In January 2017, the European Commission published its proposal for an ePrivacy Regulation ("ePR") to replace the existing ePrivacy Directive (Directive 2002/58/EC). The draft ePR is currently working its way through the EU legislative process. Below we set out a summary of the key points of the most recent draft of the ePR, published in October 2017:
While the ePR was initially intended to come into force simultaneously with the GDPR, it is more likely that the ePR will be finalised in 2018 and enter force in late 2018 or early 2019.
The ePR will apply to all providers of electronic communications services, including so-called `over-thetop' or OTT internet-based services (e.g. web-based email, voice-over IP and online messaging apps). Dataemitting connected devices will also be regulated by the ePR.
The ePR will have extraterritorial effect where services (including advertising) are provided to or target end-users located within the EU by providers located outside the EU, regardless of where the processing takes place.
RELATIONSHIP WITH GDPR
The ePR is intended to "particularise and complement" the GDPR and also provides that "electronic communications" under the ePR will generally be considered personal data for GDPR purposes. In short, the ePR should be read in tandem with the GDPR as there is likely to be significant overlap.
The GDPR-level of consent will also apply under the ePR to the processing of message content and metadata for advertising purposes. This means that consent must be freely given, specific, informed and capable of withdrawal at any time. Unlike the GDPR, the ePR does not provide a legitimate interests ground for processing data.
The ePR significantly alters the rules on cookies and other online trackers and use of such
technologies must be based on an informed consent.
CONSENT AND OBA
The ePR defines "direct marketing communications" to include any form of advertising in written, oral or video format which is "sent, served or presented" to end-users. This provision may have implications for online behavioural advertising given that prior consent is required to send or "present" direct marketing communications.
The ePR mirrors the GDPR with the potential fines of up to the higher of EUR 10 million or 2% of global annual turnover or EUR 20 million or 4% of global annual turnover, depending on the breach. The supervisory authority in each EU Member State responsible for enforcing the GDPR, will also be responsible for ePR enforcement.
Note: this summary is based on the draft text of the ePR, which has not yet been finalised.