Those who believed that the General Data Protection Regulation was sufficient new privacy regulation for Europe to contend with may have got it wrong. The European Commission has been working on a review of the 2002 ePrivacy Directive, and a version of the text was leaked earlier this week. Initial analysis shows that the new rules may have a heavy impact on any organisation, whether based in the EU or abroad, that uses metadata, tracking software or other tools to monitor online behaviour. Further, there is a risk of sanctions for non-compliance at a level that aligns with the GDPR, i.e. fines of up to 4% of global annual revenues.
If implemented as currently written, the draft e-Privacy Regulation would:
- Extend scope of ePrivacy regulation to cover telecommunication providers
- Apply rules to new tracking and e-marketing technologies
- Align privacy concepts (consent, breaches, territorial scope, fines,…) with the GDPR
- Amend the rules on secrecy of communication metadata
Extending ePrivacy to VOIP and IoT
Providers of telecommunication services over the internet (VoIP or “over-the-top” (OTT) players, including messenger apps) are not covered by the current ePrivacy Directive, even though end-users may see their services as functionally equivalent to those of traditional telecommunications providers. To level the playing field, the draft text of the Regulation takes a technology-neutral approach, applying to ‘any exchange of information using electronic communications services and public communications networks, including content and metadata’ (e.g. location data and device fingerprints). The Regulation would also apply to hotspot services and cover machine-to-machine (M2M) communications, which is crucial for the development of the internet of things (IoT).
Expanded privacy rules
The draft Regulation would also spell big changes for a variety of actors beyond traditional telecoms providers:
- Regulation: By avoiding the need for transposition into national law, the Regulation will be directly applicable and leave less room for divergent national laws.
- Territorial scope: The Regulation would apply to electronic communications data processed in connection with the provision of electronic communications services in the EU, regardless of whether the processing takes place in the EU, and to the protection of information related to the terminal equipment of end-users in the EU.
- Tracking tools: The Regulation confirms that the current cookie rules apply universally to all end-users, irrespective of whether they are individuals or corporate subscribers. The new rules would take a more stringent approach to “opt-in” consent, applying the consent regime defined by the GDPR. Third-party cookies should be blocked by default. The rules would extend beyond cookies and pixel tags to cover any form of tracking tool, including tools that “interfere” with the terminal equipment without storing any code on the user’s device (for example by using the terminal equipment’s processing capabilities).
- Communications secrecy: Metadata from all types of providers will need to be deleted, except where retention is permissible under the current exceptions (e.g. billing, quality control or cybersecurity) or where prior consent has been given under the GDPR.
- Spam: The Regulation confirms that anti-spam rules will apply universally to all subscribers (including corporates). Direct e-marketing will not be permitted unless the end-user has consented, or unless it is sent to existing customers for similar products (in which case only an opt-out option is required). The Regulation would permit Member States, by law, to allow voice-to-voice direct marketing on an opt-out basis.
- Breach notification: The procedure for reporting breaches that applies to ISPs and telecoms providers, introduced in 2009, is to be aligned with the breach notification requirements of the GDPR.
- Enforcement: As with the GDPR, a violation of the e-Privacy Regulation could be fined up to 4% of the total worldwide annual turnover of an undertaking; data protection authorities would be given powers to enforce certain provisions of the Regulation.
The draft text of the proposal is expected to be finalised in January 2017, after which it will be reviewed by the European Council (composed of EU Member State representatives) and the European Parliament; this process could take several months or even years. The draft text as it currently stands provides for a 6-month transition period once the Regulation is finally adopted.