Updated Sep 23, 2022
Meanwhile, Directive 2002/58 continues to inspire case law, in particular with regard to the lifting of anonymity on the Internet for the purpose of researching the authors of illegal comments published on the Internet, even though the directive concerns communications between people (private correspondence) and not the writing of public statements online (CJEU, gde. ch., Oct. 6, 2020, aff. C-511/18, C-512/18 and C-520/18)
***
The Draft Regulation ePrivacy proposed by the European Parliament and Council on
January 10, 2017, aims to respond to the concerns of European citizens on the protection of their data
personal information stored on their smartphones, tablets, laptops,
etc., by strengthening the rules applicable to communications
electronic and commercial canvassing.
January 10, 2017, aims to respond to the concerns of European citizens on the protection of their data
personal information stored on their smartphones, tablets, laptops,
etc., by strengthening the rules applicable to communications
electronic and commercial canvassing.
In an information note, the European Commission officially launches the
legislative process devoted to the proposed regulation. The Commission
calls on the European Parliament and the Council to press ahead with the
work on their proposals and to ensure their adoption by 25 May 2018
at the latest (date from which, moreover, the general EU regulation
n°2016/679 of April 27, 2016 on data protection will come into force
application).
legislative process devoted to the proposed regulation. The Commission
calls on the European Parliament and the Council to press ahead with the
work on their proposals and to ensure their adoption by 25 May 2018
at the latest (date from which, moreover, the general EU regulation
n°2016/679 of April 27, 2016 on data protection will come into force
application).
This will be an update of the provisions of the directive ePrivacy 2002/58/EC
of July 12, 2002 (revised on November 25, 2009 by Directive 2009/136/EC).
of July 12, 2002 (revised on November 25, 2009 by Directive 2009/136/EC).
The provisions of this old directive will therefore take
a new youth through this regulation, which will make them directly
applicable, this time to all Member States and without a transposition deadline,
thus making it possible to fight against inequalities and differences
assessment in matters of personal data protection. Furthermore,
this regulation will supplement the Regulation General EU n°2016/679 of April 27, 2016 on data protection which will come into force on May 25, 2018.
a new youth through this regulation, which will make them directly
applicable, this time to all Member States and without a transposition deadline,
thus making it possible to fight against inequalities and differences
assessment in matters of personal data protection. Furthermore,
this regulation will supplement the Regulation General EU n°2016/679 of April 27, 2016 on data protection which will come into force on May 25, 2018.
The old directive ePrivacy 2002/58/EC of July 12, 2002 had however already been the subject of scattered transpositions into French law from 2004 to 2012
through 11 texts, the new regulation will therefore have the merit of serving as a single reference text on the subject and directly applicable:
through 11 texts, the new regulation will therefore have the merit of serving as a single reference text on the subject and directly applicable:
–
Law No. 2004-575 of June 21, 2004 for trust in the digital economy
Law No. 2004-575 of June 21, 2004 for trust in the digital economy
– Law No. 2004-669 of July 9, 2004 relating to electronic communications and
audiovisual communication services
audiovisual communication services
– Law No. 2004-801 of August 6, 2004 relating to the protection of natural persons
with regard to the processing of personal data and amending Law no.
78-17 of January 6, 1978 relating to data processing, files and freedoms
with regard to the processing of personal data and amending Law no.
78-17 of January 6, 1978 relating to data processing, files and freedoms
– Decree No. 2005-862 of July 26, 2005 relating to the conditions of establishment and
operating networks and providing communications services
electronic
operating networks and providing communications services
electronic
–
Decree No. 2009-834 of July 7, 2009 establishing a service with national competence
referred to as the “National Information Systems Security Agency”
Decree No. 2009-834 of July 7, 2009 establishing a service with national competence
referred to as the “National Information Systems Security Agency”
–
Law No. 2011-302 of March 22, 2011 containing various provisions for adapting the
legislation to European Union law on health, work and
electronic communications
Law No. 2011-302 of March 22, 2011 containing various provisions for adapting the
legislation to European Union law on health, work and
electronic communications
– Law No. 2011-901 of July 28, 2011 tending to improve the functioning of the houses
departments for people with disabilities and containing various provisions relating to
disability policy
departments for people with disabilities and containing various provisions relating to
disability policy
–
Ordinance No. 2011-1012 of August 24, 2011 relating to electronic communications
Ordinance No. 2011-1012 of August 24, 2011 relating to electronic communications
– Decree No. 2012-436 of March 30, 2012 transposing the new regulatory framework
european electronic communications
european electronic communications
– Decree No. 2012-488 of April 13, 2012 amending the obligations of operators to
electronic communications in accordance with the new regulatory framework
European
electronic communications in accordance with the new regulatory framework
European
In the regulation in preparation, three sections are planned :
- 1er
shutter : eavesdropping, interception, analysis and storage
text messages, e-mails or voice calls will be prohibited without
of user consent: this will concern the content of the
communication but also the data relating to the place, the time and the
recipient. (this will also concern applications such as WhatsApp,
Facebook, Skype, Gmail, etc.).
- 2th
shutter : the
transparency in the use of cookies. The objective is to offer
users a digital environment less “invaded” by
cookie banners that are displayed on each page visited. In this regard,
the user will have the possibility to accept or refuse cookies and
should be able to do it more
systematically by configuring the navigation parameters (concerning the
so-called “third-party cookies”, which are essentially intended to
communicate data to third parties for commercial purposes, browsers
must be able to block them by default)
Remark : the
cookie is the equivalent of a small text file, stored on the
user's terminal. Their appearance dates from the 90s and allow
thus allowing website developers to retain user data in order to
to facilitate navigation and to allow certain functionalities. The
cookies have always been more or less controversial because they contain
personal information that could potentially be exploited by
third.
cookie is the equivalent of a small text file, stored on the
user's terminal. Their appearance dates from the 90s and allow
thus allowing website developers to retain user data in order to
to facilitate navigation and to allow certain functionalities. The
cookies have always been more or less controversial because they contain
personal information that could potentially be exploited by
third.
2 guidelines to consider
account :
account :
–
Directive 2002/58 on privacy: it contains rules on
the use of cookies. Article 5 §3 requires that the storage of data
(like cookies) on the user's computer can only be
done if: the user is informed of how the data is used
; it is given to the user the possibility of refusing this operation of
storage. However, this article also states that the storage of data for
technical reasons is exempt from this law. According to the opinion of the G29 n° 2/2010 of
2010, this directive remains very poorly applied: most sites
limited to a simple "banner" informing of the use of
"cookies" without giving information on the uses, without
differentiate "technical" cookies from cookies of
"tracking", nor to offer any real choice to the user.
Directive 2002/58 on privacy: it contains rules on
the use of cookies. Article 5 §3 requires that the storage of data
(like cookies) on the user's computer can only be
done if: the user is informed of how the data is used
; it is given to the user the possibility of refusing this operation of
storage. However, this article also states that the storage of data for
technical reasons is exempt from this law. According to the opinion of the G29 n° 2/2010 of
2010, this directive remains very poorly applied: most sites
limited to a simple "banner" informing of the use of
"cookies" without giving information on the uses, without
differentiate "technical" cookies from cookies of
"tracking", nor to offer any real choice to the user.
–
Directive 2009/136/EC of 25 November 2009 therefore strengthens the obligations
prior to placing cookies on the Internet user's computer provided
that the latter has given his consent after having received clear information and
complete. However, despite the will of the European legislator to the contrary, no
browser does not yet allow the dissociation of technical cookies and cookies
optional.
Directive 2009/136/EC of 25 November 2009 therefore strengthens the obligations
prior to placing cookies on the Internet user's computer provided
that the latter has given his consent after having received clear information and
complete. However, despite the will of the European legislator to the contrary, no
browser does not yet allow the dissociation of technical cookies and cookies
optional.
- 3th
shutter : prohibition of electronic communications
unsolicited, whatever the medium used (emails, SMS, calls
telephones, etc.). Except prior consent of the user. Thus, for
the sending of spams, the Net surfer will be able to materialize his consent by ticking
a box and thus receive offers commercial
of the society. Similarly, the consumer who has actively registered his number
on the red list shall not receive targeted telephone calls
commercial.
This 3th shutter poses
useful questions for France: in fact, sending spam is
already governed by consumer law in France, as well as the implementation of
place of telephone restrictions (“Platform “ bloctel.gouv.fr ”, resulting from the law n ° 2014-344 of March 17, 2014
on consumption). Text messages and voice messages are not affected, but
depend on another procedure (Platform of the 33 700).
useful questions for France: in fact, sending spam is
already governed by consumer law in France, as well as the implementation of
place of telephone restrictions (“Platform “ bloctel.gouv.fr ”, resulting from the law n ° 2014-344 of March 17, 2014
on consumption). Text messages and voice messages are not affected, but
depend on another procedure (Platform of the 33 700).
The main targets of this text,
are the actors of targeted advertising and
the GAFAs. Indeed, the commission's new proposal intends to include
within its scope all service providers
telecommunications: such as Facebook (Facebook Messenger), WhatsApp, Google
Hangouts etc.
are the actors of targeted advertising and
the GAFAs. Indeed, the commission's new proposal intends to include
within its scope all service providers
telecommunications: such as Facebook (Facebook Messenger), WhatsApp, Google
Hangouts etc.
For some observers, this
proposal does not go far enough in terms of data protection.
proposal does not go far enough in terms of data protection.
As Lukasz Olejnik explains,
British PhD researcher
IT from INRIA, specializing in security and privacy issues,
the commission's proposal does not take not
take into account the technical developments awaiting browsers and this
finally content to validate the status quo: “ For example, this new update of the directive does not take
not take into account the fact that browsers will soon have
much more powerful features, such as access to sensor data
or the pairing between the browser and the user's device, via
Bluetooth. ".
Thus, browsers will be able to enter data via the
connected devices, including the collection of cookies.
British PhD researcher
IT from INRIA, specializing in security and privacy issues,
the commission's proposal does not take not
take into account the technical developments awaiting browsers and this
finally content to validate the status quo: “ For example, this new update of the directive does not take
not take into account the fact that browsers will soon have
much more powerful features, such as access to sensor data
or the pairing between the browser and the user's device, via
Bluetooth. ".
Thus, browsers will be able to enter data via the
connected devices, including the collection of cookies.
Thus, this new regulation
would simply seem to renew some bases already acquired in 2009 or with
the new Directive coming into force in 2018, without really bringing any
progress.
would simply seem to renew some bases already acquired in 2009 or with
the new Directive coming into force in 2018, without really bringing any
progress.
See also: https://roquefeuil.avocat.fr/reglementation-des-cookies/
The states
announce that they will take a position on this regulation only from the end of April 2017.
On February 9, 2017, the G29 declared that they would publish their opinion on the regulation " maybe in April, surely before
summer [Editor's note: 2017]".
MR
English 
French 
German 
Spanish 
Portuguese 
Italian