Professor Joasia Luzak on revision of the e-privacy Directive in light of Brexit

Will the third version of e-privacy Directive manage to guarantee privacy of data?

On December 2nd, in Portcullis House, The Houses of Parliament in London, a conference took place on "The relationship of the EU and the UK in the future of data protection and privacy policy" within The UK in a Changing Europe research programme. See more on the conference here. Gathered academics and stakeholders discussed the impact of the adoption of General Data Protection Regulation as well as of the revision of e-Privacy Directive on the UK’s policy, in light of the coming Brexit.

During this conference, Associate Professor Joasia Luzak gave a talk entitled: 'A house of bricks? On the 3rd version of e-Privacy Directive'. She has posed a question whether it is possible to draft the new, third version of e-Privacy Directive in a way that would provide it with solid fundaments, making it capable to protect privacy regardless of the new challenges that it would face due to evolving technology ('the big bad wolf').

In her talk, Professor Luzak discussed the findings of the public consultation of summer 2016, which clearly showed conflicting interests of consumers, industry and public authorities. These conflicting interests will be hard to reconcile by the European institutions, and may, again, lower the level of privacy protection that the final version of the rules will provide. This notwithstanding the fact that the European Data Protection Supervisor called upon European institutions in its opinion 5/2016 to reinforce privacy protection, and not limit the review just to adjusting the scope of e-Privacy Directive to match the one of the General Data Protection Regulation.

The public consultation revealed three main issues that the revision should tackle. First, with regard to the scope, the e-Privacy Directive is currently not well suited to protect privacy in e.g. cloud computing, which has developed after the adoption of the last version of this directive. Not to mention, it does not clearly address over-the-top services. Second, the current rules are vague, which means that e.g. there is no clarity as to whether metadata (traffic and location data) is covered by confidentiality rules; opinions differ on when obtaining users’ informed consent for sharing their data is compliant with this Directive; etc. Third, the rates of compliance and enforcement are low, and in different Member States different authorities have purview over this area.

After briefly presenting and discussing these issues, Professor Luzak mentioned that the UK leaving the EU might protect the UK in the future from actions by EU institutions claiming that the UK has improperly adopted the e-Privacy Directive. E.g., communication of the Information Commissioner's Office (ICO) of 2012 stated that 'wherever possible' placing of cookies should be delayed till consent is obtained. Such a backdoor for obtaining informed consent was not envisaged by the drafters of the Directive. On the other hand, it is reasonable to fear the future of privacy protection in the UK after Brexit, considering privacy protection was never recognised as a fundamental right in the UK, prior to joining the EU, and the UK will not have an obligation to adopt the changed rules of e-Privacy Directive any longer, as this change is likely to occur after the UK leaves the EU. However, a light of hope might shine, considering that EU might not allow trade of British companies with EU ones, if the UK cannot guarantee the safety of exchanged data. These practical consequences might motivate the Parliament to continue adjusting privacy policies to the EU ones.

Date: 9 January 2017

Read more University News