The current ePrivacy Directive regulating electronic communications that covers the rules on cookies and e-marketing will be replaced soon by the ePrivacy Regulation. The full name is: ‘Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC’ (‘Regulation on Privacy and Electronic Communications’). Its final content and the effective date is not known at this time, but a draft was published in early 2017, which is not expected to change substantially before it becomes applicable. Although the ePrivacy Regulation was supposed to be published together with the General Data Protection Regulation (GDPR), the final draft is expected in 2019.
The ePrivacy Regulation is lex specialis to the GDPR, which means that it particularises and complements the rules on the electronic communications sector. As a result, compliance with both laws is mandatory. As you probably concluded based on your experience preparing for the GDPR – it is definitely a great idea to start implementing the requirements of new legislation into your business as soon as possible!
Background: Why do we need the change coming with ePrivacy Regulation?
The Regulation will in fact update the currently applicable ePrivacy Directive and address technology developments that have occurred over the past 15 years (i.e. the Internet of Things and other new technologies that allow for tracking online behaviour). The form of the Regulation will make it directly applicable throughout the EU, without the need to transpose it into national law of the EU countries. Like the GDPR, the Regulation aims to harmonise laws across the EU, but it also allows the EU Member States to further specify some provisions, such as the rules governing how voice–to-voice calls may be marketed or the obligation to display the caller ID.
The ePrivacy Regulation is strongly aligned with the GDPR. Thus, the definitions of the GDPR do apply, as well as the rules on breach notification and the amount of fines for non-compliance with the provisions. Furthermore, the same data protection authorities are responsible for both monitoring and enforcing compliance with the regulations.
ePrivacy Regulation vs. GDPR: Understanding the main differences
As mentioned above, the ePrivacy Regulation further specifies the GDPR provisions. Whereas the GDPR governs all personal data in general, the ePrivacy Regulation solely pertains to electronic communications and the information integrity of one’s device (both personal and non-personal data).
In addition, the GDPR grants individuals a set of data protection rights, which European citizens strongly demanded. As an obvious consequence, the GDPR has introduced an array of new obligations for companies that process personal data. The ePrivacy Regulation, on the other hand, deals with apps and other internet communication services and prohibits the interception, recording or tapping of communications.
What’s new about the ePrivacy Regulation?
More electronic-communication service providers
The new rules will apply to all providers of electronic communication services, including so-called ‘Over The Top’ and ‘Voice over Internet Protocol’ providers (OTTs and VoIPs) and instant and social media messaging services such as WhatsApp, Skype, Facebook Messenger, etc. They will be governed by the same legislation as traditional telecom operators.
Like the GDPR, the ePrivacy Regulation also applies to non-EU providers who offer their services to end-users located in the EU, irrespective of whether the actual data processing takes place in the EU or not. This means, that your company may be obliged to designate an EU representative in one of the countries where the end-users of your services are located. The representative’s main job is to answer questions and provide information to supervisory authorities and end-users on all issues related to the processing of communications data.
The Regulation defines ‘electronic communications data’ as both electronic communications content and metadata, e.g. time, location and duration of a call. ‘Electronic communications data’ was defined in this way because the collection and/or processing of such information may itself be an infringement on one’s (i.e. the data subject’s) privacy.
Cookies and other tracking technologies
The GDPR set strickter standards for obtaining users’ consent (freely given, specific, informed and unambiguous), and it seems that the ePrivacy Regulation will introduce additional new rules concerning cookie consent.
For example, the Regulation will allow users to give such consent by changing certain settings of the Internet browser or other application, wherever this is technically possible and feasible. This should prevent users from having to consent to cookies every time they visit a webpage, as they will be able to make this decision via the settings in their general preferences. Such a solution is assumed to be more user friendly and could end the annoying issue of repetitive cookie banners popping up on every website.
The good news is: consent is not required for ‘first-party cookies’, which are non-intrusive with respect to privacy yet are necessary to improve/enhance the internet experience of users. However, this means that any non-essential or third-party cookies – including Google Analytics and the like – will not be covered by this exemption and will require end-users’ consent.
E-marketing communication is only allowed for your existing customers of similar products or if a person has explicitly consented to this. In both situations, the e-marketing recipient must be offered an opt-out option. These rules apply to both B2C and B2B communications.
In the case of voice-to-voice marketing, each EU country will decide individually if it will implement a do-not-call-lists to prevent marketing phone calls in general. Accordingly, such marketing callers may be obliged to either display their phone number or a code/prefix indicating that the call is of a marketing nature. The Commission will specify such a code/prefix in the future.
As the scope of the ePrivacy Regulation has extended to new electronic-communication service providers, these rules will apply to all methods of e-marketing communications, including push notifications and the like.
How to prepare for the ePrivacy Regulation?
- Map all the data flows (internal and external)
- Determine all the communication services used
- Establish which devices are utilised for communications
- Audit your security measures
- Secure all the devices that are connected to your company’s network
Keep an eye on the ePrivacy Regulation updates! For instance, the Article 29 Working Party (WP29) have published an extensive opinion on the ePrivacy Regulation proposal. It covers both the positive and negative aspects and also provides recommendations for further improvement of the legislation.