On 10 January 2017 the European Commission issued its proposal of ePrivacy Regulation ("ePrivacy Regulation"), laying down rules for the protection of privacy and personal data within the context of electronic communications services. These are services provided via electronic communications networks and used to obtain internet access, to have interpersonal communications or to convey signals for the purposes of broadcasting or machine-to-machine transmission.

This article summarizes the most remarkable points of the current proposal, which touch upon such important issues as confidentiality of electronic communications, use of cookies, and direct marketing.

  • Increased harmonization: ePrivacy Regulation will replace the current ePrivacy Directive (Directive 2002/58/EC). Moving from a directive to a regulation naturally increases harmonization, for regulations are not subject to implementation through (never equal) national laws, but directly applicable across the Union. In any case, some differences will probably remain due to likely varying interpretations by national Courts and to the allowed national derogatory regimes.
  • Over-the-top (OTT) players: internet-based services such as WhatsApp, Facebook Messenger or Skype will come under the purview of the ePrivacy Regulation, because the regulation will use the definition of electronic communications services from the coming European Electronic Communications Code. As we explained in a previous post, Electronic Communications Code will include OTT communications services – voice and video calling, text messaging and email – within the concept of electronic communications services. Scope of application of the ePrivacy Regulation will in that way be broader than that of the ePrivacy Directive, which does not apply to OTT communications services.
  • Alignment with General Data Protection Regulation ("GDPR"): being lex specialis to GDPR as for electronic communications data that qualify as personal data, ePrivacy Regulation shares with GDPR several commonalities. One example is the intention to entrust enforcement of ePrivacy Regulation to the same authorities which are responsible for GDPR. Also, the two instruments have similar approach with respect to penalties, by setting the maximum fine at EUR 20 million or 4% of the infringer's worldwide turnover.
  • Territorial scope: As it happens with GDPR, the territorial scope of the new law will reach business outside the Union, provided that they render electronic communications services to end-users in any of the Member States.
  • Confidentiality of communications: like the existing ePrivacy Directive, the proposed regulation sets rules to protect the confidentiality of communications. It states that processing of the content (i.e. text, voice, videos, images and sounds) and/or metadata (i.e. date, time, and duration of communication, location of the parties involved, etc.) of electronic communications must only be permitted under very limited circumstances, such as when end-user consents, when processing is necessary to achieve the transmission, or when security reasons justify the processing. Once the transmission has been completed and the purposes of the authorized processing fulfilled, the service provider should erase or make the electronic communications data anonymous.
  • Cookies - rules for web browsers: the proposed text contains rules for web browsers, demanding that their privacy settings offer the user the possibility to choose preventing cookies as a default option. The idea is to make the internet experience more user-friendly, by eliminating the current overload of consent pop-ups. This measure would not affect non-privacy intrusive cookies for which consent is not required, such as those necessary to carry out the transmission, to provide a service requested by the user, or for web audience measuring.
  • Direct marketing: as it happens under the current ePrivacy Directive, the sending of direct marketing communications would require the recipient's consent, unless the messages are sent via e-mail and refer to products or services similar to others previously acquired from the sender. In the latter case, the recipient should be given the opportunity to object, both at the time of the initial sale of services/products and each time he receives a communication. A novelty likely to be welcomed by the general public has to do with marketing calls. Unless something changes in the text finally approved, marketing callers will need to display their number or use a special pre-fix indicating the (marketing) nature of the call, so people are aware of the type of call they are receiving before picking up the phone.
  • Stricter notion of consent: ePrivacy Regulation intends to use the notion of consent brought by GDPR. Consequently, valid consent to process electronic communications data, to use cookies, or to carry out direct marketing would require an affirmative action – a statement or conduct which leaves no doubt about the users' acceptance. Silence, pre-ticked boxes, or inactivity would not be sufficient.

Although the Commission is committed to make ePrivacy Regulation apply from 25 May 2018 (same date as GDPR), not everyone shares its optimism. The final text still needs to be negotiated with the European Parliament and the Council of Ministers in a process that, as the example of GDPR showed, may takes years.