On January 10, 2017, the European Commission unveiled the “last major Digital Single Market initiatives” addressing Europe’s digital future. These initiatives comprise the following:
- A proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation);
- A Communication on “Building a European Data Economy” (see our post here); and
- A Communication on exchanging and protecting personal data in a globalized world (see our post here).
(There is also a proposal for a Regulation on data protection rules applying to European institutions which InsidePrivacy is not reporting on.)
This post summarizes the proposal for an E-Privacy Regulation.
The existing E-Privacy Directive 2002/58/EC sets out specific privacy-related rules for telecommunications, marketing, and digital services that “particularise and complement” those in the Data Protection Directive. However, following the enactment of the General Data Protection Regulation (GDPR), there has been a need to update the E-Privacy Directive. From April to June 2016, the Commission consulted on reform of the E-Privacy Directive and, in August 2016, the Commission published a summary report on the results of that consultation.
The proposed E-Privacy Regulation includes significant changes to the current framework that, if enacted in its current form, would impact a wide range of companies that operate online. Among other things, the draft introduces new rules in relation to traffic and location data, modifies the controversial “cookie” rule, and aligns fines for breach of the proposed Regulation with the GDPR – meaning a maximum fine of up to 4% of annual worldwide turnover for certain breaches.
Significant changes to the current framework include:
- A Regulation (to harmonize rules across Europe) with broad(er) territorial reach. The current E-Privacy Directive is implemented in a patchwork of national Member State laws; the leaked draft, however, is a Regulation, which requires no national implementing laws (and so would harmonize these rules across the European Union); this approach mirrors the approach taken with the Data Protection Directive, which will be replaced by the GDPR. The geographic scope of the law has been clarified: unlike the current E-Privacy Directive, which applies only to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community,” the new proposal also applies where processing takes place outside the Union, provided those services are provided to end-users in the EU.
- Telecommunication over-the-top (OTT) services are clearly in scope. The current E-Privacy Directive applies to providers of public electronic communications services and networks — the meaning and scope of which has been subject to debate. In response to calls from telecoms providers to “level the playing field,” the new Regulation would, through referencing new definitions proposed by the Commission in the draft European Electronic Communications Code (a separate Commission proposal to comprehensively reform telecoms laws), also apply to so-called “OTT providers,” such as instant messaging and chat apps.
- Expansion of rules on confidentiality, interception, and traffic / location data. The E-Privacy Regulation would significantly tighten confidentiality requirements in relation to the processing of all “electronic communications data” (a term defined to include both “electronic communications metadata” (including both traffic and location data) and “electronic communications content”). The Regulation would prohibit providers of electronic communications services from processing any such data without meeting strict grounds set out in the Regulation (one of which, in some circumstances, is the consent of end-users). In the case of processing of electronic communications content, such conditions are highly restrictive, and could require companies to consult with regulators prior to processing.
- Modifications to the “cookie law.” The law requiring consent for the use of certain cookies will be reformed, so that cookies are prohibited except where (i) the end-user has provided consent; (ii) it is necessary for the purpose of carrying out communications over a network; (iii) it is necessary for an information society service requested by the end-user, or a provider of such a service measures use of the service; or (iv) it is necessary for web audience measuring, provided that the measurement is carried out by an information society service at the request of the end-user. The standard of “consent” is also heightened, by reference to the high threshold set out in the GDPR.
- High(er) fines for breaches. The E-Privacy Regulation takes the same approach as the GDPR by introducing fines as high as EUR 20 million or 4% of total worldwide turnover, whichever is greater.
- “Privacy by design” requirement. The Regulation would introduce a wholly new requirement to mandate that software that “permits” electronic communications must “offer the option” to prevent third parties from storing, processing or using information on the end-user’s device. Consent will be required before any software is installed, and for software already installed, users will be put through the process “at the time of the first update of the software, but no later than 25 August 2018.”
- Similar rules on unsolicited communications but applied more broadly. The proposed Regulation’s rules on unsolicited communications are similar to the E-Privacy Directive; the rules on consent and the “soft opt-in” are maintained (although, unlike the E-Privacy Directive, there is no reference to “prior” consent). The rules would also be expanded, however, to apply expressly to “electronic communication services for the purpose of transmitting direct marketing communications,” rather than only to the “use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail [as defined].”
The draft proposal is envisaged to apply from May 25, 2018. (In addition, the Commission has scheduled a review of the law 3 years after it becomes applicable.) The proposed rules, if adopted in the form proposed, would be significant for industry, although a draft would have a long way to go before enactment. (The GDPR took four years to finalize from the point it was first proposed.) The European Parliament and Council will review the proposal before all three institutions debate its provisions in trilogue. This process will likely result in amendments to the proposal.
The CJEU recently handed down a significant judgment on its interpretation of the E-Privacy Directive in relation to national data retention laws. More details can be found in our recent article on the judgment.
InsidePrivacy will be tracking and reporting on these developments.