If you live in Europe you might have noticed a message appearing recently on your Messenger and Instagram accounts announcing that some features are not available in order to ‘respect new rules for messaging services in Europe.’ The ‘new rules’ are the updated privacy restrictions and the features which seem (or seemed) to be missing are: stories, nicknames and personalized replies on Messenger, running polls on group chats on both Messenger and Instagram and lack of augmented reality filters in direct messages on Instagram. There may be more features missing as Facebook hasn’t published the list of the features suspended.
Furthermore, the changes have impacted also the businesses wishing to advertise their products and services on Messenger and Instagram in Europe. Among the products that are (or were) unavailable there are, sponsored messages and lead generation features for ads that click to Messenger. See this Facebook Business Help Centre article for more information.
Who is affected?
According to Facebook for Developers, ‘all of the 30 European Economic Area (EEA) countries, which includes the 27 EU member states, Norway, Iceland, Liechtenstein and the UK’ are affected. It seems unclear if, after the end of the transition period on 31 December 2020, Facebook decided to continue to apply the new rules also to the UK. As the UK ceased to be a member of the EEA and/or treated like its member, the EU law stopped applying to the UK.
In any case, the changes affect both, the users located in these countries and those who advertise to Facebook users located in any of these countries.
Ok, it’s all about privacy. But is it the famous GDPR or what?
No, this time the GDPR (the General Data Privacy Regulation n. 2016/679) is not directly involved.
On 20 December 2020 Facebook announced that ‘starting today, the data privacy and security protections in the 2002 Privacy and Electronic Communications Directive (ePrivacy Directive) will apply to more communications services across the EU. The laws implementing the ePrivacy Directive will apply to messaging and calling services and limit the ways companies can use messaging and calling data’. It seems, therefore, it’s all fault of the ePrivacy Directive. That is, however, an understatement.
The ePrivacy Directive or, precisely, ‘Directive 2002/58/EC’ was introduced in 2002 and, as such, it definitely isn’t new. The goal of that Directive is to regulate the obligations of the electronic communications service providers regarding ‘appropriate technical and organisational measures to safeguard the security of its services’ (Article 4.1). The thing is the definition of the ‘electronic communications services’, until the last month, did not include the communicators such as Messenger and Instagram (see the next subtitle).
As for the relation between the GDPR and the ePrivacy Directive, the ePrivacy Directive complements the GDPR as lex specialis. Therefore, for the matters specifically governed by the ePrivacy Directive, it should apply instead of the GDPR. In all other cases regarding the processing of personal data, the law applicable will be the GDPR. You may have noticed also that the GDPR is a REGULATION, which means it is immediately a law, directly applicable and binding upon all citizens of the EU. On the other hand, the ePrivacy Directive is a DIRECTIVE, which means it is not a law for the citizens but it obliges the Member States of the EU to transpose the directive’s provisions to national laws. For the record, the ePrivacy REGULATION is being discussed but has not yet been enacted.
So, what has actually happened that the ePrivacy Directive forced Facebook (and not only) to disable certain functions only now?
Well, another Directive establishing the European Electronic Communications Code (EECC) happened. Let me explain because it gets a little bit complicated here.
Previously, the ePrivacy Directive applied to those service providers who provided rather traditional electronic communications services. The term ‘electronic communications service’ is defined in Article 2(c) of the Framework Directive as follows: ‘”‘electronic communications service” means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, 101 which do not consist wholly or mainly in the conveyance of signals on electronic communications networks’.
As a consequence, the e‐Privacy Directive applied to providers of e‐communication services such as telecommunications operators and Internet service providers: but those providing access to the Internet and not those providing a web-based content, ‘because they do not consist wholly or mainly in the conveyance of signals on electronic communications networks’ (see Recital 10 of the Framework Directive). All these definitions may sound confusing so let’s think of examples. And so CJEU determined that the “electronic communication services” include, for example, the SkypeOut service as Skype had entered into agreements with telecommunication providers to deliver calls to telephones. On the other hand, CJEU has excluded the emailing services rendered by Google (Gmail) as e-communication services. Precisely, according to CJEU ‘Article 2(c) of the Framework Directive must be interpreted as meaning that a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an ‘electronic communications service’ within the meaning of that provision’.
To put it simply, the ePrivacy Directive applied only to those providers who ensured the functioning of communication tools, the conveyance of the signals: telephone providers who enable us making calls and sending SMSs and the companies providing us with the Internet, selling us gigabytes. On the other hand, all the platforms working thanks to the providers of the Internet, even if used to communicate (such as Gmail, Messenger, Instagram etc.) were not included in the scope of the ePrivacy Directive.
However, that definition has changed recently and to ‘blame’ is the Directive 2018/1972/EC establishing the European Electronic Communications Code that had to be implemented by the Members of European Economic Area (the countries referred to in the second subtitle) until 21 December 2020. That Directive has broadened the definition of the electronic communication services, substituting the one in the Framework Directive (and, therefore, broadening the applicability of the ePrivacy Directive) in a way they will apply also to email, Internet phone calls, instant messaging applications and personal messaging provided through social media: collectively, over-the-top (or ‘OTT’) services.
For those interested in more details regarding the connection between the ePrivacy Directive and the EECC, the latter substitutes the EU telecoms/electronic communications directives referred to in the ePrivacy Directive (Article 2). In particular, Article 125 and Annex XII of the EECC Directive set forth that those directives, including the Framework Directive, are repealed and references to the repealed directives shall be construed as references to the EECC Directive. In this way, the new definition of electronic communication services applies also to the ePrivacy Directive. Accordingly, it must be complied with also by Facebook when managing Messenger and Instagram.
How is the ePrivacy Directive stricter than the GDPR and how will it influence the OTTs?
First of all, the ePrivacy Directive contains confidentiality obligations regarding all communications. Article 5 of the Directive prohibits listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users without the consent of the users concerned. Therefore, all the services that use messages and calls scanning, for example, to show personalized advertising, are prohibited (unless the users give their consent for such activities).
Furthermore, the above provision mentions also traffic data, that is, for example, data referring to the routing, duration, time or volume of communication, to the protocol used, to the location of the terminal equipment of the sender or recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection, etc. The above does not apply to any automatic, intermediate and transient storage of this information in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network. Therefore, the traffic data may be stored for example for the billing purposes but, unless agreed upon by the user, may not be disclosed to any third parties. Which means the end of selling/using such data for ads targeting by Facebook, unless the users will be willing to give their consent for such a disclosure.
Articles 6 and 9 of the ePrivacy Directive introduce further limitations on the use of traffic and location data such as obligations of erasure and anonymisation.
Balancing of the goods protected: privacy and child abuse detection.
The new law has also certain downsides: it prevents the voluntary reporting of online images of child abuse by the affected providers of electronic communication services.
Indeed, Facebook stated that ‘the ePrivacy Directive also prohibits messaging and calling services from using data to prevent, detect and respond to child abuse material and other forms of harm. The European Commission and child safety experts have said that the directive does not provide a legal basis for these tools. The safety of our community is paramount, and we are advocating for changes that will allow us to resume our efforts to identify this type of material.’
According to Euronews, the European Commission is calling to suspend part of a new privacy directive for five years after determining it could impact negatively on detecting child abuse.
Indeed, the Regulation suspending the confidentiality obligations for child abuse detection was proposed on 12 September 2020. However, on 10 November 2020, the European Data Protection Supervisor (EDPS) has released an opinion on the European Commission’s proposal, recommending EU institutions not to adopt the proposal, even in the form of a temporary derogation, as it could set a dangerous precedent. According to EDPS, the proposed measures would ‘constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications.’
Consequently, the regulation proposed has not yet been enacted. And considering the concerns of the EDPS and the members of the European Parliament, it’s difficult to expect it will be enacted soon.
Was Facebook really forced by the EU to disable the features on Messenger and Instagram mentioned above?
It seems in reference to at least some of the features disabled – it wasn’t. In any case, Facebook surely had time to figure out how to make these features work in compliance with the new rules. One may suppose, therefore, the recent actions are more about turning the users (and, what may be more important for Facebook, the businesses using Facebook ads) against the changes introduced by the EU to protect its citizens’ privacy than about the willingness to comply with the law. Maybe it’s time for Facebook to start worrying, instead, if it’s not turning the users against itself. The consciousness of the European citizens regarding their privacy rights has increased and they appreciate less and less the processing and selling of their data by foreign companies.