On 10 January 2017, the European Commission (EC) issued its proposal for a Regulation on Privacy and Electronic Communications, with the aim of replacing the current e-Privacy Directive (for more information, see our Data Protection Alert on the e-Privacy draft regulation). After months of intensive debate, the European Parliament finally adopted its amendments to the draft e-Privacy Regulation, while the Council recently released a consolidated version of the e-Privacy Regulation, summarising the work it has done so far as a basis for future work.
The current revised versions of the Regulation from the European Parliament and the Council specify, and sometimes depart from, the EC’s proposal, while strengthening the rules on the protection of electronic communications data. Provisions drawing the most attention relate to (1) the broader scope of application of the Regulation, (2) changes in cookies rules, and (3) stronger direct marketing rules.
Broader scope of application
The EC’s proposal (Proposal) extended the scope of the e-Privacy rules to new forms of electronic communication services in order to provide users with the same level of protection, irrespective of the communication service they use. While current e-Privacy legislation only applies to traditional mobile and fixed-line communication services, the Proposal also covers instant messaging, VoIP and web-based e-mail. In order to make sure that the Regulation covers all new channels and forms of electronic communication services, the current proposed amendments (Amendments) explicitly include machine-to-machine communications (Internet of Things). This approach was also endorsed by the WP29 in its opinion.
Furthermore, the Amendments also specify that the principle of confidentiality of electronic communications applies to both data in transit, and data stored on a device or in the cloud. They further detail the specific circumstances and conditions allowing a lawful interference with the right to confidentiality of electronic communications.
Changes in cookies rules: by default browser settings and “Do-Not-Track mechanisms”
The Amendments add that browser settings should disable cookies by default. Such a configuration will prevent other parties from storing information on the device, or processing information stored on the device, without the consent of the user. This is in line with the privacy by design approach implemented in the GDPR. In addition, the Amendments also extend the periodic intervals at which users are given the opportunity to withdraw or confirm their consent from 6 to 12 months.
Finally, both the European Parliament and the Council agree on the necessity of implementing “Do-Not-Track” mechanisms by default in browser settings. This implies that browser settings should give users sufficiently granular options as to the categories of consent.
Stronger direct marketing rules
In line with the GDPR, the Proposal expressly stated that a valid “opt-in” consent must be obtained from the user in order to send unsolicited electronic communications such as e-mails, push notifications or SMS. This requirement does not apply in the case of electronic marketing to existing customers regarding the company’s own similar products or services, provided that the customers are given the opportunity to withdraw their consent at any time for each marketing communication. The Amendments clarify that such a withdrawal right must be available free of charge.
The Proposal also introduced a system of mandatory caller-line identification for marketing calls, allowing users to identify the person/company calling them. While the Amendments specify that the use of false identities is of course prohibited, they add that marketing firms will have to comply with “Do-Not-Call” registers. Such registers allow individuals to “opt out” of all direct marketing calls.
Next steps?
As the current amendments clearly tend to focus on the user’s prior consent as the primary ground for processing, the EU bodies are now debating whether additional grounds, such as legitimate interest (as stated in the GDPR), could also be taken into account for processing electronic communications data. The Council has already pointed out other grounds for processing, such as compliance with a legal obligation or scientific research and statistical purposes.
Despite what was initially scheduled, it seems unrealistic to expect a final version of the Regulation by 25 May 2018, the date on which the GDPR will become applicable. As usual, we will follow this matter closely and will keep you up to date.