On January 10, the European Commission published the proposed text for the new e-Privacy Regulation. This new e-Privacy Regulation, if adopted, will replace the current e-Privacy Directive and will establish, together with the General Data Protection Regulation, GDPR, a new privacy legal framework for electronic communications.
The proposal is intended to be lex specialis to the GDPR. Presumably to ensure consistency with the GDPR, the entry-into-force provision of the leaked text has been amended to state expressly that the e-Privacy Regulation will come into force on the same date as the GDPR (25 May 2018). With many legislative hurdles still to be cleared before the text is adopted, this is an ambitious timeline for the EU legislators.
Because the proposal, like the leaked text, takes the form of a Regulation rather than a Directive, it will be directly applicable in all EU Member States, which should help to harmonize this new privacy framework for electronic communications.
As anticipated in our alert of December 15 on the leaked text, the new e-Privacy Regulation significantly tightens the rules for online and direct marketing.
The cornerstones of the proposed e-Privacy Regulation are:
Broader material and territorial scope
The new e-Privacy Regulation will apply to all providers of electronic communications services, including so-called "over-the-top" service providers, such as voice over IP, instant messaging and email providers, which are not subject to the current e-Privacy Directive. It will also apply to providers established outside the EU that provide electronic communications services (free and/or paid) to end-users in the EU.
Use of electronic communications data
As a general rule, electronic communications data, which includes both content and metadata, may be processed only where necessary for the specific purposes set out in the Regulation, or to maintain or restore the security of the networks and services and to detect technical faults or errors.
Beyond that general rule, the proposal sets out separate conditions for the use of content and for the use of metadata:
Content may be used either (i) for the sole purpose of providing a specific service to the end-user, if the end-user or end-users concerned have consented and the service cannot be provided without processing the content; or (ii) when all the end-users concerned have given their consent for one or more specified purposes that cannot be fulfilled if the information is rendered anonymous (in that case, the service provider must consult the competent data protection authority before starting the processing).
The proposal also introduces new rules on the storage and erasure of electronic communications content. Service providers must erase the content, or render it anonymous, once it has been received by the intended recipient or recipients. The content may then be recorded or stored by the end-users themselves, or by a third party they have entrusted to record, store or otherwise process it, in accordance with the GDPR.
Metadata may be used (i) where necessary to meet mandatory quality-of-service requirements, for billing, for calculating interconnection payments, or for detecting and/or stopping fraudulent or abusive use of, or subscription to, electronic communications services; or (ii) when the end-user has given consent for one or more specified purposes that cannot be fulfilled if the information is rendered anonymous (in that case, the service provider must consult the competent data protection authority before starting the processing).
Once the permitted purpose has been fulfilled, the metadata must be erased or rendered anonymous. Where metadata is processed for billing purposes, it may be kept until the end of the period during which a bill may lawfully be challenged.
Cookies and similar technology consent rules
The proposal keeps the Directive's consent requirement for cookies and similar technologies, except where their use is (i) necessary for the sole purpose of carrying out the transmission of a communication; or (ii) strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end-user. The proposal also keeps the derogation, already present in the leaked text, for first-party "web audience measuring" cookies.
The proposal allows consent to be given via browser settings, which will require significant changes from browser providers. Browsers must obtain a clear affirmative action from the end-user of the terminal equipment to signify his or her freely given, specific, informed and unambiguous agreement to the storage of third-party tracking cookies in, and access to them from, the terminal equipment.
All developers of software permitting electronic communications must also offer the option to prevent third parties from storing information on, or processing information already stored in, the terminal equipment. They must inform the end-user of the available privacy settings during initial set-up and, to continue with the installation, require the end-user to consent to a setting. Software already installed when the Regulation enters into force (intended to coincide with the GDPR) must be updated to comply with these consent requirements at the time of its first update, and no later than 25 August 2018.
The collection of information emitted by terminal equipment (such as the IMSI, IMEI or MAC address) will be allowed only if (i) it is done exclusively in order to establish a connection, for the purpose of that connection and for the time necessary to do so; or (ii) a clear and prominent notice is displayed giving, at a minimum, the information required under the GDPR (the modalities and purpose of the collection, the person responsible for it, and the measures the end-user can take to minimise or stop it). In the second case, the collection is also conditional on appropriate technical and organisational measures being applied to ensure a level of security appropriate to the risks, as set out in the GDPR.
Direct marketing rules
The definitions of direct marketing and electronic communications are broader than those in the Directive. The proposal distinguishes between B2C and B2B communications. For B2C communications, the sender must obtain the prior consent of the individuals concerned before sending direct marketing communications. For B2B communications, the proposed Regulation leaves it to the Member States to ensure that the legitimate interests of corporate end-users are sufficiently protected from unsolicited communications.
As under the Directive, consent is not required to market a sender's own similar products or services to existing customers whose contact details were obtained in the context of a sale. In that case, individuals must be given a clear right to object, free of charge, both when the details are collected and in each message sent.
- The proposal introduces fines in line with the GDPR: up to EUR 10,000,000 or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the unsolicited communications rules, and up to EUR 20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for unlawful processing of electronic communications data.
- To ensure consistency with the GDPR, the proposal makes the national data protection authorities (the GDPR supervisory authorities) responsible for enforcing the Regulation, and it relies on the same consistency mechanism as the GDPR.
- End-users are granted the same remedies as under Articles 77 (right to lodge a complaint with a supervisory authority), 78 (right to an effective judicial remedy against a supervisory authority) and 79 (right to an effective judicial remedy against a controller or processor) of the GDPR. A right to compensation for damage suffered is also envisaged.
- Interference with electronic communications data is prohibited except when permitted by the Regulation.
- Opt-in and opt-out rules will apply to publicly available directories depending on whether the end-user is an individual or a legal entity. Providers must obtain the consent of individuals before including their data in such directories, whereas legal entities can be included on an opt-out basis. Both individuals and legal entities must be given the means to verify, correct and delete the data to be included in the directories.
- End-users will have the right to prevent the presentation of their calling line identification and to reject incoming calls where the caller has withheld the number.
- Providers of publicly available number-based interpersonal communications services must offer end-users the means to block incoming calls from specific numbers or from anonymous sources, and to stop automatic call forwarding by a third party to their terminal equipment.