The proposal text for the new e-privacy Regulation (hereinafter the “Regulation”) was released on 10 January 2017. It is meant to replace the current e-Privacy Directive implemented in 2002 and extend its scope and rules to align them with the General Data Protection Directive, becoming its lex specialis. It will take effect on 25 May 2018 and being a Regulation, it will become legally binding in all EU Member States without requiring specific implementing legislation. The e-Privacy Directive applies only to traditional telecommunication providers, meanwhile the Regulation will apply to all providers of electronic communications services; internet based voice services, text message and email providers included. The so-called “over-the-top communications service providers” are currently not subject to the e-Privacy Directive. As a results, such providers (i.e. Skype, WhatsApp, Messenger) will be obliged to guarantee the same level of data protection as the traditional ones. Also, no distinction is being made between EU and non EU service providers.
Confidentiality of electronic communication data
The Regulation protects not only the content of communication, but the metadata, e.g. location data, as well. Separate rules applicable to the use of content data than to metadata are set out. Content data can be used with the consent of end users, meanwhile metadata can either be used when necessary for service requirements or when needed for purposes where the data cannot be anonymous. New rules for storage and erasure of data are also introduced.
The provisions in the Regulation regarding cookies aim at the requirements set out in the ePrivacy Directive, which have resulted, according to the Commission in “cookies consent overload”. The Regulation allows the consent with the usage of cookies to be provided by browser settings and cookies that do not have an impact on privacy will no longer require consent. Also, software developers should offer the option to prevent third party cookies.
Unsolicited marketing will require prior consent of individuals. Marketing callers will have to allow subjects to block such calls and provide them with information regarding their identity as well as disclose their numbers, for instance by a prefix.
In case of breaches fines set out in the Regulation are up to 20 million EUR or 4% of the total worldwide turnover, it basically corresponds to those as provided in the GDPR.
The Article 29 Working Party (WP29) Opinion
In April 2017 the WP29 submitted a statement welcoming the Regulation and listing several positive aspects, however it also named some of the points of concern and set out ways of improvement to introduce more legal certainty for all subjects involved.
Some of the positive aspects the WP29 listed:
– the WP29 welcomes the choice for a regulation as the regulatory instrument
– it also welcomes the alignment of fines under the Regulation with the GDPR
– the expansion of the scope of providers included is welcomed.
However there are also some points of grave concern, that undermine the level of protection accorded by the GDPR:
– the rules on obtaining user consent to Wi-Fi device tracking should comply with GDPR-requirements
– the conditions under which the analysis of content and meta data is allowed must be elaborated, metadata and content data should be granted the same level of protection
– tracking walls should be banned, i.e. the situation, when access to a website is banned if a cookie is not accepted