On 10 January last the European Commission presented a proposal for a Regulation (hereafter, the “Regulation”) concerning the processing of personal data and the protection of private life in the electronic communications, and aimed at repealing Directive 2002/58/EC (hereafter, “ePrivacy Directive”).

This proposal for a Regulation updates the legislation currently in force, providing better protection of confidentiality in electronic communications – including through alignment of legislation with the new world-class standard provided for in the recent EU’s General Data Protection Regulation (GDPR) – and consequently contributing to create new useful tools to facilitate international data exchanges in the digital economy, and therefore to the development of the digital single market.

The main innovations:

1. Material scope

The current rules only apply to the processing carried out by “traditional” telecoms operators: “(…) the processing of personal data in connection with the provision of publicly accessible electronic communication services on public communications networks, including public communications networks supporting data collection and identification devices” (art. 121 Legislative Decree no. 196/2003).

The proposal for a Regulation has extended the scope of these rules also to the processing of electronic communication data carried out in connection with the “provision and the use of electronic communications services and to information related to the terminal equipment of end-users” (art. 2, proposed Regulation): i.e. to the processing connected to the exchanging of e-mail and online messages, including the new electronic communications services (such as, WhatsApp, Facebook Messenger, Skype, Gmail, Viber).

2. Harmonisation

The choice of a regulation as the legislative instrument (directly applicable in all EU Member States) meets the need to obtain a uniform application of rules at EU level, avoiding the fragmentation of the internal market due to the divergent  national implementing legislations.

3. New protection and simplification measures

Under this new EU law, both the content and metadata derived from electronic communications (e.g. the websites visited, the numbers called, the time and date when an individual made a call etc.) will need to be anonymized or deleted if users have not given their consent, unless the data are required for special purposes (art. 6, proposed Regulation).

In addition, the proposed Regulation also seeks to:

  • a simplification of the “consent” rules for the use of cookies and other identifiers when they are not intrusive but aim improving user navigation;
  • more control over spam: the proposed Regulation bans, regardless of the technology used, any unsolicited electronic communication without prior consent by end-users. Members State may opt for a solution that gives consumers the right to object to the reception of marketing calls.

4. Jurisdiction

National data protection Authorities will be responsible for any breaches of this Regulation.

5. Penalties

The proposed Regulation provides a similar penalties system to that of GDPR, in structure and philosophy: penalties for the breaches of new rules - in order to be effective, proportional and dissuasive - are as follows:

  • Up to Euro 10.000.000 or up to 2% of the total worldwide annual turnover, whichever is higher, in case of breach of rules regarding notice and consent (art. 8, proposed Regulation), default privacy settings (art. 10, proposed Regulation), publicly available directories (art. 15, proposed Regulation) and unsolicited communications (art. 16, proposed Regulation), or
  • Up to Euro 20.000.000 or up to 4% of the total worldwide annual turnover, whichever is higher, in case of breach of rules regarding the confidentiality of communications (art. 5, proposed Regulation), permitted processing of electronic communications data (art. 6, proposed Regulation) and in breach of the terms of storage and erasure of electronic communications data (art. 7, proposed Regulation).

Finally, it should be pointed out that the European Commission would like to adopt the new Regulation no later than 25 May 2018 that is when the General Data Protection Regulation will enter into application, so that citizens and businesses may have a complete legal framework for privacy and data protection in Europe by this date.