The European Commission has released its proposal for a new EU e-Privacy Regulation that will replace the existing e-Privacy Directive. The high level aim of the draft e-Privacy Regulation is to harmonise the specific privacy framework relating to electronic communications within the EU and ensure consistency with the GDPR. Compared to the existing Directive, the draft e-Privacy Regulation has broader territorial reach and applies generally to the provision of electronic communications services to end users in the EU and to the use of such services. It is also concerned with the protection of information related to the devices of end users located in the EU.

In this particular respect, the draft e-Privacy Regulation introduces revised and complex rules affecting end users’ terminal equipment and how data is collected in that context. Our high level assessment of the notice and consent requirements affecting various data activities involving users’ devices can be found here.

The consequences for non-compliance follow a two-tier approach as follows:

  • Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories and unsolicited communications may be punished with fines of up to EUR 10 million or 2% of the total worldwide annual turnover, whichever is higher.
  • Breaches of the rules regarding the confidentiality of communications, permitted processing of electronic communications data and the time limits for erasure of data may be punished with fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher.

This is the beginning of the formal legislative process and now the draft is in the hands of the European Parliament and the Council of the EU.

Sam Choi, a trainee solicitor in our London office, contributed to this entry.