The Commission has published a draft Regulation to replace the ePrivacy Directive.

What's the issue?

Having completed the GDPR and NISD, the Commission is rounding off its overhaul of the EU privacy regime with an update of the ePrivacy Directive.

What's the development?

The EC has published a draft Regulation which it is urging the Council and Parliament to complete by 25 May 2018 when the GDPR comes into effect.

As expected, the draft Regulation on Privacy and Electronic Communications:

  • applies to 'over the top' service providers such as WhatsApp, Facebook, Gmail and Skype and not just to telecommunications service providers;
  • takes the form of a Regulation rather than a Directive;
  • covers both content and metadata derived from electronic communications - both will need to be anonymised or deleted if users have not given consent, unless required for billing purposes;
  • gives traditional telecommunications providers more scope to use data and provide additional services, subject to obtaining appropriate consent;
  • streamlines rules on cookies - consent to cookies will be able to be given through browser settings and consent will not be needed for non-privacy intrusive cookies improving internet experience and cookies set to count visitors to a website;
  • bans unsolicited electronic communication by any means including phone calls if users have not given consent;
  • allows Member States to require that marketing callers display their phone number or use a special prefix; and
  • enhances enforcement, including by bringing penalties for non-compliance in line with those under the GDPR.

What does this mean for you?

This legislation is going to be of enormous significance to OTT providers who come within its scope for the first time. For traditional telecommunications providers, there is some extension of scope in terms of what can be done with data and there is also a relaxation of cookie rules with the recognition that consent can be provided using browser settings. Individuals are likely to welcome further restrictions on unsolicited marketing, not least through the vastly increased sanctions for non-compliance which are brought in line with those under the GDPR.