Another Regulation showing that the European Commission means business when it comes to privacy and data subject rights.

While organisations are trying to come to terms with the EU General Data Protection Regulation (the “GDPR”), the European Commission as part of its digital single market package aims to have a new ePrivacy Regulation in force by May 2018.

The ePrivacy Regulation (currently in draft form) will replace the current ePrivacy Directive from 2002. As a Regulation it will be directly applicable in this jurisdiction. The aim is to ensure stronger privacy rules for all electronic communication, in particular for Over The Top Communication Services (“OTTs”) e.g. Skype, Gmail, Facebook messenger WhatsApp, and to harmonise the rules around electronic communications to align with the new rules under the GDPR. There are currently a number of similarities in terms of consent conditions and fines between the GDPR and the proposed ePrivacy Regulation.

Who does the ePrivacy Regulation impact?

While the ePrivacy Directive only applied to traditional telecoms providers, the ePrivacy Regulation applies to all electronic communication providers, that is, to any business that provides any form of online communication service (OTTs). It also extends to inter personal communication services that are ancillary to another service, for example a gaming app that allows users to talk to each other, dating apps, travel and e-commerce sites.

Technology, media and marketing service providers will all be impacted by the ePrivacy Regulation, together with organisations who engage in direct marketing.

How does the ePrivacy Regulation impact users and services providers?

In addition to having a wider remit, and harmonising the rules across all Member States, the following are proposed in the draft ePrivacy Regulation:

1. Communications Content and Metadata

Privacy is guaranteed under the proposed ePrivacy Regulation for both content (i.e. text, voice, videos, images, and sound) and metadata (i.e. a set of data that describes and gives information about other data such as source and/or location, time, date and duration data of communications) derived from electronic communication. The ePrivacy Regulation requires metadata to be anonymised or deleted unless consent is given by users to the continued use or the data is necessary for the purposes of, for example, detecting or stopping fraudulent telecommunications services.

2. Interception Prohibited

The ePrivacy Regulation prohibits the interception of any electronic communications unless permitted by a Member State or EU law. Confidentiality of electronic communications may be restricted by law under the GDPR, where necessary, to safeguard one or more of the general public’s interests, for example to safeguard national security.

3. Consent

All definitions of consent contained in the GDPR are adopted by the ePrivacy Regulation. The strict conditions relating to consent set out by the GDPR must be compiled with. Users must be given the right to withdraw their consent at any time and must be reminded every six months of the option of withdrawing their consent if the data processing continues.

4. Access to personal data

Providers of electronic communications services must establish internal procedures for responding to requests for access to end-users’ electronic communications data.

When requested, service providers must provide the competent supervisory authority (Data Protection Commissioner) with information about those procedures, the number of requests received, the legal justification invoked and their response.

5. Cookies

Firstly, what is a cookie? It’s not crunchy or chocolaty

An internet cookie is a small piece of data sent from a website and stored on a users’ computer (by the users’ web browser) and is typically used to store information about the user which is relevant to the website (e.g. remembering a username, remembering search history).

The ePrivacy Regulation streamlines the rules on cookies to prevent the overload of pop-up windows requesting consent to the use of cookies for internet users. The new provision on cookies provides that browser settings be taken as consent. This is a privacy by design approach that requires providers of browsers, and similar software, to provide users with cookie and tracking controls which should remove the need for cookie banners and to move the consent requirement away from websites.

The ePrivacy Regulation also provides that consent is not required for non-privacy intrusive cookies such as cookies used by a website to remember shopping cart history or to count the number of visitors to the site.

6. Unsolicited Electronic Communications

It is proposed that unsolicited direct marketing by any means, including via email, SMS or automated calling machines, will be prohibited under the ePrivacy Regulation, if consent is not given. All types of electronic marketing will require an opt-in except where an individual’s email contact details have been obtained in the context of a sale or service, but an opt-out is still possible.

Marketing callers are also required to display their phone number or use a special pre-fix number that indicates a marketing call.

7. Enforcement – Fines

The responsibility of enforcement and monitoring of the ePrivacy Regulation is entrusted to the supervisory authority (Data Protection Commissioner) which is also responsible for enforcing the GDPR. This aligns online privacy rules with the high standards of data protection rules set out in the GDPR. The fines imposed for breaches are identical to the GDPR which is up to €10,000,000 or 2% of the preceding financial year’s turnover, for a less server breach, and for a more material breach, up to €20,000,000 or 4% of the preceding financial year’s turnover.

8. Compensation

Similar to the GDPR, users who suffer material or non-material damage as a result of infringement are given an express right of action under the ePrivacy Regulation to receive compensation from the infringing organisation. The burden of proof is on the infringing organisation to prove that it was not responsible for the event giving rise to the damage.

Next Steps

The European Commission aims to have the proposed ePrivacy Regulation come into force on the same date as the GDPR, which is 25 May 2018. However, the proposal must first be reviewed and debated by the European Parliament and the Council.

The proposed ePrivacy Regulation reflects another step towards the harmonisation of the Digital Single Market, and highlights the growing emphasis being placed on responsibility and accountability for data use, and the protection of data subjects’ rights.

Notwithstanding the fact that the earliest this ePrivacy Regulation will become effective is May 2018, and that the Regulation is not in its final form, it would be wise for organisations to begin to prepare for the implementation of this Regulation now, alongside their planning for the implementation of the GDPR.