Data Protection Report - Norton Rose Fulbright

On 10 January 2017, the European Commission published the official proposal of the revised e-Privacy Regulation, which amends the current e-Privacy Directive. Many of the alarming changes that were included in the leaked December draft of the Regulation, which we covered, have been changed, resulting in a practical set of rules that align with the wider EU data protection framework. Below, we highlight key points in the official proposal.

Background

The current law on privacy in relation to electronic communications is set out in the e-Privacy Directive (as amended). Among other things, the e-Privacy Directive governs the performance of electronic direct marketing, the use of certain location data and cookies (and other similar technology), and requires that communications data be kept confidential. Because the current law is an EU directive, Member States have each had to implement the requirements of the e-Privacy Directive into their national laws (often with significant divergences).

The intention behind the review and proposed reform of the existing e-Privacy Directive was to assess the existing law’s effectiveness and relevance in the context of today’s technological environment and also to ensure consistency with the General Data Protection Regulation (the GDPR) and across Member States. Following this review, the Commission has, through the proposed Regulation, set out what it considers to be “up to date and effective rules” to ensure that the privacy of electronic communications is protected. It further notes that it considers the new Regulation to strike the right balance between offering a high level of protection for consumers, while allowing businesses to innovate.

Key Points

The key points to note on the e-Privacy Regulation are as follows:

Legislative Approach

The new e-Privacy legislation will be introduced as a regulation. This means that, once enacted, the legislation will be simultaneously and immediately enforceable in Member States, tracking the EU’s general move towards a harmonised approach to privacy across the European Union.

Alignment with the GDPR

Unsurprisingly, the Regulation aligns the rules for electronic communications with the GDPR. The new Regulation is intended to apply from 25 May 2018, the same date as the GDPR. The Regulation requires that the supervisory authority responsible for monitoring compliance with the GDPR in Member States also be responsible for monitoring compliance with the e-Privacy Regulation. Perhaps most significantly, the Regulation’s approach to penalties closely mirrors that in the GDPR, with potential fines for non-compliant organisations being as high as EUR 20 million (approximately US$21.5 million) or 4% of worldwide annual turnover.

Territorial Scope

Similar to the GDPR, the Regulation will be extended to cover communications service providers not established in the EU, but who provide services to end-users in the EU. As with the GDPR and the NIS Directive, such overseas service providers will be required to designate a representative in a Member State.

General Scope

In accordance with the aim of bringing the existing legislation up-to-date and of trying to ensure the legislation is as future-proof as possible, the scope of the new Regulation is expanded to apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as WhatsApp, Skype, Gmail, and other communication services, rather than applying only to internet service providers. The Regulation also covers machine-to-machine communications, showing that it applies in the “Internet of Things” sphere too.

Confidentiality of Communications

Communications data must be kept confidential except to the extent necessary to transmit the communication, or to maintain the security of, or detect faults in, the services. Other uses of both content and metadata (communications source and destination, device location, date, time, duration and type of communication) are possible only where the purpose cannot be achieved without the content and in anonymised form and where the end-user has consented. There are limited carve outs (e.g. for billing purposes).

Marketing

The Regulation continues to mandate that electronic marketing to individuals (B2C) be made only with consent of those individuals to the electronic marketing to be carried out. Despite this requirement, a business continues to be permitted to market its own similar products or services to an individual who purchased a product or service from the business, provided that the individual has been given the right to opt-out (commonly known as the “soft opt-in”). Against the spirit of harmonisation, it leaves Member States to set the exact rules as to the level of protection that end-users that are “legal persons” (B2B) should receive (but it suggests some sort of protection should be offered).

The Regulation requires those placing direct marketing calls to transmit caller ID information, or present a specific code or prefix identifying the fact it is a marketing call. There are also mandatory rules relating to caller identification and caller blocking, which assist the end-user in avoiding unwanted calls generally.

Cookies and Privacy by Design

The end-users’ consent remains the key basis for allowing the use of cookies and other tracking technology in most cases. Standardized icons representing the various uses of such technologies are encouraged but not mandated. The Regulation clarifies that no consent is needed for first party non-privacy intrusive cookies. Although the recitals suggest that no consent would be needed for the use of analytics cookies, the text provides that only first-party analytics cookies do not require consent (thereby requiring consent for third-party analytics services commonly used by website publishers).

One of the most notable provisions of the draft leaked in December was the provision relating to ‘Privacy by design’, which required technology providers to configure all terminal equipment and software (e.g. browsers) so that their default setting would prevent third parties from storing information on, or using information about, a user’s device. This is no longer reflected in the Regulation, which will come as a relief to businesses. The Regulation now states that browser software must offer the option to prevent third parties from storing information on terminal equipment of any end-user or processing information already stored on that equipment. The user must be informed of the privacy settings and given a choice to consent upon installation. For software already installed at 25 May 2018, such requirements will need to be complied with at the first update of the software, though this will have to be undertaken no later than 25 August 2018 (meaning that some software companies may have to update their software where they might not otherwise have done so).

Whether browser settings can achieve sufficient granularity to avoid the need for cookie consent “pop ups” remains to be seen.

Consent

The onerous condition for obtaining consent set out in the GDPR shall apply where the Regulation requires end-user consent. Among other things, the GDPR requires that consent language is separate from other information and is unbundled (i.e. consent will be required for each type of electronic marketing). It also requires that it must be as easy to withdraw consent as to give it.

Next Steps

This proposed Regulation will need to be considered and agreed by the European Parliament and the Council before it is adopted. The Commission is calling on the European Parliament and the Council to work swiftly to ensure the adoption by 25 May 2018, when the GDPR comes into application.

Our Take

The official proposed e-Privacy Regulation presents a more practical approach than the December leaked draft, and we expect that it will be welcomed by businesses. Nevertheless, the Regulation expands the scope of the current law to more service providers, expands the territorial scope, imposes new requirements relating to privacy setting options in software and creates more onerous requirements regarding how consent is obtained. It also significantly increases the penalties for violations. All this, coupled with the Commission’s tight timescale for implementation of the Regulation, means that all the businesses subject to the Regulation will need to carefully and promptly consider the new e-Privacy regulation and how they will comply with the requirements.

Alastair Mavor, a Trainee Solicitor in the London Office, contributed to this post.
