The draft ePrivacy Regulation: 10 things you need to know
On 10 January 2017 the European Commission published its draft Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), which is intended to replace the existing ePrivacy Directive (Directive 2002/58/EC). Here are 10 things you need to know about the ePrivacy Regulation:
- Regulation not a Directive – like the General Data Protection Regulation (GDPR), as a Regulation it will be directly applicable across all of the EU, meaning that there will be one uniform set of rules across all Member States – there’s no scope for Member States to vary the terms of the ePrivacy Regulation locally.
- Interoperability with the GDPR – it relies on many of the definitions in the GDPR. Security obligations are now dealt with in the GDPR (and no longer separately addressed in the ePrivacy Directive). The ePrivacy Regulation covers more than just personal data processing and so goes beyond the GDPR to guarantee the confidentiality and integrity of users’ devices (i.e. laptops, smartphones and tablets).
- More businesses caught – it will apply to all providers of electronic communications services, publicly available directories and software providers permitting electronic communications. This means that ‘over-the-top’ web service providers such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber, as well as traditional telecoms companies, will all need to comply. This is designed to level the playing field (as the ePrivacy Directive only applied to telecoms companies).
- Extraterritoriality – it covers electronic communications data processed in connection with the provision and use of electronic communications services to end-users within the EU – so the provision of an electronic communications service from outside the EU to an individual in the EU will be covered.
- Consent – it requires that consent be necessary to access information on a user’s device (“terminal equipment”), as well as for the use of more privacy-intrusive cookies or other technologies to access information stored on computers or to track online behaviour. It’s been clarified that such consent may be obtained using technical/browser settings (instead of using banners / pop-ups), provided that the higher standards set out in the GDPR are met. This means that consent will only be valid if individuals have a genuine and free choice and are able to refuse or withdraw their consent without detriment.
- Simplified cookies rules – it confirms that consent will not be needed for non-privacy intrusive cookies improving internet experience (e.g. cookies needed to remember shopping cart history, for filling in online forms over several pages, or for the login information for the same session). Cookies set by a visited website counting the number of visitors to that website will also no longer require consent.
- Spam and direct marketing – it stipulates that users will need to give consent before unsolicited commercial communications are addressed to them, regardless of the technology used.
- Privacy by design – in line with the GDPR, privacy by design is a key feature of the ePrivacy Regulation and many companies will need to make changes to comply. For example, anonymisation is mandated where personal data is not needed to provide a service, and software permitting electronic communications will need to tell users about the privacy settings options upon installation and require users to make a selection (for software that is already installed, this will need to be implemented on the first update and no later than 25 August 2018).
- Enforcement – for consistency, Data Protection Authorities in Member States will be responsible for enforcing the ePrivacy Regulation.
- Fines – it operates in line with the GDPR, with potential fines increasing to up to EUR 20 million or 4% of worldwide turnover, whichever is the greater.
It’s intended that the ePrivacy Regulation will apply from 25 May 2018 – the same date from which the GDPR will apply. It should though be noted that the draft Regulation is likely to be amended whilst it makes its way through the EU’s legislative process.