On 10 January 2017, the European Commission published the official proposal of the revised e-Privacy Regulation, which amends the current e-Privacy Directive. The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.
Background of ePrivacy
The current e-Privacy Directive (Directive 2002/58/EC) is part of the EU regulatory framework for communications. It aims to reinforce trust and security in digital services in the EU by ensuring a high level of protection for privacy and confidentiality in the electronic communications sector, as well as seeking to ensure the free movement of personal data and of electronic communications equipment and services in the EU.
In proposing this legal act, the EU Commission follows the same approach as the GDPR: fostering harmonisation by relying on the legal instrument of a regulation, which is directly applicable in all EU Member States and, in contrast to the ePrivacy Directive, does not need to be transposed into local law.
Key points of ePrivacy Regulation
Below, we highlight some key points of the official proposal.
The new e-Privacy legislation will be introduced as a regulation. This means that, once enacted, the legislation will be simultaneously and immediately enforceable in Member States, tracking the EU’s general move towards a harmonised approach to privacy across the European Union.
Alignment with the GDPR
Unsurprisingly, the Regulation aligns the rules for electronic communications with the GDPR. The new Regulation is intended to apply from 25 May 2018, the same date as the GDPR.
Similar to the GDPR, the Regulation will be extended to cover communications service providers not established in the EU, but who provide services to end-users in the EU. As with the GDPR and the NIS Directive, such overseas service providers will be required to designate a representative in a Member State.
Confidentiality of Communications
Communications data must be kept confidential except to the extent necessary to transmit the communication or to maintain the security of, or detect faults in, the services. Other uses of both content and metadata (communications source and destination, device location, date, time, duration and type of communication) are possible only where the purpose cannot be achieved without the content and in anonymised form and where the end-user has consented. There are limited carve-outs (e.g. for billing purposes).
The Regulation continues to mandate that electronic marketing to individuals (B2C) be carried out only with the consent of those individuals. Despite this requirement, a business continues to be permitted to market its own similar products or services to an individual who purchased a product or service from the business, provided that the individual has been given the right to opt out (commonly known as the “soft opt-in”).
The onerous conditions for obtaining consent set out in the GDPR shall apply where the Regulation requires end-user consent. Among other things, the GDPR requires that consent language is separate from other information and is unbundled (i.e. consent will be required for each type of electronic marketing). It also requires that withdrawing consent be as easy as giving it.
This proposed Regulation will need to be considered and agreed by the European Parliament and the Council before it is adopted. The Commission is calling on the European Parliament and the Council to work swiftly to ensure the adoption by 25 May 2018, when the GDPR comes into application. Read more on the ePrivacy Regulation website of the European Commission.