January 10, 2017 marked another important step towards reform of the EU data protection framework, with the release of the EU Commission’s proposals for a new Regulation governing privacy and electronic communications.
The main aims of the draft Regulation are to update the ePrivacy Directive to reflect new technologies and to better align it with GDPR. In addition to taking effect on the same day as the GDPR (25th May, 2018), the draft Regulation envisages the same penalties for non-compliance as the GDPR (i.e. potentially fines of €20m or 4% of annual global turnover, whichever is higher).
Extension of Scope – OTT Providers and Internet of Things
In addition to traditional telecoms services, over-the-top (“OTT”) service providers, such as instant messaging and web-based email services, are captured by the draft Regulation. Such OTT providers are generally not subject to the existing e-Privacy Directive, which the Commission views as a clear example of the law not keeping pace with technological developments. The draft Regulation casts a wide net: such OTT service providers will include services which “enable interpersonal and interactive communication merely as a minor ancillary feature.”
Likewise, the draft Regulation expands the definition of “electronic communications service” to include machine-to-machine communications. Effectively, this brings ‘internet of things’ devices within scope to the extent that the devices communicate with one another.
Cookies and Consent
The Commission acknowledges that this change in direction will lead to “potentially significant cost savings and simplification” and will be generally welcomed by website operators.
Rules on Electronic Direct Marketing
Use of electronic communications for direct marketing requires the individual’s consent. Consent is aligned with the definition contained in the GDPR, i.e. an “opt-in”. This is effectively the same as the current e-Privacy Directive. There is an exception to this rule where the electronic contact details have been obtained in the course of a sale, and certain other conditions apply (known as the “soft opt-in” exception under the e-Privacy Directive).
- Organizations should monitor the progress of the draft Regulation – which will subsequently be analyzed and debated by the Council and Parliament, the other EU law-making institutions.
- Given the anticipated timeline of the draft Regulation and the alignment with the GDPR, once it is finalized, organizations would be wise to seek advice as to the specific applicability of the Regulation to their activities alongside any GDPR readiness efforts.