Over-the-top communications services ("OTTs"), the Industry 4.0, marketing departments, hotspot operators, software providers that permits electronic communication, and web browser providers should pay close attention: A new regulation, taking on board the risks of hefty fines of the new General Data Protection Regulation ("GDPR"), is coming to town.

After enacting the GDPR, the European Union is adding a new piece to the puzzle by updating its privacy regulation for communication technologies. On January 10, 2017, the European Commission published its proposal for an "ePrivacy Regulation" to be adopted by the European parliament and the Council. Replacing the so-called ePrivacy Directive (2002/58/EC), the ePrivacy Regulation is aimed at complementing the high level of data protection already imposed by the new GDPR, to which the ePrivacy Regulation will serve as lex specialis. As a Regulation, it will be directly applicable in 28 Member States (possibly excluding the United Kingdom after Brexit). It should also ensure a level playing field for all market players. Moreover, the ePrivacy Regulation harmonizes the requirements for direct marketing and streamlines cookie requirements by establishing Privacy by Design for web browsers and other software applications.

Extended Scope

The ePrivacy Regulation will apply to the processing of electronic communications data carried out in connection with the provision and use of electronic communication services as well as to information related to the terminal equipment of end-users. The ePrivacy Draft Regulation extends its scope to services not previously covered-instant messaging, voice-over IP, and web-based e-mail services-that run over the internet access services (hence: over the top). The official justification also clarifies that the definition includes the transmission of machine-to-machine ("M2M") communication, also known as the Internet of Things. Moreover, hotspot operators providing access to an undefined group of users will also fall within the new broad material scope.

Electronic communications data, including content and metadata, is considered extensively and on a technology-neutral basis. Any interference with the transmission of electronic communications data, whether directly or through the intermediation of automated processing by machines, is prohibited, meaning that without consent, no monitoring by third parties of the websites visited or the interaction with others is permitted, regardless of the technology used.

The ePrivacy Regulation applies irrespective of whether the processing of electronic communications data takes place in the EU or not. The provision to end-users or use of electronic communications services in the EU is sufficient besides the additionally outlined protection of information related to terminal equipment of end-users in the EU. If the provider of an electronic communications service is not established in the EU, a representative with the power to represent the legal or natural person and to answer questions and provide information to the supervisory authorities, courts, and end-users must be established within the EU.

Processing is Conditioned on Consent

The concept of consent as adopted from the GDPR is the sole justification for the processing of electronic communications data, except in a limited number of cases (e.g., for transmission, security, or billing purposes). "Consent" is defined as in the GDPR and will be presumed not to be given freely if the provision of a service is made conditional upon consent. In addition, the ePrivacy Regulation stipulates that consent for the processing of communications content and metadata may be obtained only if the intended purpose cannot be achieved by processing information that is made anonymous. Users must have the ability to withdraw consent at any time and be reminded of this possibility on periodic six-month intervals.

Cookies, Communication Software, Web Browsers, and Privacy by Design

End-users' terminal equipment for electronic communications networks and any information relating to the usage of such terminal equipment are part of the users' private sphere, and consent is necessary for any interference with this equipment. Exceptions apply to situations that have no or only limited privacy intrusiveness, including interface customization cookies (e.g., language preferences) for short periods.

The proposal considers web browsers and communication software as gatekeepers of the users' privacy sphere. In order to provide a more user-friendly internet browsing experience, the ePrivacy Regulation requires, wherever technically possible and effective, the obtaining of the user's consent through appropriate browser settings or other software applications. In connection, the ePrivacy Regulation enforces the concept of Privacy by Design for software permitting electronic communications, including the retrieval and presentation of information on the internet. Thus, all software permitting electronic communications and web browsers, upon installation, must inform the end-user about the privacy settings, including an option to prevent third parties from storing information.

Direct Marketing

The ePrivacy Regulation adjusts the requirements for direct marketing via electronic communications services in all Member States. Prior consent (opt-in) is necessary, unless customers' contact details for email were obtained in the context of the sale of a product or a service, in accordance with the GDPR. In that case, customers must have been clearly and distinctively informed about the opportunity to object free of charge and must be informed about their right to object on the occasion of each message.

Penalties

Violation of the principle of confidentiality-any interference with electronic communications data without justification, as well as noncompliance with an order by the supervisory data protection authority-can lead to fines of up to €20 million or, in the case of an undertaking, up to 4% of the worldwide annual turnover. The same applies in the case of a failure to comply with the requirements for direct marketing. Noncompliance with regard to Privacy by Design can lead to fines of up to €10 million or, in the case of an undertaking, up to 2% of the worldwide annual turnover.

In conclusion, the digital industry should anticipate an increased regulation of privacy in their area of activities:

  • The ePrivacy Regulation is still a proposal that must be adopted by the European Parliament and the Council. Currently, adoption is expected to be aligned with the entry into force of the GDPR (May 2018). However, the timing for adoption is also likely to depend on the legislative progress made for the adoption of the draft Electronic Communication Code, as many concepts found in the ePrivacy Regulation stem from (and must be aligned with) this draft Code.
  • During the legislative process, modifications to the ePrivacy Regulation are likely, and all operators have the opportunity to identify their concerns and possible improvements via the EU legislative process.
  • OTTs and software providers, even those located outside the EU, may anticipate likely legal developments when considering the privacy settings of their future products and services.