One of the most important fields of application of privacy protection is facing a fundamental reordering: data protection in combination with electronic communication. To date, the EU has regulated this important field of action in the E-Privacy Directive – in future, the E-Privacy Regulation (which is still in the drafting stage) will take its place. The new regulation will expand the field of application of the special regime to Internet services, advertising services and tracking services. The services of public administration will also be subject to the regulatory regime of the upcoming regulation.
The EU is pursuing a convincing objective with the E-Privacy Regulation: electronic communications contents and their metadata can contain highly sensitive information about the people involved in them – consequently, their protection requires measures that are just as special as for the actual content data. However, a multitude of conceptual, interpretational and application questions that still need clarification already arise at the level of EU law. For example, the draft regulation does not appear to cover peer-to-peer services – a problem that similarly arises under the GDPR for decentralised applications like blockchain technology. In addition, the precise scope of the E-Privacy Regulation is unclear: the aim appears to be that it should apply particularly to communication on and by means of social media, but where exactly the line is to be drawn remains open. This results in problems especially in interaction with the GDPR.
Just like the GDPR, the E-Privacy Regulation will be directly applicable law in all member states of the EU. However, this does not necessarily mean that the member states themselves would be released from any responsibility. On the contrary, not only would execution be a matter for the member states – filling out the remaining room for manoeuvre would also be up to them. As in the adaptation process of national data privacy law to the GDPR, the E-Privacy Regulation will make modifications of national telecommunications law necessary.
Data retention is also a central problem. The EU Commission's draft leaves open whether national regulations on data retention are to be provided for or kept. However, the requirements imposed by the ECJ in the Tele2 decision may result in new regulation. National regulatory room for manoeuvre remains, not least for handling IT security risks. The E-Privacy Regulation is intended at least to oblige communications operators to warn end-users of risks. However, it remains unclear whether the state has to reveal software weaknesses of which it is aware. This is extremely relevant where the state faces a conflict of objectives between an interest in guaranteeing IT security and an interest in infiltrating third-party systems to avert dangers (online searches, source telecommunication monitoring or hack-backs).
Prof. Dr. Mario Martini