Matthew B. Welling

EU Commission publishes first results of consultation of e-Privacy Directive; Irish DPA issues Guidance on Location Data.

European Commission publishes summary report on consultation of e-Privacy Directive

On August 4, 2016, the European Commission has published a first summary report on the public consultation on the evaluation and review of the e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), also known as ‘e-Privacy’ or ‘Cookie’ Directive.

Two weeks ago, on July 19, 2016, the Article 29 Working Party, an EU advisory body comprised by representatives of the national Data Protection Authorities, had also published a detailed opinion on this issue.

The ‘e-Privacy Directive’, which contains specific rules relating to the processing of personal data in the e-Communications sector, needs to be adapted to the new European General Data Protection Regulation (‘GDPR’), which will replace the former EU Directive 95/46/EC as from May 25, 2016. The GDPR aims to ensure modernized rules and increased harmonization for Privacy in Europe and is part of the European Commission’s Digital Single Market (DSM) Strategy.

The 421 stakeholders in the consultation, of whom more than ¼ are situated in Germany, agree with a vast majority of 83% that specific privacy rules for e-Communication are useful to ensure the confidentiality of communications. In addition, 76% of respondents believe that the Directive should as well apply to so-called ‘over-the-top’ service providers (OTT), when offering VoIP services or instant messaging. However, more than ¾ of the respondents also said that until now, the Directive has achieved its aims only to a limited extent, due to – among others – too little enforcement and compliance pressure.

The Commission’s conclusions drawn from the consultation, as well as proposals on how to adapt the Directive are expected to be released later this year.

Irish Data Protection Authority issues Guidance on Location Data

On August 9, 2016, the Irish Data Protection Commissioner has published detailed guidance for individuals and organizations on location data.

Localization data, which links an individual to a particular place including information on where that person currently is or where they were at some point in the past, is used by organizations to offer personalized services, such as i.a. navigation apps or location-specific website content. The most popular recent example is the smartphone application ‘Pokemon Go’, which is a so called ‘augmented-reality’ game based on geomapping and user localization data.

The guidance papers warn individuals to be aware of applications and networks that might collect their personal data and encourages them to know their rights in relation to this data. For organizations, the guidance gives detailed advice on applicable laws and the legitimation of processing under current applicable laws. As a key note, it reminds obligations of their responsibility to minimize the amount of data collected, processed and retained and warns that such data may in particular cases also constitute or contain sensitive data.

Reference is also made to the latest guidance of the Article 29 Working Party, an EU advisory body comprised by representatives of the national Data Protection Authorities, on the use of location data for value-added services (2005), geolocation services on smart mobile devices (2011), the definition of consent (2011) as well as anonymization techniques (2014).