January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.
The draft Regulation, which goes beyond the scope of the current e-Privacy Directive in significant ways, would apply directly without the need for Member States to implement local law in the same way as the General Data Protection Regulation (“GDPR”). Like the e-Privacy Directive, the Regulation sets out rules on, among others, the use and confidentiality of electronic communications and metadata, use of cookies and direct marketing by electronic means.
The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with GDPR. In addition to taking effect on the same day as the GDPR (25th May, 2018), penalties for non-compliance envisaged by the draft Regulation are the same as the GDPR, (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).
Extension of Scope – OTT Providers and Internet of Things
In addition to traditional telecoms services, over-the-top (“OTT”) service providers, such as instant messaging and web-based email services, are captured by the draft Regulation. Such OTT providers are generally not subject to the existing e-Directive, which the Commission views as a clear example of the law not keeping pace with technological developments. The draft Regulation casts a wide net: such OTT service providers will include services which “enable interpersonal and interactive communication merely as a minor ancillary feature.”
Likewise, the draft Regulation expands the definition of “electronic communications service” to include machine-to-machine communications. Effectively, this brings ‘internet of things’ devices within scope to the extent that the devices communicate with one another.
Cookies and Consent
While use of cookies will still require the consent of individuals, the rules on obtaining this consent (usually obtained by way of a banner or pop-up) have been relaxed considerably. The draft Regulation allows for consent to be expressed “by using the appropriate technical settings of a software application enabling access to the internet.” In other words, browser settings will amount to legitimate consent. To this end, the draft Regulation requires web browsers to inform users of their choice to turn off cookies during installation, suggesting a range of options from “reject all” to “accept all” cookies.
The Commission acknowledges that this change in direction will lead to “potentially significant cost savings and simplification” and will be generally welcomed by website operators.
Rules on Electronic Direct Marketing
Use of electronic communications for direct marketing requires the individual’s consent. Consent is aligned with the definition contained in the GDPR, i.e. an “opt-in”. This is effectively the same as the current e-Privacy Directive. There is an exception to this rule where the electronic contact details have been obtained in the course of a sale, and certain other conditions apply (known as the “soft opt-in” exception under the e-Privacy Directive).
Recommendations
- Organizations should monitor the progress of the draft Regulation – which will subsequently be analyzed and debated by the Council and Parliament, the other EU law-making institutions.
- Given the anticipated timeline of the draft Regulation and the alignment with the GDPR, once finalized organizations would be wise to seek advice as to the specific applicability of the Regulation to their activities alongside any GDPR readiness efforts.