2018 saw the biggest change in European privacy law in over 25 years with the implementation of the General Data Protection Regulation (the GDPR) in May. While organisations have been busy implementing the various changes the GDPR brought about, the European Union has been negotiating the text of the ePrivacy Regulation (the Regulation).
The Regulation will complement the GDPR where the electronic communication contains personal data. More significantly, it will replace the existing ePrivacy Directive and update the rules on the processing of electronic communications, cookies and unsolicited direct marketing.
The current draft of the Regulation proposes a number of important changes to the existing law in this area.
Key Changes under the current draft of the Regulation
The existing ePrivacy Directive and the Irish ePrivacy Regulations of 2011 (which implement the 2002 Directive in Ireland) apply to traditional means of communication, for example mobile or landline telephone calls, SMS text messages and e-mails. Given that the communications landscape has evolved significantly, the definition of communications services has been updated so that it includes messaging services, web-based email services and voice over IP.
2. Direct Marketing
The Regulation provides that as a general rule you cannot use electronic communications services to send direct marketing to a natural person unless they have given their consent.
However, where you obtain a natural person’s contact details for an electronic message in the sale of a product or service you can use those details for direct marketing of your own similar products or services only if that person was given an opportunity to object (opt out) to such use. The right to object must be given at the time you collect the details and each time you send a direct marketing message.
The Regulation allows member states to set a time period, after the sale of the product or service occurred, within which you may use the person’s details for direct marketing.
The Regulation also provides that member states may allow direct marketing by voice-to-voice calls to persons who have not objected to (opted out of) receiving those communications. The Regulation leaves member states free to set the rules in respect of direct marketing to legal persons but requires that such legal persons’ legitimate interests are sufficiently protected.
While the Regulation does, to the relief of many businesses, maintain the “opt-out” rule for existing customers, in line with the 2002 Directive, the current exception contained in the Irish ePrivacy Regulations of 2011 (which implement the 2002 Directive) in respect of direct marketing to business email addresses did not make it into the Regulation. This exception permits, without the individual’s prior consent, the sending of direct marketing by electronic mail to an email address that reasonably appears to be an email address used mainly by the individual in the context of their commercial or official activity, where the unsolicited communication relates solely to that commercial or official activity.
This will impact the way in which consent is obtained for the storage of cookies and may make obtaining consent in line with the GDPR for third-party cookies, such as advertising tracking cookies, very challenging for website operators and third-party advertisers.
The initial drafts of the Regulation provided for users including details of their consent in their browser settings, for example that they always consent to cookies that optimise their use of the website, but do not consent to cookies that assist with marketing. However, this text has been removed from the most recent draft of the Regulation.
Consent will generally be required for the storage of a cookie, except in some limited circumstances such as necessary functional cookies or cookies for measuring website analytics.
4. Extra Territorial Effect
Like the GDPR, the Regulation will have extra-territorial effect. It will apply to the processing of electronic communications and metadata and sending of unsolicited direct marketing to end users in the EU, regardless of where the processing takes place.
The current Directive does not have this extra-territorial effect.
5. Enforcement and Compensation
The Regulation adopts the fines as set out in the GDPR. As such, a breach of the Regulation can attract a fine of up to €20 million or 4% of worldwide turnover, whichever is greater.
In addition, similar to the GDPR, individuals who suffer damage as a result of a breach of the Regulation will be entitled to recover both material and non-material damages.
While a breach of the current ePrivacy Regulations is a criminal offence and can attract court fines, the Regulation increases the fine and allows the Data Protection Commission to impose the fine directly on an entity without the involvement of a court.
The Regulation is currently working its way through the EU legislative process and we do expect further changes before the final text is agreed. In particular, it is expected that there will be some changes to how cookie consent is obtained.
In addition, the current draft text provides that the Regulation will apply 24 months from the date it is adopted, meaning that it could be some time before we see the new Regulation coming into effect. We will update our website with any significant developments as they arise.