Earlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the law up-to-date and to align it with other developments in European data protection law. We understand that the leaked draft is still under discussion (and may have been superseded). Nevertheless, the leaked draft may foreshadow what will be contained in the official draft, which sources at the International Association of Privacy Professionals (IAPP) say is expected to be released in January 2017. Based on the leaked draft, we expect that many technology companies and online advertisers will not be happy with the official draft.
The intention behind the review and proposed reform of the existing ePrivacy Directive was to assess the existing law’s effectiveness and relevance in the context of today’s technological environment and also to ensure consistency with the General Data Protection Regulation (the GDPR). As part of this review, the EU engaged both citizens and industry representative stakeholders and concluded that there was a need for “measured reinforcement of privacy/confidentiality” and “simplification” in the new ePrivacy law. (We have previously covered the Article 29 Working Party’s opinion recommending changes to the ePrivacy Directive.)
Here are some interesting points from the leaked draft:
- It’s a Regulation: The leaked draft is a regulation, meaning that it will apply directly in a harmonised way across all Member States. (This is in contrast to the current ePrivacy Directive, which has had to be implemented into each Member State’s national laws.) Given that the backbone of European data protection law (the GDPR) will be a regulation from May 2018, it is unsurprising that the proposed new ePrivacy law is also in the form of a regulation. As with the GDPR, Member States will still be given some freedom to deviate from the Regulation, particularly in the area of national security.
- Alignment with the GDPR: One aim of the review was to achieve consistency with the GDPR and a number of provisions in the proposed Regulation demonstrate this alignment. As with the GDPR, the draft has a broad territorial scope and applies to the provision of electronic communication services (e.g. voice telephony, SMS services and the “OTT” services referred to below) from outside the EU to end users in the EU. The fining regime also aligns with the fining regime under the GDPR, exposing organisations that breach the law to fines of up to 4% of worldwide annual turnover for breaches of communications secrecy requirements, cookies requirements and the rules on the use of metadata.
- It applies to “OTT” services: In line with the aim to keep up with technological developments and despite some heavy lobbying by technology companies, the leaked draft indicates that the new Regulation will apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as WhatsApp, Skype and other messenger services. This expansion in scope is achieved by the broad definition of “electronic communications services” in the leaked draft, which encompasses services of this type.
- Marketing: The leaked draft does not draw a distinction between corporate and individual subscribers and requires all end users to consent to direct marketing communications undertaken via electronic communications services. The conditions for consent in the Regulation are those higher standards set out in the GDPR. Telephone marketing continues to be permitted on an opt-out basis, but the proposed Regulation would require entities placing marketing calls to use a specific code or prefix identifying that it is a marketing call.
- Implementation: The leaked draft states that it will take effect just six months after it enters into force, clearly demonstrating the Commission’s objective to ensure that this Regulation comes into force at the same time as the GDPR. Whether that will be possible remains to be seen. In practice, this will mean that the draft will need to be finalised by the end of Q3 of 2017. This is an exceptionally tight timeframe, especially given the nature of some of the changes that this leaked draft suggests will be included, which will need to be considered and agreed.
Revisions to the ePrivacy law have been expected for some time, and this leaked draft reveals some potentially significant areas of change, especially in the context of privacy by design and the default opting out of cookies. We think that a number of industry groups, especially in the area of online advertising, will have some major concerns about many of these areas and will be keen to have their views heard. This, and the rest of the finalisation process, will need to be done to a very tight timetable, so 2017 looks set to be an interesting year in the area of ePrivacy.
We will continue to monitor the development of this Regulation and provide a more detailed analysis when the official draft is published in the New Year.