EU Member States have reached an agreement on the negotiating mandate for the draft ePrivacy Regulation (ePR). The ePR will repeal and replace the ePrivacy Directive (ePD) and all member state laws that implement it. The ePD is implemented in Ireland via the Irish e-Privacy Regulations. The ePR will update existing rules on the protection of privacy and confidentiality in the use of electronic communication services.

Why the change?

The current ePD (2002/58/EC) came into effect in July 2002 to protect the privacy of and provide for secure electronic communications, specifically with regard to rules for tracking and monitoring of communications. When the ePD was implemented it was known as 'the cookie law' as it prompted organisations to introduce cookie policies and consent mechanisms that prevented end-users from accessing websites unless they accepted cookies.

The ePR was proposed by the European Commission in January 2017 and was intended to take effect alongside the GDPR on 25 May 2018. The ePR will complement the GDPR’s general rules on personal data processing by providing specific rules governing electronic communications. From the date that the GDPR took effect on 25 May 2018, references in the ePD to the repealed Data Protection Directive (95/46/EC) are to be construed as references to the GDPR. Therefore, where consent is required under the ePD, that consent must meet the GDPR's standard of consent. This means that it must be a freely given, specific, informed, unambiguous indication of the end-user's agreement to the processing of their personal data, which is communicated through a statement or clear affirmative action. Consent through inaction (including by pre-ticked boxes) is therefore not valid consent under the ePD or the GDPR.

There have been significant delays in agreeing the revised text. This recent agreement on the negotiating mandate has been long awaited to allow negotiations on the final draft to progress. The updates are required to address confidentiality in modern day technological developments including voice over IP ("VoIP"); web-based email and messaging services; machine-to-machine communications; communication between individuals on publicly accessible networks (e.g. public hotspots/WiFi); and new techniques for tracking an individual's online behaviour.

What are the main changes brought about by the ePR?

The purpose of the ePR is to ensure that, as a general rule, electronic communications data are confidential. The ePR will expand the ePD’s scope to cover the newer technologies mentioned above, such as instant messaging apps and VoIP platforms, and the Internet of Things.

Key provisions in the agreed text:

  • Interference, such as listening, monitoring and processing of data by humans or machines without consent of the communicating parties will be prohibited, except in circumstances such as:
    • ensuring integrity of communications services
    • identifying malware/viruses
    • where the service provider is bound by domestic or EU law for prosecution of criminal offences or prevention of threats to public security.

It is worth noting that such interference may occur where third parties monitor websites visited, timing of the visits and interaction without the consent of the end-user.

  • Public hotspots and WiFi must ensure the confidentiality of electronic communications transmitted via publicly available services/networks.
  • Users must be given a genuine choice to accept cookies or other similar identifiers. To avoid cookie consent fatigue, an end-user can give consent by whitelisting one or several providers in their browser settings.
  • Metadata related to communications (e.g. location, time, date, duration) must also be kept confidential. However, with consent, metadata may be used to display, for example, traffic movement to help public authorities and transport providers develop infrastructure or monitor the spread of epidemics.
  • Machine-to-machine data transmitted via a public network must be kept confidential.
  • The collection of information from end-users terminal equipment, including hardware and software, is only permitted with end-user consent.

The proposed text of the ePR has a broad territorial scope. The rules will apply when end-users are in the EU, even if the processing takes place outside the EU or the service provider is established or located outside the EU. In addition, many ePR provisions will apply to both natural and legal persons. In contrast, the GDPR does not apply to personal data concerning legal persons.

Fines for non-compliance

The ePR carries the same penalty regime as the GDPR, with maximum fines of €20 million or 4% of a non-compliant organisation’s global annual turnover, whichever is greater. End-users who suffer “material or non-material damage” as a result of infringement of the ePR also have the right to receive compensation from the infringer. The Data Protection Commission will be responsible for enforcing the ePR in Ireland.

Next steps

  • The agreed text will form the basis of the Council’s negotiations with the European Parliament on the final terms of the ePR.
  • The Council will begin these negotiations. Once adopted by the Council and the European Parliament, the draft text provides for a transition period of two years, starting from twenty days after the final text of the ePR is published in the EU Official Journal.

While organisations should be aware of changes they may need to make to their business operations to comply with the ePR, it is important to remember the draft ePR is subject to change before the final version is agreed.