The European Commission has proposed a new e-Privacy Regulation that will replace the current directive and overhaul the rules in relation to privacy and electronic communications.
The Commission intends to finalise and implement the e-Privacy Regulation in alignment with application of the new General Data Protection Regulation (GDPR) on 25 May 2018.
Organisations should take note of the upcoming changes and begin preparations now to ensure compliance by that date.
Why are the rules being changed?
The rules are being updated for a variety of reasons including the need for alignment with the more stringent rules to be introduced by the GDPR;
harmonisation of rules across the EU; and technological and economic advancements since the last revision of the e-Privacy Directive, which has seen both businesses and consumers rely on internet-based services enabling inter-personal communications (including VOIP, instant messaging and web-based e-mail services).
When will the changes take place?
The European Commission intends to finalise and implement the e-Privacy Regulation in alignment with application of the GDPR on 25 May 2018.
What are the main changes?
One set of rules: The e-Privacy Regulation will apply directly in a uniform way across all EU member states – this is the same approach as adopted by the GDPR. This differs from the current e-Privacy Directive, which was implemented into each member state’s law by national legislation, and via the Privacy and Electronic Communications Regulations (PECR) in the UK.
Territorial reach: In the same way as the GPDR, the proposed e-Privacy Regulation will have extra-territorial effect and will apply to the processing of electronic communications data carried out in connection with the provision of electronic communications services in the EU, irrespective of whether the actual processing takes place in the EU.
Expanded scope: In line with the aim to keep up with technological developments, the e-Privacy Regulation adopts a broad definition of “electronic communications services” so that the new rules apply not only to providers of the traditional telecoms services but also to providers of services that run over the internet (referred to as “over-the-top” or “OTT” service providers). This means that the new rules will apply to instant messaging providers (such as WhatsApp), social media messaging (like Facebook Messenger), VOIP (for example Skype) and web-mail (such as Gmail).
Rules on cookies: The rules on cookies will be changed and streamlined under the e-Privacy Regulation. The circumstances in which consent is not required appears broader and non-privacy intrusive cookies that merely improve internet usage (for example to remember shopping cart history) will not require consent at all. The regulation incorporates a more user-friendly tool that supports the use of in-built browser settings to express consent, which could reduce the need and use of cookie banners, and requires that software providers integrate settings into their products which allow users to opt-in and opt-out easily.
Direct marketing: Under the Regulation, electronic communications data can only be used for the purpose of direct marketing if the end-user has given consent for this specific purpose. The ability to object to data being used for direct marketing should be given when the data is collected and any time following that in which direct marketing is sent to the individual.
Privacy by design and impact assessments: In line with the GDPR, the e-Privacy Regulation advocates privacy by design – which means that organisations will be obliged to adopt an approach that promotes privacy and data protection compliance from the outset.
Enforcement and fines: Currently the UK’s Information Commissioner’s Office (ICO) can fine organisations up to £500,000 for breaches of PECR. The penalties under the e-Privacy Regulation will greatly increase as they align with the higher GDPR fines, namely:
• the higher of €20m or 4 per cent of an organisation’s total worldwide turnover and covers for example breaches related to time limits for erasure of data and unlawful processing
• higher of €10m or 2 per cent of an organisation’s total worldwide turnover and covers breaches associated with cookies and consent and privacy by design obligations
What can you do?
Whilst the e-Privacy Regulation is in draft format, an ambitious deadline of 25 May 2018 has been set, and there are some things that organisations can do to prepare (just as they prepare for the GDPR):
• Review policies (especially cookie policies) and procedures to assess whether they would comply with the new requirements under the e-Privacy Regulation (and the GPDR).
• Consider carrying out privacy impact assessments at the beginning of a project so that privacy is “baked” into the process from the beginning.
• Ensure that consent is sought appropriately and that it is an affirmative indication of the individual’s permission to obtain, store, and/or process data.
Whether the e-Privacy Regulation remains part of UK law post-Brexit will need to be decided; however, in terms of timing, it is likely that it will come into force before Brexit negotiations are concluded, so organisations should not delay in preparations.
Valerie Surgenor is a partner and specialist in intellectual property and information technology at law firm MacRoberts