Coverage of OTT services and M2M communication by the ePrivacy Regulation
The material scope of the ePrivacy Regulation is very wide-ranging. It is not intended solely to regulate the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services (Article 2(1) (a)). It is also applicable to
- information relating to/on end-user terminal equipment (such as cookies)
- the provision of publicly accessible directories of users of electronic communications and
- the transmission of direct marketing to end-users by means of electronic communications.
The ePrivacy Regulation is intended to cover more than just conventional telecommunications services, such as Internet access services, fixed and mobile telephone services or SMS services. Category 1 Over-the-Top services (OTT-I services) such as the messenger and VoIP services WhatsApp, Skype and Threema, e-mail services such as Gmail and Posteo, and machine-to-machine transmission services (M2M communication services) are also set to fall within the scope of the ePrivacy Regulation.
Application of the Regulation to these services has been made possible by the redefinition of electronic communications services. A revised version of this definition has already been included in the European Electronic Communications Code (EECC). In line with the new definition, the ePrivacy Regulation distinguishes four categories of electronic communications services:
- Internet access services,
- number-based interpersonal communications services,
- number-independent interpersonal communications services, and
- services consisting wholly or mainly of the conveyance of signals.
The inclusion of interpersonal communications services is intended to make it clear that OTT-I services fall within the scope of the ePrivacy Regulation.
Under the present legal framework, it has long been a matter of dispute whether pure OTT-I services fall within the scope of European telecommunications law. The ECJ’s ruling of 13 June 2019 (Case Ref. C-193/18 – Gmail) largely resolved this issue at the highest judicial level: according to the argumentation of the ECJ, pure OTT-I services do not constitute communications services falling under any of the legal frameworks currently applicable (see blog post of 20 June 2019). This will change when the EECC is implemented and the ePrivacy Regulation enters into force. A regulatory level playing field will then exist, covering both conventional and modern (Over-the-Top) communications services.
Messengers that are integrated into another service as an ancillary feature will also fall within the scope of the ePrivacy Regulation (see Article 4(2) of the draft published by the Finnish presidency of the Council on 4 October 2019). Facebook’s Messenger, for example, is thus likely to fall within the scope of the ePrivacy Regulation in the future.
Disputes around M2M communication
In the course of the legislative process to date, the explicit inclusion of M2M communication has repeatedly been a matter of contention between the parties involved. While the Commission’s draft made it clear that M2M communication should fall within the scope of the ePrivacy Regulation, the European Parliament deleted the relevant section from its own draft entirely.
The draft ePrivacy Regulation (as at 4 October 2019) makes a distinction between different types of M2M communication. Transmission services used to provide M2M services are covered by the ePrivacy Regulation; in contrast, M2M communication services located at the application level would not be subject to the ePrivacy Regulation.
Applicability of the ePrivacy Regulation to providers of services in the EU
The marketplace principle (Article 3) applies to the ePrivacy Regulation, as is the case with the GDPR. This is of particular relevance for companies that do not have a branch in the EU. Under the marketplace principle, the ePrivacy Regulation applies to any company providing electronic communications services in the EU. In line with the interpretation of the GDPR, this would be the case if a product is obviously intended for users in the EU. The mere accessibility of a website or contact option is not sufficient to trigger the marketplace principle. Entities not established in the EU must designate in writing a representative in the EU unless the activities covered by the Regulation are occasional and unlikely to result in a risk to the fundamental rights of end-users.
Strict interpretation of the marketplace principle would mean that the ePrivacy Regulation is even applicable if the service provider merely observes the behaviour of persons in the EU. This would be the case with web-tracking technologies in particular, such as cookies and social media plug-ins.
The current draft produced by the Finnish presidency of the Council confirms the marketplace principle.