One of the most frequent questions we get asked by clients is whether the e-Privacy Directive (2002/58/EC) applies on 'country of origin' or 'country of destination' basis. This is normally in the
One of the most frequent questions we get asked by clients is whether the e-Privacy Directive (2002/58/EC) applies on 'country of origin' or 'country of destination' basis. This is normally in the context of e-marketing: advertisers running a pan-European campaign naturally want to understand whether they have to comply with the national e-privacy rules:
(a) only of the Member State in which they are established (the 'country of origin' principle); or
(b) of every Member State where their e-marketing recipients are based (the 'country of destination' principle).
However, while most commonly raised in an e-marketing context, understanding when and how the e-Privacy Directive applies is also relevant to determining website operators' cookie 'consent' responsibilities. Do they have to comply with the (as yet to be determined) opt-in or opt-out rules of every Member State?
Why does this uncertainty exist?
Quite simply, this uncertainty exists because the e-Privacy Directive, unlike the Data Protection Directive (95/46/EC), does not have any provisions that expressly set out its geographical scope of application.
Article 1 of the e-Privacy Directive says only that: "This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community." Article 3 provides some further clarity, adding that the e-Privacy Directive applies "to the processing of personal data in connection with the provision of publicly available electronic communications services."
Both Article 1 and 3 indicate that, in order for the e-Privacy Directive to apply, there must be processing of personal data. Yet, interestingly, regulatory consensus is that processing of personal data is not necessary for the e-Privacy Directive's cookie 'consent' requirements to apply. The Article 29 Working Party said, in their Opinion on Online Behavioural Advertising, that "It is not a prerequisite for the application of this provision that this information is personal data within the meaning of Directive 95/46/EC". It's challenging to resolve this interpretation with the applicability criteria specified in Articles 1 and 3 - but, challenging or not, this is the position that Data Protection Authorities seem to be taking.
So when and how do e-privacy rules apply?
To return to the original question of whether the e-Privacy Directive applies on a 'country of origin' or a 'country of destination' basis, marketers and website operators might naturally feel that the 'country of origin' principle ought to apply. There is precedent for this in the e-Commerce Directive (2000/31/EC), which says that "Each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question" (Article 3(1)).
However, despite setting the principle that information society service regulation should generally be determined on a 'country of origin' basis in the EU, the e-Commerce Directive subsequently excludes data protection e-marketing rules from this principle.
Country of origin rules for e-marketing
The key clarification about the scope of the e-Privacy Directive can in fact be found in Article 1(2). This points out that the provisions of the e-Privacy Directive "particularise and complement" those of the Data Protection Directive.
Put another way, this means that the e-Privacy Directive can be thought of as a specialised subset of rules that fall under the overall privacy framework established by the Data Protection Directive. This is confirmed by Recital 10 of the e-Privacy Directive, which clarifies that the Data Protection Directive applies "to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this [e-Privacy] Directive, including the obligations on the controller and the rights of individuals".
So, in the absence of clear geographical applicability rules in the e-Privacy Directive itself, data controllers must instead look to the applicability rules of the Data Protection Directive. These are set in Article 4 of the Data Protection Directive and, for EU-based data controllers, make clear that data protection laws apply on a 'country of origin' basis. However, non-EU based data controllers are subject to the national laws of the territories in which they use 'equipment' - which potentially includes devices where cookies are served to collect data - and so need to review local EU law risk carefully.
What this means and why it matters
It is a commonly-held misconception that data protection e-marketing rules apply to EU businesses on a 'country of destination', not a 'country of origin' basis. The consequence of this is that marketers often expend excessive legal budget taking legal advice across multiple EU member states in respect of the pan-European campaigns they want to conduct. Naturally, there will be local laws that apply (e.g. local consumer protection laws, advertising standards rules, and gaming laws), but data protection advice will need normally only to be sought from the from the EU territory in which the marketer is based. A proper understanding of the geographical scope of application of the e-Privacy Directive therefore has the potential to substantially reduce marketing budgets.
The same ought to be true for cookies. That is to say, a website operator established in one EU member state should have to comply with the cookie 'consent' requirements of that Member State only - not those of other Member States. However, the advantages of the 'country of origin' are lost where the operator is established outside the European Union, because in that case, the national data protection authorities will argue very strongly that where 'equipment' in used in their jurisdictions, each of their local laws will most definitely apply.
(a) only of the Member State in which they are established (the 'country of origin' principle); or
(b) of every Member State where their e-marketing recipients are based (the 'country of destination' principle).
However, while most commonly raised in an e-marketing context, understanding when and how the e-Privacy Directive applies is also relevant to determining website operators' cookie 'consent' responsibilities. Do they have to comply with the (as yet to be determined) opt-in or opt-out rules of every Member State?
Why does this uncertainty exist?
Quite simply, this uncertainty exists because the e-Privacy Directive, unlike the Data Protection Directive (95/46/EC), does not have any provisions that expressly set out its geographical scope of application.
Article 1 of the e-Privacy Directive says only that: "This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community." Article 3 provides some further clarity, adding that the e-Privacy Directive applies "to the processing of personal data in connection with the provision of publicly available electronic communications services."
Both Article 1 and 3 indicate that, in order for the e-Privacy Directive to apply, there must be processing of personal data. Yet, interestingly, regulatory consensus is that processing of personal data is not necessary for the e-Privacy Directive's cookie 'consent' requirements to apply. The Article 29 Working Party said, in their Opinion on Online Behavioural Advertising, that "It is not a prerequisite for the application of this provision that this information is personal data within the meaning of Directive 95/46/EC". It's challenging to resolve this interpretation with the applicability criteria specified in Articles 1 and 3 - but, challenging or not, this is the position that Data Protection Authorities seem to be taking.
So when and how do e-privacy rules apply?
To return to the original question of whether the e-Privacy Directive applies on a 'country of origin' or a 'country of destination' basis, marketers and website operators might naturally feel that the 'country of origin' principle ought to apply. There is precedent for this in the e-Commerce Directive (2000/31/EC), which says that "Each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question" (Article 3(1)).
However, despite setting the principle that information society service regulation should generally be determined on a 'country of origin' basis in the EU, the e-Commerce Directive subsequently excludes data protection e-marketing rules from this principle.
Country of origin rules for e-marketing
The key clarification about the scope of the e-Privacy Directive can in fact be found in Article 1(2). This points out that the provisions of the e-Privacy Directive "particularise and complement" those of the Data Protection Directive.
Put another way, this means that the e-Privacy Directive can be thought of as a specialised subset of rules that fall under the overall privacy framework established by the Data Protection Directive. This is confirmed by Recital 10 of the e-Privacy Directive, which clarifies that the Data Protection Directive applies "to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this [e-Privacy] Directive, including the obligations on the controller and the rights of individuals".
So, in the absence of clear geographical applicability rules in the e-Privacy Directive itself, data controllers must instead look to the applicability rules of the Data Protection Directive. These are set in Article 4 of the Data Protection Directive and, for EU-based data controllers, make clear that data protection laws apply on a 'country of origin' basis. However, non-EU based data controllers are subject to the national laws of the territories in which they use 'equipment' - which potentially includes devices where cookies are served to collect data - and so need to review local EU law risk carefully.
What this means and why it matters
It is a commonly-held misconception that data protection e-marketing rules apply to EU businesses on a 'country of destination', not a 'country of origin' basis. The consequence of this is that marketers often expend excessive legal budget taking legal advice across multiple EU member states in respect of the pan-European campaigns they want to conduct. Naturally, there will be local laws that apply (e.g. local consumer protection laws, advertising standards rules, and gaming laws), but data protection advice will need normally only to be sought from the from the EU territory in which the marketer is based. A proper understanding of the geographical scope of application of the e-Privacy Directive therefore has the potential to substantially reduce marketing budgets.
The same ought to be true for cookies. That is to say, a website operator established in one EU member state should have to comply with the cookie 'consent' requirements of that Member State only - not those of other Member States. However, the advantages of the 'country of origin' are lost where the operator is established outside the European Union, because in that case, the national data protection authorities will argue very strongly that where 'equipment' in used in their jurisdictions, each of their local laws will most definitely apply.