Modernisation of EU Data Protection Rules Continues: Proposed ePrivacy Regulation aims at simplifying cookie rules and involving new players
The newly proposed Regulation on electronic privacy would apply to new players providing electronic communications services, decrease red tape around cookies, and allow more extensive big data analysis with user consent. National data protection authorities would have the power to impose hefty fines for infringements.
The European Commission is proposing a new Regulation on Privacy and Electronic Communications to replace the current ePrivacy Directive transposed into the Finnish Information Society Code. The proposed legislative measure is a directly applicable EU regulation, meaning that a single set of rules would be applied across the whole EU.
The proposed ePrivacy Regulation complements the General Data Protection Regulation (GDPR), which was adopted in 2016 and applies from 25 May 2018 onward. Several key elements of the GDPR are also central to the ePrivacy Regulation, such as the consent requirements, privacy by design and privacy by default, as well as the high penalties for infringements.
The ePrivacy Regulation would, however, apply to processing of all electronic communications data, not just that comprising personal data. Protection and rights of the end users are provided not only to individuals but also to companies. The proposal is also intended to apply to the transmission of machine-to-machine communications.
What is proposed?
Among others, the proposal includes the following key features:
- Increased scope of applicability: The ePrivacy Regulation would apply whenever electronic communications services are provided to end users located in the EU, regardless of where the service provider is established.
- New players: Provision of internet based communication services, such as instant messaging, voice over IP and web-based email, would be included within the scope of the ePrivacy Regulation. This means that the new digital communication services would have to guarantee the same level of privacy as traditional telecom operators.
- Simplified cookie rules: To tackle "consent-fatigue", the Commission proposes that no consent would be required for non-privacy intrusive cookies; for example, when they are only used to track visitor numbers or to improve user experience by remembering shopping cart history. As previously interpreted in Finland, browser settings could be validly used EU-wide to accept and consent to cookies, meaning that a significant proportion of businesses would be able to do away with cookie banners and notices.
- Less spam: Whether sent via email, SMS, phone or any other technological means, direct marketing communications to individuals and companies alike would require the user's prior consent. Depending on national law, people would either be protected by default or be able to register on a do-not-call list to block marketing phone calls. In addition, marketing callers would need to display their phone number or use a special prefix indicating a marketing call.
- Use of communications content and metadata: Unless the user has given consent to the processing, the data would have to be either anonymised or deleted, except where it is needed for billing purposes. The ePrivacy Regulation would stress the highly confidential nature of electronic communications and introduce strict rules on the processing of electronic communications data. The proposal lays down a presumption that the processing of content data results in a high risk to the rights and freedoms of natural persons, which would, with certain exceptions, trigger an obligation to consult the supervisory authority prior to the processing, in accordance with the GDPR.
- New business opportunities: The possibilities to process electronic communications metadata, such as location, the time of a call or the websites visited, would be broadened on the basis of the end user's consent. This aims at creating new opportunities. For example, electronic communications services could develop their businesses and provide additional services through big data analysis by producing, say, heat maps indicating the presence of people or displaying traffic movements.
- Stricter enforcement: The task of enforcing the proposed ePrivacy Regulation would be given to the national data protection authorities, which will also be responsible for enforcing the GDPR. These authorities would have the power to impose administrative fines for infringements of the ePrivacy Regulation in line with the fines introduced by the GDPR. Depending on the infringement, the maximum fine could reach EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover, whichever is higher. In addition, the member states could lay down rules on other penalties applicable to infringements of the ePrivacy Regulation, in particular for infringements not subject to administrative fines.
What happens next?
The Commission's proposal has started the EU legislative process, and the proposed ePrivacy Regulation still needs to be adopted by the European Parliament and the Council of the European Union, both of which are expected to propose their own amendments to the text.
The Commission's aim is for the proposal to become applicable at the same time as the GDPR, in other words from 25 May 2018 onward.
We will be monitoring the progress of the Commission's proposal and will report back with updates.