In our article, we provide our views on the key takeaways of the e-Privacy Regulation. Further, we will point out specific aspects of the new legislation and their impact in the countries of Emerging Europe and Central Asia: Bulgaria, Czech Republic, Hungary, Kazakhstan, Romania, Serbia, Slovakia, Turkey and Ukraine.

In January 2017 the EU published the draft e-Privacy Regulation[1] intended to replace the current e-Privacy Directive[2]. While data protection rules do set a regime for the personal data management, the e-Privacy rules focus on specific duties in connection with electronic communications services. The new rules will apply throughout EU as of 25 May 2018.

We, at Kinstellar, have singled out the following key takeaways of the new rules:

1. United rules. One single set of the e-Privacy rules will apply across the EU as the legislation will be adopted in the form of a regulation (rather than a directive). Less country-specific differences can be expected which can help reduce the compliance costs and complexity.

2. Technology & Telecom providers. Unlike the former e-Privacy Directive, the new e-Privacy Regulation will apply to both the telecommunications services providers (e.g. telecoms and broadcasting networks), as well as to the new players providing electronic communications services, such as: WhatsApp, Facebook Messenger and Skype. This is a logical step by the EU, considering the entry of the new technology players.

3. Extra-territorial effect. Privacy rules will apply to entities anywhere in the world when they provide publicly available electronic communications services to, or gather data from the devices of, end users located in the EU. Companies outside the EU will be equally requested to comply with the new rules.

4. EU representative. The extra-territorial effect will not be toothless: if the provider of an electronic communications service is not established in the EU, it shall designate its representative in one EU state. Most likely, this will be done via establishing a branch office within the EU or contracting a third party provider. Such a representative shall have the power to answer questions and provide information in addition to, or in place of, the provider it represents.

5. Fewer regulations on Cookies. The cookie consent provision, which has resulted in an overload of consent requests for internet users, will be simplified. Cookies used for ensuring proper functioning of websites will no longer require consent of end-user. Cookies used for tracking purposes / marketing will still require consent; however, it does not need to be explicit. In particular, the browser settings shall provide an easy way to accept or refuse tracking cookies.

6. Protection of meta-data. The e-Privacy Regulation not only protects the confidentiality of electronic communications, but also the privacy of the so-called ‘meta data’, i.e. information pertaining to the length, addressees and time of the communication. Metadata has a high privacy component and is to be anonymised or deleted if users did not give their consent, unless the data is needed for billing, for example.

7. Direct Marketing. General rules do not change much as both spam and direct marketing communications require prior consent, subject to certain legal exceptions. However, the e-Privacy Regulation also introduces several novelties in this area of electronic communications. Under the first option, a Member State may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, e.g. by registering on a do-not-call list. As a second option, the marketing callers will need to display their phone number, or use a special prefix number that indicates a marketing call. The monitoring of further legislative developments in respective EU countries remains therefore important.