The European Commission has opened a Public Consultation on the Evaluation and Review of the ePrivacy Directive as well as the possible changes to the existing legal framework to make sure it is up to date with the new challenges of the digital area. The questionnaire contains several questions related to the interplay between the e-Privacy Directive and the future GDPR and this is a very important consultation to have your say.

In our previous article we referred to the Digital Single Market strategy, (adopted on 6 May 2015) and the three priority areas to be tackled by the end of 2016. At the same time the Digital Single Market (DSM) Strategy was adopted the Commission announced that, following the adoption of the General Data Protection Regulation, the ePrivacy rules would also be reviewed and such a review should focus on ensuring a high level of protection for data subjects and a level playing field for all market players.

Why is the review important?

The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) concerns the protection of privacy and personal data in the electronic communication sector. The Communication on a Digital Single Market Strategy for Europe (COM(2015) 192 final) of 6 May 2015 (DSM Communication) sets out that once the new EU rules on data protection are adopted, the ensuing review of the e-Privacy Directive should focus on ensuring a high level of protection for data subjects and a level playing field for all market players.

Review of the ePrivacy Directive is one of the key initiatives aimed at reinforcing trust and security in digital services in the EU. There is a focus on ensuring a high level of protection for citizens and a level playing field for all market players.

The Commission will use the feedback from the consultation to prepare a new legislative proposal on ePrivacy, which is expected by the end of 2016.

How will the review work?

The review will be preceded by a Regulatory Fitness and Performance Programme (REFIT), which aims at evaluating the performances of the current legislation against criteria such as efficiency, effectiveness and EU added value.
The Commission is now consulting stakeholders to gather input on the evaluation process and to seek views on the possible changes to the current ePrivacy Directive.

Given that the e-Privacy Directive particularises and complements the Data Protection Directive 95/46/EC that will be replaced by the General Data Protection Regulation (GDPR), the questionnaire contains several questions related to the interplay between the e-Privacy Directive and the future GDPR.

How long will the Consultation remain open?

12 weeks. The Consultation opened on 11 April 2016 and closes on 5 July 2016.

Responses can be submitted online and is available in 3 languages (French, English and German)

Who should respond?

  • Citizens
  • Consumer associations or user associations
  • Civil society organisations
  • Businesses (e.g. electronic communications network provider; provider of electronic communication services; internet content providers; companies from security or other interested sectors)
  • Industrial associations
  • Public authorities
  • Research and academia

How will your response be considered?

The Commission will summarise the results of the consultation in a report, which will be made publicly available on the website of the Directorate General for Communications Networks, Content and Technology. The results will feed into a Staff Working Document describing the Commission findings on the overall REFIT evaluation of the e-Privacy Directive.

For further background information see: https://ec.europa.eu

Concluding remarks

One aspect that observers may be keen to follow in the consultation, is whether the EU will seek to align penalties for breach of e-Privacy rules with penalties the proposed new General Data Protection Regulation, under which data protection authorities would have power to fine organisations fine organisations up to 4% of annual global turnover/ £20m Euro. If so, it will be particularly interesting to see precisely where on the scale of seriousness, unsolicited direct marketing will be considered to lie, and whether there will be a mechanism to seek more consistency across the EU. The ICO recently fined an organisation £175,000 for a breach of the direct marketing provisions of the e-Privacy Regulations. By contrast, in Ireland two companies were ordered to pay sums of money to charity in lieu of convictions after they were prosecuted for email marketing offences. Whilst not necessarily comparative on the facts, it will be interesting to see how this review will ultimately impact the current enforcement approaches of individual data protection authorities.