Op-Ed: Without the ePrivacy Regulation, which challenges must still be addressed? [Part I]
Now that the Commission has withdrawn its proposal for an ePrivacy Regulation, where does that leave the ePrivacy Directive and the issues organisations face?
Over the past 7-8 years, a lot has been said about the proposed ePrivacy Regulation. Intended both as a modernisation of the ePrivacy Directive and as a means of getting to (more) uniform application of ePrivacy rules, the proposal covered a lot of ground, from browser settings for consent to certain uses of cookies and other files/tags to revamped rules on the authorised uses of electronic communications content and metadata. It didn't change much regarding some of the ePrivacy rules, such as the (woefully neglected) anti-spam rule, but in other respects it was seen as a better-adapted ePrivacy framework.
The aim of this series is not to look at how the proposal evolved (with the various Parliament and Council modifications to the text, and their divergences) or why it broke down.
Rather, I want to highlight some of the opportunities and difficulties that are present already today and that remain, whether as a result of the withdrawal of the proposed ePrivacy Regulation or simply because the ePrivacy Regulation wouldn't have changed anything. Take from it the lessons you desire - whether you are an in-house counsel or product owner trying to understand grey areas, a legislator considering what to do (more on the Digital Fairness Act in a further piece in this series) or a regulator seeking to identify positions that are likely to give rise to challenges. After all, if a law is not workable in practice or does not have the desired effect but rather the opposite, it isn't a very good law, so this exercise can be useful in helping to identify ways to make ePrivacy rules workable for all.
The ePrivacy Directive can be said to contain two sets of rules: (i) those applicable to everyone, and (ii) rules that only apply to the providers of electronic communication services and networks.
Among the first category, there are two main rules: the "cookie" rule (Art. 5(3) of the ePrivacy Directive) and the anti-spam rule (Art. 13 of the ePrivacy Directive). [More later on why the quotes around "cookie".]
In this Part I, I will focus on an often ignored provision that seems simple but can be frightfully complex for organisations to navigate properly: the anti-spam rule. Part II deals with Art. 5(3) of the ePrivacy Directive, the "cookie" rule (and what it covers, its consequences etc.). Another part (or several, we'll see) will deal with competence/jurisdiction, dark patterns, the Digital Fairness Act and certain other topics. Have any other ePrivacy-related topics you would like to see handled in this series? Suggest away in the comments!
Here's the structure for this Part I:
Summary of the anti-spam rule
"Electronic mail"? Vague concept with many grey areas
Issues with soft opt-in
What about SOLICITED communications?
Conclusion: anti-spam - forgotten & flawed, but good-hearted
1. Summary of the anti-spam rule
The anti-spam rule, Article 13 of the ePrivacy Directive, is often ignored, due notably to issues of competence in some countries (more on that in a subsequent piece in this series) but also because it is overshadowed by its sibling, the "cookie" rule (which is covered in Part II).
The rule can be summarised as follows:
Electronic mail cannot be used for direct marketing without consent (Art. 13(1) of the ePrivacy Directive),
Except for direct marketing to existing customers in relation to its own similar products or services (provided they have already had and continue to have the opportunity to object) (Art. 13(2) of the ePrivacy Directive). [called the "soft opt-in" mechanism]
That summary hides some of the complexity, though.
2. "Electronic mail"? Vague concept with many grey areas
The definition of "electronic mail" is "any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient" (Article 2(h) of the ePrivacy Directive).
Not just e-mail, but clearly also SMS (text messages). Direct messages on social media and other interpersonal communication services would typically fit the bill.
A public post on a closed social media network, available only to my contacts/followers/...? Grey area, but in all likelihood no. The reasoning is a bit complex, so bear with me.
The definition of electronic mail does not seem to suggest one or the other. Strictly speaking, a post on a closed social media network is "text sent over a public communications network" (when I post it online) "which can be stored in the network" (through storage on the servers of the social media provider) "until it is collected by the recipient" (when one of my contacts loads his or her feed of social media content).
Yet the ePrivacy Directive concerns itself with "communications", which are defined as the exchange or conveyance of information "between a finite number of parties", and the anti-spam rule (Article 13 ePrivacy Directive) bears the title "unsolicited communications" (emphasis mine). That's it, though: the concept of "finite number of parties" is never explicitly tied to the definition of "electronic mail", and the key provisions - Art. 13(1) [prohibition of direct marketing by electronic mail without consent] and 13(2) [soft opt-in, i.e. consent exception] - do not actually talk about "communications" in that respect. It's in my view a gap in the legislation.
In the case of a post available only to my closed list of social media contacts, at the time of posting my list of contacts is "finite" (even if it can be large) - but it evolves with time, and as my list of contacts evolves, the number of people who see that post - even without any replies or reactions - can evolve as well, without necessarily any action particularly in relation to that post. Basically, by adding you to my list of contacts, I am automatically making all of my posts - including that specific one - available to you. That makes it harder to argue that the communication is to a "finite" number of recipients.
"Sure, but e-mail chains can be made available to others too through forwarding or including a new recipient - is that then really finite?" Excellent question! But in that case, there is a specific action taken in relation to that specific communication to make the list of recipients change, unlike the social media case where several factors contribute to changing the number of people who can see the post over time.
As you can see, we need a convoluted interpretation of the law to make the anti-spam rule apply to e-mail but not to social media posts.
And that's just the beginning. Things get significantly more complex when you examine whether personalised content or profile-based advertising can be "electronic mail" (really, it's a highly technical discussion looking at where someone is in the chain and how the conveyance of signals takes place).
The problem is that if you really want to stretch the notion to cover all of that [ahem, as some regulators do with certain other concepts, like the "cookie" rule, Art. 5(3) of the ePrivacy Directive - more on that in Part II of this series], then you are basically making every single Internet communication, including the loading of web pages, "electronic mail" - and surely that cannot have been the intention.
"That can't be right, Peter, with web pages the web page is not directed towards me specifically." Are you sure about that? Let's test that reasoning:
When you are connected to a user account on a website, some of the content is personalised, such as the appearance of your username, even in your user account management space. So that is content that is directed towards you individually (which could be said to be even more "finite" - given that the person is properly identified - than in the case of a spammer sending e-mails to random e-mail addresses farmed from web crawling).
Web pages surely don't meet the requirement that they "can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient", do they? From a technical perspective, web page content is stored in the network. A static page is a file whose content is served as-is; a dynamic page is assembled on request from items spread across a database, combined into a single generated page when the page is loaded. Whether static or dynamic, there is a moment, however brief, when the content of the page exists somewhere along the way between the publisher's servers and the user's Internet connection, i.e. in the network (and, once it has been served, often in a CDN cache along the way or in the browser cache on the user's terminal equipment).
"But that might not be computer storage but simply computer memory": great remark! I cover storage vs memory in Part II (on cookies and the like). An issue here is that the European Data Protection Board and its members seem to consider the verb "stored" to cover computer memory too, based on their interpretation of that very same verb in their Article 5(3) ePrivacy Directive guidance.
"That can't be right, it isn't kept there 'until collected' by the recipient": this highlights one of the most intensely problematic issues of the "electronic mail" definition, because that "until collected" bit doesn't work for e-mail anyway if you interpret it strictly. You basically have two possible interpretations:
(i) "until collected" means "after collection, it gets deleted from the server";
(ii) "until collected" means "it remains available on the server, and when the user accesses the system he gets a copy of that message".
So:
Does "until collected" mean "after collection, it gets deleted from the server"? That worked well under the older protocol used for e-mail, POP (Post Office Protocol): a copy of the e-mail sat on the server, and when the user connected his computer to the mail server a copy was downloaded, so that two copies then existed, one on the server and one on the user's device, with the server copy typically deleted on retrieval or after a while. POP has by and large been replaced with IMAP, a protocol that keeps the message on the server and synchronises the mailboxes on my phone, my computer and the mail system; webmail goes one step further, as the browser never "collects" anything in the POP sense, it simply displays what remains on the server. So no, not a workable criterion.
Does "until collected" mean "it remains available on the server, and when the user accesses the system he gets a copy of that message"? Great, but you have also just described every connection to any web content.
Is your head spinning yet?
In short, the definition of "electronic mail" is bad. Really flawed. It doesn't give organisations sufficiently objective, tangible and up-to-date criteria to make a proper technical assessment on their own of the various situations they encounter. [And the ePrivacy Regulation wasn't going to change too much in that respect, though its focus on electronic "messages" (as opposed to "mail") showed lawmakers understood there was a broader scope than just e-mail.]
That results in the need sometimes to call upon people like me to help figure out whether something is or is not potentially "electronic mail", based on a combination of a legal and technical analysis, and to document that carefully in something that ultimately resembles a white paper or legal memorandum.
3. Issues with soft opt-in
The soft opt-in mechanism has its own share of issues too.
By way of a reminder, "soft opt-in" is a common way of talking of the consent exemption foreseen in Article 13(2) of the ePrivacy Directive, which in summary states that no consent is needed for direct marketing to existing customers in relation to own similar products or services (provided they have already had and continue to have the opportunity to object).
Let's look at its core conditions. The actual text of Article 13(2) ePrivacy Directive is as follows:
"where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with [the GDPR], the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case the customer has not initially refused such use"
Breaking it down:
"where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with [the GDPR]":
First, who exactly obtains those contact details? This is tricky in the case of corporate groups, as many manage marketing at a global level while sales occur at a local level. This has led many corporations to seek advice (notably from me) on how to structure this in a manner that works from an ePrivacy perspective. Should corporate groups be prevented from relying on the soft opt-in consent exemption purely because they allocate tasks among different entities? That does not seem to have been the intent of the law. Legal uncertainty could be mitigated if there were no need to rely on documented arguments and more complex structures.
Second, what is that "in the context of the sale of a product or a service"? "Sale" has typically been interpreted as covering also products and services that are free of charge but might otherwise have been against payment. Having to rely on typical interpretations isn't great though, and it highlights another issue with the provision.
Next:
"the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services":
Again, what to do in the event of corporate groups? The "same natural or legal person" penalises straightforward task allocations within a corporate group, requiring again specific documentation and constructions to make this feasible.
The idea of "own similar products or services" raises serious concerns for certain business models. Any time someone is not the creator or manufacturer of a product or service, this is inherently problematic: what is an "own" product or service? A reseller could argue that the products that he sells are his "own", because he has bought them from his supplier; but then, what about a commercial agent or a commission-type relationship? I have had to help organisations of a wide range of business activities in figuring out how to manage this, and it's not always easy for them to be certain that a regulator will accept their reasoning.
Another issue comes from the "own similar products or services". What is similar? I have had discussions with supermarkets who said that they consider everything they sell to be consumer goods and thus "similar"; with energy companies saying that solar panel installations, gas boiler maintenance and electricity provision are all "similar" too because they are part of a broader category of goods and services that their customers lump together. The case law in this respect has gone in all sorts of directions, and I have often been led to help organisations document, with well thought-out legal reasoning and evidence, why they consider several types of products or services to be "similar".
And finally:
"provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details at the time of their collection and on the occasion of each message in case the customer has not initially refused such use"
This one is in theory the least controversial part of the provision, the requirement to have an opt-out mechanism available both at the time of collection and in any actual electronic mail. Again, though, depending on how you interpret "electronic mail", this can become a nightmare - which highlights the importance of documenting an organisation's own reasoning of why it considers certain means of conveyance of messages (not) to be electronic mail.
4. What about SOLICITED communications?
The title of Article 13 of the ePrivacy Directive is great: "unsolicited communications". But then the text of Article 13 never talks about what is "solicited" - reducing the choice to "consent, soft opt-in or prohibited". Yet there is a whole range of communications that are clearly solicited without requiring some kind of "consent" as we typically understand it: service communications.
One example I often encountered is that of coupon/discount subscriptions. If I subscribe to a service whose entire purpose is to send me e-mails with marketing offers, is that something that really requires "consent"?
It shouldn't, yet the ePrivacy Directive doesn't leave much of a choice. Some national implementations have made the "unsolicited" aspect clearer, such as the UK's implementation in regulation 22 of PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003), but they are the minority.
Regulation 22(1) and (2) PECR are worth quoting in this respect:
"(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender."
Electronic mail is clearly here purely the technical means of conveyance of the message - and if that message is "solicited" in any way, it will not be covered by the anti-spam rule.
In jurisdictions with other implementations of the anti-spam rule, though, you might be scratching your head to figure out how to deal with solicited communications. This has led some organisations to document (again, with legal arguments in support) their position that solicited communications fall outside the scope of Article 13 of the ePrivacy Directive, while others have relied on an interpretation of Article 7(4) of the GDPR to permit a contractual consent, reasoning as follows:
"Consent" under the ePrivacy Directive has to be understood as consent under the Data Protection Directive 95/46/EC, and thus under the GDPR today (given that all references to Directive 95/46/EC have to be read as references to the GDPR's equivalent provisions, in accordance with Article 94(2) GDPR).
Article 7(4) GDPR states that to assess whether consent is freely given, "utmost account [must] be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract". Put differently, the performance of the contract can be conditional on consent to the processing of personal data that is necessary for the performance of that contract, without this affecting the freely given nature of that consent under the GDPR.
So if communications are solicited, it should be possible to include a "required consent" as part of the signing-up process, without that affecting the freely given nature of that consent. After all, a person is free not to choose that service, in which case the processing that is necessary to that end will not be carried out either.
Surely we could do better. If someone wants to get communications for a service, why not have an explicit service exemption like we do for cookies and the like? It would simplify so much and avoid misunderstandings.
5. Conclusion: anti-spam - forgotten & flawed, but good-hearted
Given all of these flaws and interpretation issues, it's important to get back to the basics: what was the rule really about?
The anti-spam rule was meant to tackle the abuse of technologies whose intention is to be private communication channels.
The "Nigerian prince" e-mail scam? An abuse of private communication channels, simply because it's fraudulent.
The direct marketing scenario? If I use a private communication channel to try to sell legitimate services or products, there is no inherent illegality there, so the abuse would be if the context doesn't make it part of your expectations or if I commit a specific illegality (such as hiding the fact that this is an ad).
A closed web forum or social media network? Messages on there are not private from the moment when I am communicating with more than some number (5? 10? 100?) of people, because my message is then not specifically addressed to you and a limited number of others. So "finite" is appropriate from that perspective, but we need to be able to put some kind of value on it, or at least a requirement that it be a "finite" number that only changes if specific actions are taken to make that message available to specific recipients.
It's a good rule in theory, but its concepts are too vague and the exceptions are too restrictive.
Maybe we can work towards more workable rules, or at least more workable interpretations of the rules while we still have the ePrivacy Directive?
Stay tuned for the next part of this series - a fun one on Article 5(3) of the ePrivacy Directive. Another part (or several, we'll see) will deal with competence/jurisdiction, dark patterns, the Digital Fairness Act and certain other topics.
Have any other ePrivacy-related topics you would like to see handled in this series? Suggest away in the comments!
Data/Cyber/Tech Law; helping you innovate & use data better (EU & international); litigation / advice / strategy
Part II, on the cookie rule / Art. 5(3) of the ePrivacy Directive, is now live: https://www.linkedin.com/posts/petercraddock_eprivacy-dataprotection-gdpr-activity-7303713332564250625-ktZY?utm_source=share&utm_medium=member_android&rcm=ACoAAAFqeGMBpa9MnXr8faIANRvuXALB7LUG8do
With the ePrivacy Regulation off the table, businesses are left navigating a Directive that was never designed for the modern digital economy. Compliance shouldn't feel like reading tea leaves. The key is understanding the risks and finding practical solutions.
Protecting privacy in online and AI services | CEO @ Webclew | Privacy engineer @ Datawise
Great post Peter! Wasn't aware there is so much to unpack in the anti-spam rule. For part II, it would be interesting to share your thoughts on client-side versus server-side tracking and the interplay with the GDPR legal bases there.
Making research more real with Cxoice Insight and AI systems | dobney.com market research
This isn't my area, but it popped up on my feed and is interesting and potentially relevant downstream. However, it leaves me wondering: if the law or regulation creates different interpretations in different countries, is not clearly understood by lawyers, and leaves well-paid corporations scratching their heads, then what hope is there for an SME with zero legal specialism? They can't even know who is a reliable expert to advise them. As an outsider, might I suggest a 'reasonable person' test to validate these types of wickedly obtuse legal framings by running them by a representative sample of SME owners, and only releasing the regulations when 90% of those 'reasonable people' can actually agree that they know what the regulation covers and requires...
Head of Commercial Data & Analytics @ Immediate Media Co | Data Analysis, Strategy & Innovation
Thorough and insightful as always, Peter. Particularly interested in parts 2 and 3 on matters related to cookie law and dark patterns. These areas, and having a more rigorous perspective of them, are pertinent now more than ever as from an advertising perspective we work through the ICO's revised "storage and access" guidance.