A draft of the much an­tic­i­pated pro­posal for a re­form of the e-Pri­vacy Di­rec­tive has been leaked. The draft pro­posal con­tains sev­eral note­wor­thy changes with far-reach­ing con­se­quences for in­ter­net pri­vacy.

13 De­cem­ber 2016 – To com­ple­ment the Gen­eral Data Pro­tec­tion Reg­u­la­tion fi­nalised ear­lier this year, the Eu­ro­pean Com­mis­sion was sched­uled to pub­lish a pro­posal to up­date the e-Pri­vacy Di­rec­tive in No­vem­ber. While the pub­li­ca­tion of the pro­posal has been post­poned to Jan­u­ary 2017, a draft ver­sion has been leaked by Politico, which may give some in­di­ca­tions on what to ex­pect from the com­ing pro­posal. The first no­table point is that the di­rec­tive is re­placed by a reg­u­la­tion to fully com­ple­ment the Gen­eral Data Pro­tec­tion Reg­u­la­tion.

The leaked pro­posal also pro­vides much needed clar­ity on how web browser cook­ies should be han­dled. While the cur­rent e-Pri­vacy Di­rec­tive pro­vides lit­tle de­tails on whether web­sites need to seek con­sent on the us­age of cook­ies, case law and guid­ance by mem­ber state data pro­tec­tion au­thor­i­ties have gen­er­ally es­tab­lished that browser pri­vacy set­tings are not suf­fi­cient for ex­pressly grant­ing con­sent to the us­age of cook­ies. The draft pro­posal changes this dras­ti­cally with recitals ex­plic­itly deal­ing with browsers and track­ing tech­nolo­gies.

No­tably, the draft reg­u­la­tion en­dorses ex­ist­ing “Do Not Track” func­tion­al­ity pro­vided for by some browsers (but which is cur­rently al­most uni­ver­sally ig­nored by web­sites) by stat­ing that “gen­eral pri­vacy set­tings of a browser or other ap­pli­ca­tion shall be bind­ing on, and en­force­able against, any third par­ties.” Mak­ing browser pri­vacy set­tings bind­ing means that the preva­lent prac­tice of ig­nor­ing browser pri­vacy set­tings while pre­sent­ing a cookie no­tice would ex­pose web­sites to the pos­si­bil­ity of li­a­bil­ity un­der the draft pro­posal.

The leaked draft also clar­i­fies that there is no need for ex­plicit con­sent if cook­ies are used purely for en­sur­ing the proper func­tion­ing of a web­site, e.g. “to re­mem­ber lan­guage pref­er­ences [or] to keep track of the user’s in­put when fill­ing on­line forms over sev­eral pages”. The pos­si­bil­ity to en­sure the func­tion­ing of a web­site with­out the need for ex­plicit con­sent fur­ther sup­ports the “Do Not Track” regime by en­sur­ing that it is not nec­es­sar­ily a bi­nary choice be­tween ac­cept­ing cook­ies or be un­able to use a web­site but rather a choice whether to ac­cept track­ing (by cook­ies or other means).

Other note­wor­thy pro­vi­sions in­clude ex­plic­itly man­dat­ing “pri­vacy by de­sign” for com­mu­ni­ca­tions prod­ucts sold in the EU, and a re­quire­ment on browsers to pre­sent an ini­tial pri­vacy con­fig­u­ra­tion “at the mo­ment of the first use of the soft­ware”. Ad­di­tion­ally, there is a new oblig­a­tion for browsers to move away from cur­rent gen­eral prac­tice of al­low­ing all cook­ies as de­fault to a re­quire­ment to block all cook­ies and track­ing “in case of no ac­tive choice or ac­tion from the user”.

Fail­ure to com­ply with the draft pro­posal comes at a steep price: in­fringe­ments are sub­ject to ad­min­is­tra­tive fines up to €20 mil­lion, or 4 % of the to­tal world­wide an­nual turnover.