The ePrivacy Regulation is the next piece of legislation at EU level in the field of personal data protection after the GDPR. The new rules will apply to providers of electronic communications services, publicly available lists, electronic communications software, and also to natural and legal persons who use user-related information to send marketing messages. The legislative process is currently being completed, and the Regulation could take effect in the second half of 2021. Under this new Regulation, it will be possible to impose fines of up to EUR20 million or 4% of worldwide turnover.
The ePrivacy Regulation aims to increase user security, confidentiality of communication and metadata, to define clearer rules for technologies such as cookies, and also to control spam. In practice, for example, it will be a matter of adjusting data anonymization, rules for the use of metadata, or access to information on end-user devices. Specifically, it will be, for example, adjusting the confidentiality of written communication on WhatsApp or video calls on the Zoom or Skype platforms, location records, call durations or pages visited. The ePrivacy Regulation also significantly affects the sending of commercial communications via electronic communication tools. The result should be a similar level of protection for electronic communications, which is now enjoyed by users of "traditional" communication tools (ie letters or telephone calls).
Data processing of electronic communications
The ePrivacy Regulation prohibits interference with electronic communications data. Such an intervention is, for example, wiretapping (there are, however, some exceptions to this, eg for the secret services) or any other type of interception, surveillance, or processing of electronic communications data. Providers may process electronic communications data in situations where this is necessary for the transmission of communications, the maintenance or restoration of security of services, or the detection of technical defects. The processing of the content of electronic communications is possible only with the consent of the user, for example, to use a specific service, which cannot be provided without it. The new rules similarly regulate the processing of electronic communications metadata. Examples of metadata include the abovementioned dialled numbers, visited websites, the geographical location, or the date, time, and duration of the user's call.
Protection of information on users' devices
Rules are also set for the use of information stored on users' end devices, such data can be thought of as data stored on mobile phones and computers. Specific reasons are set out for access to the device. Consent will be required, or access must be necessary to carry out the transmission of electronic communications or to provide service to an information society, or to measure website traffic.
Although all the practical implications of the ePrivacy Regulation for electronic communications, such as obtaining consent and similar necessary steps, may not yet be fully known, in some areas the practice seems clearer. For example, in the area of consenting to cookies, it can be expected that under the new ePrivacy Regulation it will be possible to agree to certain types of cookies by "enabling" one or more websites through browser settings. This provision should prevent users from being overwhelmed by pop-up banners.
Infringements may be subject to fines of up to EUR10 million or 2% of the group's annual worldwide turnover if the rules for processing electronic communications data or sending commercial communications are infringed. In the event of a breach of the rules on cookies, the protection of the confidentiality of electronic communications, or non-compliance with corrective action, a fine of up to EUR20 million or 4% of the group's annual worldwide turnover can be imposed.
The ePrivacy Regulation will not be the first piece of legislation in this area at EU level, it will replace the hitherto effective Directive 2002/58 / EC on privacy and electronic communications. This Regulation is partially transposed into Czech law by Act No. 127/2005 Coll., on electronic communications. However, it should be noted that this directive has not been properly transposed, although the deadline for transposition expired in December 2020. The proposal to complete the transposition of the directive was discussed by the Chamber of Deputies in May 2021. Although the current wording is not final, no major changes are expected and the adjustments should be rather minor.