We live in a digital world in which new technologies and devices are constantly being developed. These innovations have revolutionised, and continue to revolutionise, the way we do things. But while in many respects they make our lives that little bit easier, they also bring with them an increased threat to online privacy.
On 10th January this year, the European Commission published the proposed text for the new e-Privacy Regulation, following on from an unauthorised leak just a month earlier. If accepted, the regulation will replace the current e-Privacy Directive and, alongside the GDPR, will create a new legal framework for privacy in electronic communications.
Below are some key pointers for businesses to consider on the latest projected changes:
- The proposed Regulation's objective is to bring the law on cookies and online behaviour tracking in line with the GDPR and the EU digital single market strategies, and to address the fact that the previous E-Privacy Directive was technically out of date.
- It is in draft format only. Although the intended date for it to come into force is 25 May 2018, the same as GDPR, there will doubtless be many months (if not longer) of negotiation before it reaches its final text, if GDPR negotiations are anything to go by (and that was before the Member States had Brexit to contend with).
- The proposed changes are not dramatically different from the previous E-Privacy Directive in that:
  - consent is still required for cookies (or collection of information about your device) unless the ‘strictly necessary’ exemption applies. The position on analytics is less clear;
  - consent is still required for electronic marketing and the ‘soft opt in’ still applies;
  - one must always provide an opt out of electronic marketing.
- However, the definition of direct marketing is so wide at present that it may capture targeted online advertising. Watch this space.
- There are more detailed obligations on the use of software in browsers and on devices to consent to cookies.
- Penalties would sit in line with GDPR (depending on the breach: 2-4% of global turnover or 10m or 20m euro, whichever is the higher). Compensation claims would also be available for individuals who have suffered damage. Businesses that have a legitimate interest in stopping the infringements could also bring legal proceedings.
- More detailed obligations would be implemented for those operating automated marketing calls, including the use of codes to identify marketing calls and a clear means of contact to opt out.
- More detailed obligations would be set regarding the storage of metadata by communications service providers, and regarding their obligations (and those of device manufacturers) on default privacy settings.
For further advice, please see https://ec.europa.eu/digital-single-market/en/news...