, plus “audience monitoring”)
  Status of GoogleAnalytics unclear, though ICO website uses it! (as at 3/9/18)
Security – at least in spirit
  Don’t think too hard about actual text!
Marketing – in the sense that current arguments seem unlikely to end…

18 Still Unclear
Beware of making long-term plans
Unconsented location data (counting or tracking)
  “Statistical counting” OK, but no one can define it [COU latest punts it to MS!]
When does GDPR/ePR apply?
Which legal bases are permitted?
  i.e. which GDPR obligations will apply
Cookie walls
  Make sure all cookies are either necessary or separately consented
Browser requirements
  Unclear and mysterious… [COU latest gives up]

19 References
Latest drafts
COM (10/1/17): privacy-and-electronic-communications
PAR (23/10/17): &language=EN
COU (4/5/18):
COU (10/7/18):
Me: cookie-processing/

20 Thanks
Andrew Cormack, Chief Regulatory Adviser, Jisc Technologies
Except where otherwise noted, this work is licensed under CC-BY-NC-ND

