The ePrivacy Regulation - Proposal for a Regulation on Privacy and Electronic Communications

In January 2017, the European Commission published a draft ePrivacy Regulation as part of a process to replace the current ePrivacy Directive, aiming to consolidate member state implementation and align with the General Data Protection Regulation (GDPR), which comes into force in May 2018.

Whilst the introduction of the GDPR has been dominating headlines for the past months, the proposed ePrivacy Regulation has somewhat gone under the radar.

The proposed ePrivacy’s main objectives are:

• to ensure more rigorous privacy rules for Over The Top Communication Services (OTT), including instant messaging platforms as well as traditional telecom providers;

• to ensure the rules are aligned with the GDPR and that privacy laws are harmonised across all EU member states.

The new Regulation could impact the manner in which online publishers electronically interact with EU citizens, including possible impacts to how publishers track users, collect data stored in users’ devices (including Internet of Things devices), and engage in direct marketing.

The current proposal includes some headline changes:

• Extra-territoriality and 4% fines: The new Regulation applies to data processed in connection with "electronic communications services" in the EU, regardless of whether the data is processed in the EU or elsewhere. It also applies to data associated with electronic communications sent from outside the EU to users in the EU. Breaches of some parts of the new Regulation can attract fines of up to 4% of annual worldwide turnover, just like the GDPR.

• Application to OTT, IOT, M2M and any provider of electronic communications services: The scope has been extended to apply to any company processing personal data in the context of delivering electronic communications and files, including traditional telecos as well as Over-the-Top (OTT) providers like Gmail, WhatsAppnand anyone using cookies or similar tracking technologies, or collecting information from end users’ terminal equipment. IOT and machine-to-machine communications also fall within the scope of some of its rules.

• Cookies and other online tracking devices: The focus shifts from website cookie banners to users’ browser settings, and seeks to address issues of ad-blocking and Wi-Fi location tracking.

• New rules for communications data: The new Regulation introduces new rules for processing communications content and communications metadata. The Regulation allows slightly wider uses of content and metadata.

• E-marketing: Opt-in is still required in most cases. There are slight new transparency requirements for direct marketing phone calls

As with GDPR, the UK government has confirmed that the new ePrivacy Regulation would be implemented in the UK before it leaves the EU.

The ePrivacy Regulation is due to come into effect in May 2018 alongside the GDPR.

This update is intended as a summary only and should not be regarded or relied upon as advice regarding any specific situation. For specific advice please contact our office.