The right to privacy is enshrined in international and national law around the world. However, to help make this right a reality, it must be accompanied by other legal frameworks, such as data protection laws and other laws that protect the confidentiality of communications and place limits on tracking and marketing. This is increasingly important as data gathering and tracking become ever more invasive and include data that may not be considered personal data.

Data protection in the EU is governed by the General Data Protection Regulation (GDPR). The GDPR is “particularised and complemented” by the ePrivacy Directive, another EU legal text.

The ePrivacy Directive seeks to ensure that all communications over public networks maintain respect for fundamental rights, in particular a high level of data protection and of privacy, regardless of the technology used. The Directive, from 2002, has been amended a few times over the years (2006, 2009, 2013) and, as it is a Directive, was required to be implemented by Member States through national law.

On 10 January 2017, the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications seeking to build on and update the law with GDPR. However, in large part thanks to corporate lobbying, the proposal has yet to be passed.

What is the problem?

Our online behaviour and communications are increasingly tracked, monitored and used in various ways to target us. This is particularly prevalent in the AdTech industry.

The ePrivacy Directive (as implemented in national laws) seeks to protect confidentiality of communications, prevent spam and place limits on the use of data from our devices - this includes the use of cookies, pixels and other tracking technologies. However, in spite of the protections, we’ve observed multiple infringements on websites and apps.

The lack of respect for and enforcement of the ePrivacy rules is compounded by the troubles faced through corporate lobbying as well as member states that see this as an opportunity to introduce data retention regimes. These prevent the law from being updated in a way that increases and does not diminish protections.

What is the solution?

The ePrivacy framework (and laws like it) needs to be implemented and enforced as it stands but, more importantly, it needs to be updated, among other things to ensure that rules on confidentiality, privacy, and security apply to internet-connected devices and machine-to-machine communications.

The reform of ePrivacy should be an opportunity to discuss and set rules that see innovation, security, and protection of privacy as mutually reinforcing and put firm limits on ever more intrusive tracking.

It is essential that, in updating the law, consideration is given to calls from civil society and regulators.

What is PI doing?

  • PI investigates and exposes infringements and abuses of ePrivacy, whether on websites or apps.

  • PI has been closely monitoring the development of the Commission’s proposal to update the law and proposed amendments to the original draft. In the years since, together with other civil society organisations, we have consistently called for a strong Regulation to be passed. We will continue to do so.

  • PI works around the world to support work by partners, for example Dejusticia, in Colombia, to review whether equivalent protections are in place and make suggestions for reform.