2018 saw the biggest change in European privacy law in over 25 years with the implementation of the General Data Protection Regulation (the GDPR) in May. While organisations have been busy implementing the various changes the GDPR brought about, the European Union has been negotiating the text of the ePrivacy Regulation (the Regulation).

The Regulation will complement the GDPR where the electronic communication contains personal data. More significantly, it will replace the existing E privacy directive and update the rules on the processing of electronic communications, cookies and unsolicited direct marketing.

The current draft of the Regulation proposes a number of important changes to the existing law in this area.

Key Changes under the current draft of the Regulation

1. Scope

The existing ePrivacy Directive and the Irish ePrivacy Regulations of 2011 (which implement the 2002 Directive in Ireland) apply to traditional means of communication for example, mobile or landline telephone calls, SMS text messages and e-mails. Given that the communications landscape has evolved significantly, the definition of communications services has been updated, so that it includes messaging services, web based email services and voice over IP.

2. Direct Marketing

The Regulation provides that as a general rule you cannot use electronic communications services to send direct marketing to a natural person unless they have given their consent.

However, where you obtain a natural person’s contact details for an electronic message in the sale of a product or service you can use those details for direct marketing of your own similar products or services only if that person was given an opportunity to object (opt out) to such use. The right to object must be given at the time you collect the details and each time you send a direct marketing message.

The Regulation allows member states to set a time period, after the sale of the product or service occurred, within which you may use the person’s details for direct marketing.

The Regulation also provides that member states may allow direct marketing by voice to voice calls to persons who have not objected (opted out) of receiving those communications. The Regulation leaves member states free to set the rules in respect of direct marketing to legal persons but requires that such legal persons’ legitimate interests are sufficiently protected.

While the Regulation does, to the relief of many businesses, maintain the “opt-out” rule for existing customers, in line with the 2002 Directive, the current exception contained in the Irish ePrivacy regulations of 2011 (which implement the 2002 directive) in respect of direct marketing to business email addresses did not make it in to the Regulation. This exception permits, without the individual’s prior consent, the sending of direct marketing by electronic mail to an email address that reasonably appears to be an email address used mainly by the individual in the context of their commercial or official activity and the unsolicited communication relates solely to that commercial or official activity.

3. Consent

The Regulation adopts the provisions for consent that are set out in the GDPR. Consent is therefore required to be a freely given, specific, informed and unambiguous indication of the natural or legal person’s agreement to what is being proposed. This is a much higher threshold for obtaining consent than under the current ePrivacy regulations and the pop up cookies banner which asks users to simply consent to all cookies is unlikely to be sufficient. Website operators will also no longer be able to rely on implied consent to cookies where an individual simply uses the website. Website users will be required to positively consent to the use of cookies (where consent is required under the Regulation).

This will impact the way in which consent is obtained for the storage of cookies and may make obtaining consent in line with the GDPR, for third party cookies, such as advertising tracking cookies, very challenging for website operators and third party advertisers.

The initial drafts of the Regulation provided for users including details of their consent in their browser settings, for example that they always consent to cookies that optimise their use of the website, but do not consent to cookies that assist with marketing. However, this text has been removed from the most recent draft of the Regulation.

Consent will generally be required for the storage of a cookie, except in some limited circumstances such as necessary functional cookies or cookies for measuring website analytics.

4. Extra Territorial Effect

Like the GDPR, the Regulation will have extra-territorial effect. It will apply to the processing of electronic communications and metadata and sending of unsolicited direct marketing to end users in the EU, regardless of where the processing takes place.

The current directive does not have this extra-territorial effect.

5. Enforcement and Compensation

The Regulation adopts the fines as set out in the GDPR. As such, a breach of the Regulations can attract a fine of up to €20million or 4% of worldwide turnover, whichever is greater.

In addition, similar to the GDPR, individuals who suffer damage as a result of a breach of the Regulation will be entitled to recover both material and non-material damages.

While a breach of current ePrivacy regulations is a criminal offence and can attract court fines, the Regulation increases the fine and allows the Data Protection Commission to impose the fine directly on an entity without the involvement of a Court.

Next Steps

The Regulation is currently working its way through the EU legislative process and we do expect further changes before the final text is agreed. In particular it is expected that there will be some changes to how cookies consent is obtained.

In addition, the current draft text provides that the Regulation will apply 24 months from the date it is adopted, meaning that it could be some time before we see the new Regulation coming into effect. We will update our website with any significant developments as they arise.