On 10 January 2017 the EU Commission proposed a new regulation (the “ePrivacy Regulation”) to replace Directive 2002/58/EC (the “ePrivacy Directive”). This new regulation aims to update and extend current ePrivacy rules and to align them with the impending General Data Protection Regulation (“GDPR”). The key features of the proposed ePrivacy Regulation are as follows:
Increased fines: Currently under the ePrivacy Directive, as implemented into Irish law, the fines are up to €250,000 for a body corporate and €50,000 for an individual. Depending on which provision is breached, fines currently provided for in the ePrivacy Regulation range from €10,000,000 or, in the case of a body corporate, 2% of the preceding financial year’s turnover to €20,000,000 or, in the case of a body corporate, 4% of the preceding financial year’s turnover. This aligns with the fines provided for in the GDPR.
Compensation: Users who suffer material or non-material damage as a result of infringement are given an express right of action under the ePrivacy Regulations to receive compensation from the infringing organisation. The burden of proof is on the infringing organisation to prove that it was not responsible for the event giving rise to the damage. This aligns with a similar right given to data subjects in the GDPR.
Extension of scope: The ePrivacy Regulation will extend the scope of ePrivacy rules to include all electronic communication services irrespective of whether a payment from the end-user is required or not. In the Commissions’ view, this means that operators such as Whatsapp, Facebook Messenger, Skype, Gmail, iMessage and Viber will be subject to the ePrivacy Regulation as well as traditional telecom operators (to which the ePrivacy Directive applies).
Uniform rules: As this is a regulation, as opposed to a directive, it will have direct effect across the Member States without the need for implementing legislation at a national level, although some aspects will still need national legislation to “fill the gaps” or exercise options (such as relating to marketing calls as referenced below). This fits with the renewed focus on harmonisation in the Digital Single Market and should (hopefully) mean that businesses can make efficiency savings by implementing standard compliance procedures across all their EU operations and will enjoy the associated business certainty.
Communications content and metadata: The ePrivacy Regulation guarantees the privacy for both content (ie text, voice, videos, images and sound) and metadata (eg data used to trace source and/or location of communication, the time, date and duration of the communications) derived from electronic communication. Such data will need to be anonymised or deleted unless users consent to their continued use or where the data is necessary to achieve the transmission of the electronic communication, for support and maintenance of the network or service or where, in the case of metadata, it is necessary for billing purposes.
Cookies: The Commission has recognised that the cookies requirements in the ePrivacy Directive have resulted in “cookies consent overload”. The ePrivacy Regulation will streamline the user consent requirements in respect of cookies. For example, the use of a combination of standardised icons which give a meaningful overview of the data collected is suggested as a method of providing the required information to users. Cookies required for the use of a website that do not impact on privacy, such as items in an online shopping cart, will no longer require consent, nor will cookies which are used to analyse visitor numbers.
Spam: The ePrivacy Regulation will ban unsolicited electronic communication by any means if users have not given their consent. In relation to marketing calls, the Member States have discretion to implement this via a blanket prohibition or via an opt-out system. In addition, marketing callers will be required to display their phone number or use a special prefix that indicates a marketing call.
The Commission’s proposals will now be reviewed and debated by the European Parliament and the Council, with the Commission aiming to have the proposed ePrivacy Regulation becoming effective across Member States on 25 May 2018, being the same effective date as the GDPR.
What does this mean for your business?
The ePrivacy Regulation is another step towards greater harmonisation of the Digital Single Market. It is also reflective of the growing emphasis put by the Commission on responsibility and accountability for data use. While the ePrivacy Regulation is not in its final form and will not come into effect until May 2018 at the earliest, organisations should now start to consider the impact of the ePrivacy Regulation on their businesses. This is particularly so for organisations that are not subject to the ePrivacy Directive but will be subject to the ePrivacy Regulation. With the significant financial sanctions for breaches of the ePrivacy Regulation, the risk of not implementing appropriate policies and procedures may be considerable.