Citizens are increasingly being monitored and tracked by public authorities and commercial interests. Many carry digital devices which, by design, emit a unique identifier, such as the WiFi Media Access Control (MAC) address of a smartphone. Even though the MAC address does not directly reveal the identity of a person, it can be used for recognising individuals between different sensor points and tracking their movements. With a sufficient number of sensors, an almost complete profile of a person’s movement in a city can be obtained without consent.
The Danish Business Authority, which is the regulatory authority for the Danish transposition of the ePrivacy Directive, initially indicated in media comments that these systems were subject to Article 5(3) of the ePrivacy Directive and that consent was required. There is no practical way that the required consent could be obtained, so this would effectively have forced the Danish municipalities to stop their traffic monitoring projects.
In January 2015, a formal request to the Danish Business Authority about the collection of MAC addresses was submitted and the Danish Business Authority rendered a formal decision on the matter which reversed its initial position that the consent requirement of Article 5(3) applies to these systems.
The Association for Technology and Internet (ApTI) wrote an opinion indicating several issues, however despite being invited to participate in a debate organized by the Legal Commission, none of the points raised were given any attention.
The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to- end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.
Revised ePrivacy laws should guarantee confidentiality of communications and encourage encryption, the European Union’s data watchdog has said. European Data Protection Supervisor (EDPS) Giovanni Buttarelli published his official opinion on the review of the ePrivacy Directive on Monday.
An overhaul to the so-called Cookie Law is currently be worked on by officials at the European Commission, with the completion date expected before the end of the year to bring it into line with the new General Data Protection Regulation (GDPR).
Today, on 10 January 2017, the European Commission published its proposal for an e-Privacy Regulation. This legislation is crucial to provide clear rules on tracking individuals as they surf the web, and on freedom of communication more generally.
On January 10 2017, the European Commission published a proposal for a Regulation, in view of the economic and social importance of digital services, the development of Internet of Things and the rise of the so-called Over-the-Top communications services, all of which currently fall outside of Directive 2002/58/EC.
This article presents a commentary on the ePrivacy Regulation.