New ePrivacy Draft Regulation
On November 4th, 2020, the Presidency of the Council of the European Union (currently presided by Germany) published its revised and hitherto most recent iteration of the long-awaited ePrivacy Regulation.
The new Regulation is titled a “Regulation on Privacy and Electronic Communications”. It will replace the ePrivacy Directive (2002/58/EC) and introduce some important changes to the regime of the current Directive concerning privacy aspects of electronic communications.
As in previous drafts, consent of end users to processing of electronic communications’ data and transparency duties regarding such processing are essential components of the privacy protection scheme.
The (valid) consent of an end-user is inherently connected to the fulfillment of transparency requirements: The end-user must be offered information supporting the understanding of what exactly he or she is giving permission to do, including the circumstances of processing and possibly the risks involved. And in the area of transparency, awareness and comprehension – privacy icons (alongside other visual and information design approaches) can make an important contribution.
The ePrivacy Regulation and Privacy Icons
Indeed, the Draft Regulation mentions privacy icons several times:
- Recital 41 provides:
“In particular, delegated acts should be adopted in respect of the information to be presented, including by means of standardised icons in order to give an easily visible and intelligible overview of the collection of information emitted by terminal equipment, its purpose, the person responsible for it and of any measure the end-user of the terminal equipment can take to minimise the collection.”
Delegated acts are implementation measures that the European Commission may adopt to support EU legislation, and in this context, regarding the presentation of privacy information in a manner that will further achieving the purpose of the Regulation. It is interesting to note that the Draft Recital uses an imperative language (“should be adopted”)
- Draft Article 8(3)
This provision states that certain transparency information “may be provided in combination with standardized icons in order to give a meaningful overview of the collection in an easily visible, intelligible and clearly legible manner.”
It addresses specifically underlying information for consent to collection of information emitted by terminal equipment of the end-user to enable it to connect to another device and/or to network equipment (Draft Art. 8.2.(b)), or in case that such information is necessary for the purpose of statistical counting (Draft Art. 8.2.(c)) in situations where consent is not required.
- Draft Article 8(4)
This provision empowers the Commission to adopt delegated acts that may determine the information to be presented by the standardized icon and the procedures for providing standardized icons anticipated under Draft Art. 8(3)
- Draft Article 19(2)(e)
Here, among its other tasks, the European Data Protection Board may advise the Commission on icons referred to in Art. 8(3).
An initial examination of the Draft e-Privacy Regulation reveals the following :
– The Regulation would explicitly and rather unapologetically urge the Commission to adopt delegated act/s in the area of icons/ information visualization.
– The context of implementing icons is made more concrete under Draft Art. 8(2), which specifically addresses information emitted by the end user’s terminal equipment in order to enable it to connect to another device and/ or to network equipment.
– Art. 8(3) refers to Art. 2(a), which, in turn, refers further to Article 13 GDPR – to the effect that all the information requirements under Article 13 GDPR (and it is quite a long list…) are potentially subject to the above-mentioned icons provisions.
– Compared to Article 12(7)-(8) GDPR, the provisions of Art. 8(3) Draft ePrivacy Regulation appear more restrictive in scope, as the Regulation pre-defines the technical nature and purposes of procession where the icons provisions are applicable. At the same time, Draft Recital 41 speaks in broader and more general terms as it addresses “collection of information emitted by terminal equipment, its purpose, the person responsible for it…”