On 10 January the Commission finally presented new rules on privacy in electronic communications, the last legislative proposal under the Digital Single Market Strategy ("DSM Strategy"). The DSM Strategy included the objective to increase trust in and the security of digital services. In that context, the Commission proposed a reform of the data protection framework across the EU, which materialized in the adoption of the General Data Protection Regulation ("GDPR").
Such an overhaul of the European data privacy rules created the urgent need to review the Directive 2002/58/EC ("ePrivacy Directive"), which addressed the matters of privacy protection specifically for users of electronic communications services. This has resulted in the decision of transforming the essence of the ePrivacy Directive into a new Regulation (here), “concerning the respect for private life and the protection of personal data in electronic communications”, and modernizing its previous content, while ensuring its consistency with the GDPR.
This new Regulation creates a regulatory level playing field between ‘traditional’ telecommunication services and new players such as platforms, location services and message service providers, extending the obligations of the former to the latter. These relate to several privacy-related issues, such as the notice and consent by end users, publicly available directories, unsolicited communications, confidentiality of communications, processing of electronic communications data and the time limits for their erasure.
The draft Regulation applies to the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to the protection of information related to the terminal equipment of end-users located in the EU. It is irrelevant if a payment of the end-user is required or not.
Where the provider of an electronic communications service is not established in the EU it will be mandatory for it to designate a representative in the EU, established in one of the Member States where the end users of such electronic communications services are located.
Any natural or legal person adversely affected by infringements of the Regulation and having a legitimate interest, including a provider of electronic communications services, shall have a right to bring legal proceedings in respect of such infringements.
In terms of penalties, the consequences for non-compliance may be heavy with fines of up to EUR 20 million or 4% of the total worldwide annual turnover.
The proposed Regulation starts now its full legislative procedure. Although most electronic communication providers and new market players where vocal against it, there is general political consensus both in the Council and in the EP about the need for this specific law. The Regulation may take at least a full year before it is approved by EP. But in any case, its entry into force has ben set to be coordinated with that of the GDPR in 2018.