The European Commission has published a draft e-Privacy Regulation, which will replace the current e-Privacy Directive and will apply to all Member States. It will update the existing law to cover instant messaging, web-based email, metadata, cookies, direct marketing and online marketing.
When is it coming into force?
The Commission’s aim is for the regulation to apply from 25 May 2018, which is deliberately the same date on which the GDPR comes into force. It is important to consider the new e-Privacy Regulation alongside the impact of the GDPR for your business and obtain legal advice if necessary.
Who will the regulation apply to?
The regulation covers entities that provide publicly-available ‘electronic communications services’ which process data, utilise online tracking technologies or engage in electronic direct marketing. This is much broader than the current directive and captures many more businesses.
It is intended to apply to newer platforms and media such as WhatsApp, Gmail, Facebook Messenger, Skype, machine-to-machine communication (the Internet of Things), dating apps and video games – as long as there is a ‘communication’ element.
Why have both the GDPR and the e-Privacy Regulation?
The GDPR focuses mainly on individuals, whereas the new e-Privacy Regulation will apply to both individuals and businesses. The new regulation will give individuals and businesses specific rights that are not covered in the GDPR, for example, the right of confidentiality and integrity of users' devices (e.g. smartphones and tablets).
The new regulation will have extra-territorial effect, meaning that it will apply to all electronic data generated by users in Europe that is processed inside and outside of the European Union. This is particularly important for cloud-based services and consideration should be given to cloud agreements.
Confidentiality and metadata
Confidentiality of electronic communications will be strengthened so that no provider can listen, tap, intercept, scan or store any communication without user consent. The processing of communications data will continue to be limited except in the cases of national security or criminal law enforcement.
Metadata will also be caught under the new Regulation. This includes the location from which a message was sent, the duration of a call, who sent it and what was in the user's online shopping basket at the time. Metadata will need to be anonymised or deleted if users have not provided their consent for it to be retained.
The restrictions on unsolicited marketing communications will also apply to ‘electronic communications services’ e.g. by text, automated call or email.
Marketing callers will have to use their number (no more blocking caller ID) or use a specific marketing-only prefix which will increase transparency to consumers.
Fines for non-compliance
The fines reflect the higher GDPR levels and are in two tiers. The more serious infringements have penalties which equate to the higher of €20 million or 4% of the total annual worldwide turnover.
Are there any opportunities for businesses?
Yes, there are. Once users have given their consent, telecom companies will have more opportunities to process metadata collected from users to provide value-added services and to develop their businesses.
Updating and standardising the e-Privacy law across member states has the advantage that businesses will only need to comply with one set of rules across the EU.
What happens next?
The regulation is still in draft form and will likely be scrutinised and amended by the European Parliament and Council. We will be providing further updates in due course.