On January 10, 2017, the European Commission presented its Proposal for a Regulation on Privacy and Electronic Communications (the “Proposed Regulation”). The Proposed Regulation would repeal and replace Directive 2002/58/EC (the 2002 ePrivacy Directive, as amended in 2009, which is also frequently referred to as the “Cookie Directive”). The proposal aims to keep pace with the evolution of technical and market realities, and to ensure consistency with the General Data Protection Regulation 2016/679 adopted in 2016 (the “GDPR”). Consequently, the provisions of the Proposed Regulation complement the general rules on the protection of personal data in the GDPR as regards electronic communications data.

The Proposed Regulation would lead to far-reaching changes for the electronic communication sector:

  • Change from a Directive to a Regulation. As with the GDPR, the new legal instrument for privacy in the electronic communication sector would be a regulation. Regulations have direct effect in member states of the European Union (“EU”) and do not require national implementing legislation. This means that one single legal text—the Regulation, when adopted and in force—would be applicable in the EU member states. Only in certain specific areas, e.g., national security, would member states have the authority to pass national legislation regarding privacy in electronic communications.
  • Changes in Territorial Scope. The Regulation would apply to electronic communications data processed in connection with the provision and use of electronic communications services in the EU, regardless of whether the processing takes place in the EU, and to the protection of information related to the terminal equipment of end-users in the EU.
  • Risk of Significant Sanctions. As with the GDPR, the Regulation would significantly increase the range of possible fines for non-compliance. The European Commission suggests that the amounts of administrative fines could be up to the higher of EUR 20 million or 4% of the fined party’s total worldwide annual revenue of the preceding financial year.
  • Broader Applicability. The Regulation would broaden the applicability of the framework by referring to the broad definition of “electronic communications services” as proposed by the European Commission in its proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final - 2016/0288 (COD)). That definition includes not only internet access services and services consisting wholly or partly in the conveyance of signals but also interpersonal communications services, which may or may not be number-based, such as, for example, messaging services and web-based e-mail services.
  • Electronic Consent, including for Cookies. The Regulation is designed to be in conformity with the GDPR, meaning that it would be subject to the GDPR’s heightened requirements for consent, which are stricter than those that exist in the current ePrivacy Directive. The general definition of consent now requires a freely given, specific, informed and unambiguous indication of an individual’s wishes by which the respective individual, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him/her being processed. Regarding the use of cookies in the user’s terminal equipment, the recitals of the draft Regulation explicitly state that end-users are overloaded with requests to provide consent. To address this problem, the Regulation contains express language regarding the use of technical means to provide consent through transparent and user-friendly settings (reference to “Privacy by design” and “Privacy by default”). Therefore, the Regulation states that software that is offered in the marketplace permitting electronic communications must offer the option to prevent third parties from storing information, including cookies, on the terminal equipment of an end-user or processing information already stored on that equipment.
  • Restrictions on Direct Marketing. Under the Regulation, direct e-marketing would not be permitted unless the end-user has consented, or unless the company has obtained the e-mail contact details within the context of an existing customer relationship for the offering of similar products or services and distinctly given the data subject the opportunity to object, free of charge and in an easy manner. The conditions for consent in the Regulation are the higher standards set out in the GDPR, as described above.
  • Supervisory Authorities. The independent supervisory authority or authorities responsible for monitoring the application of the GDPR would also be responsible for monitoring the application of the Regulation. Further, the GDPR’s concept of a lead supervisory authority for data processing activities with cross-border effects, and its detailed provisions regarding the cooperation between the lead supervisory authority and other concerned supervisory authorities, would apply.

The European Commission called on the European Parliament and the Council to work swiftly and to ensure smooth adoption of the Regulation. The intent is to provide citizens and businesses with a complete legal framework for privacy and data protection, including a final Regulation on Privacy and Electronic Communications in Europe by May 25, 2018, the date when the GDPR is fully applicable.