The EU Data Protection Authorities welcome the expansion of the scope of the current e-Privacy Directive to include Over-The-Top (OTT) providers such as WhatsApp. The regulators also say that the EU Commission’s plan to introduce the new rules as a Regulation is the right choice of instrument.
However, the DPAs says that they are very concerned over the tracking of the location of terminal equipment; WiFi-tracking, under the General Data Protection Regulation (GDPR) is likely either to subject to consent, or may only be performed if the personal data collected is anonymised. Analysis of content and metadata should be prohibited without the consent of all end-users (senders and recipients). The regulators also say that operators should not be allowed to force consumers to consent to tracking if they want to have access to the service. They also say that terminal equipment and software must by default offer privacy protective settings.
The WP29 Plenary Meeting last week finalised guidelines on the Data Protection Impact Assessments (DPIAs) which will be open for public consultation for 6 weeks before their final adoption. The WP also adopted guidelines on data portability, data protection officers, and lead authority – these have been open for comment. The WP continued its work on the certification guidelines, and preparatory work for the European Data Protection Board, EDPB, with the aim of it being operational by 25 May 2018 when the GDPR enters into force.