Draft e-Privacy Regulation published by EU Commission

On 10 January 2017, the European Commission presented its formal proposals for a new ePrivacy Regulation. These represent an overhaul of privacy rules relating to direct marketing, cookies and similar technologies, and other forms of online monitoring.

The Commission’s aim is to have the new Regulation adopted by 25 May 2018. Accordingly, unless the UK Government conducts its Brexit negotiations in under fifteen months (and assuming that Article 50 is triggered as planned by the end of March 2017), this Regulation will have direct effect on the UK.

In this article, we’ll take a look at the existing law forming the backdrop against this reform, examine the key features of the new draft Regulation, and offer our take on the likely benefits and challenges of the new regime.

Existing Law

At EU level, the Regulation will repeal the Privacy and E-Communications Directive 2003 (the “PECD”). Nationally, the Regulation will repeal the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The PECR provides a body of rules on marketing calls, emails, texts and faxes, cookies, security of communications and customer privacy in respect of metadata. Under the existing law, a range of enforcement powers exist to ensure compliance, including criminal prosecution, and a fine of up to £500,000.

Purpose of the Regulation

Electronic communication services have evolved significantly over the past decade, with consumers and businesses relying more and more on communication via internet based services. However, existing laws have not kept pace and do not reflect current commercial practices. Most significantly, they fail to cover many key internet based services which have risen to prominence over the last ten years, for example, so called Over-The-Top (“OTT”) communication services, such as Skype, Gmail and WhatsApp.

Against this backdrop, the Commission has introduced the draft Regulation to reinforce trust and security in the Digital Single Market. Crucially, the draft Regulation also seeks to align the rules for electronic communication services with the standards set in the General Data Protection Regulations (“GDPR”).

Relationship with GDPR

It is important to note that the draft e-Privacy Regulation is being published in the wake of the GDPR, the EU’s new framework for data protection law, due to come into force on 25 May 2018. If you would like to find out more about the GDPR and the impact it may have on your business, please click here to access our guide.

The GDPR and the draft e-Privacy Regulation are distinct in scope. The GDPR only applies to the processing of the personal data of individuals. It does not cover business-to-business communications or communications between individuals, which do not include personal data. Accordingly, the e-Privacy Regulation will provide specific rights and protections which are not provided under the GDPR.

A central purpose of the draft e-Privacy Regulation is to align privacy rules with the GDPR, so that they complement one another. To this end, both Regulations share certain key definitions, such as “consent”, and enforcement mechanisms.

Key features of the Draft Regulation

  • Broader scope – The Regulation captures broader technologies, such as Voice Over IP (e.g. Skype), instant messaging (e.g. Facebook Messenger) and web-based email services (e.g. Gmail), which do not currently fall within the scope of the existing law.
  • Consent – the definition of “consent” is stricter than under the existing law, which simply requires a freely given, specific and informed indication of the individual’s wishes, by which the individual signifies his agreement. The new definition (which is the same as under the GDPR) requires a freely given, specific, informed, active and unambiguous consent, expressed by a clear statement of affirmative action.
  • Cookies – New rules are introduced in respect of the use of cookies and similar technologies which can track users’ activities. In particular, the Regulation supports the use of built in browser settings which will allow users to express consent, opting for either a high or low level of security. This may lead to reduced use of cookie banners. The new rules also require software providers to integrate settings into their products which facilitate simple opt-in and opt-out choices for users. Accordingly, these new rules present a significant change for providers of browsers and software developers.  As under the existing law, cookies required to ensure the proper functioning of websites, such as “session cookies”, will not require consent.
  • Direct marketing – The rules relating to direct marketing remain similar to under the PECR. Restrictions on unsolicited marketing communications apply to all direct marketing communications sent via “electronic communication services”, which is more broadly defined than under the previous law. The Regulation distinguishes between B2C and B2B communications. In respect of B2C communications, the Regulation requires the sender to obtain the consent of individuals for direct marketing purposes (with the exception of email marketing for similar products and services in limited situations, “the soft opt-in”). In respect of B2B communications the Regulation leaves it to Member States to ensure that the legitimate interests of corporate end-users are sufficiently protected from unsolicited communications. Overall, the Regulation emphasises the need for marketing to be transparent i.e. making clear that the relevant communications are marketing, disclosing the identity of entity doing the marketing and facilitating opt outs.
  • Content and metadata – Both content and metadata are covered by the Regulation, and both will need to be anonymised or deleted if users have not given consent, (though there are exceptions e.g. if such content/metadata is required for billing purposes).
  • Enforcement – The penalties under the new Regulation are significantly increased, and mirror those under the GDPR. A two tier penalty regime is established: i) Fines of up to 10 million EUR or 2% of annual worldwide turnover (whichever is higher). This will apply for breaches including infringement of the cookie rules. ii) Fines of up to 20 million or 4% of annual worldwide turnover (whichever is higher). By way of example, this will apply for breach of the principle of confidentiality of communications.

Data protection authorities in Member States (which are in charge of the rules under the GDPR) will enforce the e-Privacy Regulation. The UK’s data protection authority is the Information Commissioner’s Office (“ICO”). This does not represent a change for the UK as the ICO is the UK’s enforcement body under current e-Privacy law.

Pluses and Minuses

Overall, reform of this area is long overdue, so as to reflect the evolution of communication technologies and today’s commercial practices. Rules relating to cookies and tracking technologies are clearer, more appropriate to current technologies, and should ensure greater transparency. Users will generally gain a greater level of control over their privacy, facilitated by theoretically simpler and more user friendly mechanisms. In addition, replacing the e-Privacy Directive with a directly effective Regulation will ensure that one single set of rules is applied across the EU. This consistency should be fortified by uniform application of the Regulation though enforcement by data protection authorities, (the same bodies that administer compliance with GDPR).

However, it is clear that the Regulation will increase the burden on many businesses. This will be especially true for businesses which fall within scope for the first time (e.g. OTT providers), or providers of browsers and software developers who will need to integrate new settings into their products to comply with the cookie rules. However, in other respects the burden on some businesses may be reduced e.g. browser cookie settings may remove the burden on individual websites to obtain consent.

Next steps

Following its publication, the draft Regulation will now be scrutinised by EU legislators in the European Parliament and Council of Ministers. The approval of both bodies must be received in order for the legislation for it to take effect. As previously stated, the Commission’s aim is to have the new Regulation adopted by 25 May 2018. Whether this deadline is met will depend to a large degree on the level of scrutiny and attention received by the bill during the legislative process.

This article was written by Paul Herbert, Partner, Corporate, with assistance from Emily Kearsey, Trainee Solicitor.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.