The E-Privacy Regulation: An Overview

This is an overview of the e-Privacy Regulation (‘ePR’), which will replace Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), or ‘e-Privacy Directive’. The e-Privacy Directive protects the confidentiality of electronic communications and applies to publicly available electronic communications services. In the U.K., the Privacy and Electronic Communications Regulation (“PECR”) implements the e-Privacy Directive.

In January 2017, the European Commission published a draft version of the ePR. In recognition of the pace of technological advancement and changes in the nature of marketing, the ePR aims to further harmonise data protection across European Union Member States, with particular focus on online and direct marketing and alignment with the principles of the GDPR. There was particular concern about the tracking of individuals.

Whilst the GDPR protects personal data and relates to individuals, the ePR relates to all types of data communicated by electronic means. It therefore includes the confidentiality of communications between companies. The e-Privacy Directive (and the ePR) covers the technical security of publicly available communications services, confidentiality of those communications, consent to electronic marketing, certain restrictions to the processing of traffic and billing data, and the anonymisation of location data.

Who does it apply to?

A key feature is that it greatly extends the scope of the e-Privacy Directive to cover so-called ‘over-the-top’ (OTT) internet-based electronic communications services such as Facebook Messenger, WhatsApp, Viber, Skype and the like. It also applies to services not only accessed via the Internet, but consisting wholly or partly in the conveyance of signals, such as Voice over IP and machine-to-machine communications. It applies to any type of direct marketing communication and to communications through the so-called ‘Internet of Things’.

The ePR also covers OTT services where the communication element is only an “ancillary” feature linked to another service. This means that in theory, any website or app that includes a communication component comes within its remit. However, it does not apply to closed groups of end users, for example corporate intranet networks, but will apply to closed social media profiles and groups that users have restricted as private.

Like the GDPR, it is proposed that the ePR applies to electronic communications data that is processed in connection with the offering of the service in the European Union (‘EU’), whether or not the actual processing takes place in the EU. This means it applies globally to anyone who gathers data from the devices of persons in the EU, whether or not payment is involved.

The Changes

The most controversial areas of the ePR are: the scope of its application, data subject consent, cookies and tracking walls, metadata, and direct marketing.

Consent

The Commission’s proposal for Article 9 (now amended to 4a) of the ePR adopted the GDPR’s definition of consent, permitting end-users to withdraw their consent at any time. Consent in the context of the ePR will be to the same standard as the GDPR, i.e. ‘clearly distinguishable, intelligible, in clear and plain language, freely given, informed, and a clear affirmative action’.

The European Data Protection Board, in a statement on the revision of the e-Privacy Regulation[1], has highlighted its support for the restrictive approach of the ePR, such as the prohibition of reliance on ‘legitimate interests’ and the general purpose of ‘performance of a contract’ to process electronic communications content and metadata. This has been a big issue and feeds into how cookies, data analytics and metadata will be approached.

Cookies, Data analytics, Metadata

In general, the current consent rule for cookies is unchanged. Prior consent is already required unless the cookie is strictly necessary for electronic communication with the subject. Consent, in line with the GDPR, will need to be freely given. The ePR specifies that users must be provided with cookie consent choices that have real meaning. The aim is to give individuals control over the use of cookies. At present, most will accept cookie walls without reading the terms of the cookie policies. The outcome is that service providers will not be able to include cookie walls for their users.

Responsibility for obtaining consent will move away from individual websites to the browser providers. It is proposed that the default settings of browsers, or of the software that controls cookies, are pre-set to prohibit third parties from storing information on the end user’s terminal equipment without explicit consent. Cookies used for frequency capping of ads, or for ad-serving, must be blocked by default unless a user opts to enable them.

The draft suggests consent will not just apply to cookies but also whenever information about the device is collected. Mobile device manufacturers and operating system manufacturers will have to ensure that software development kits (used by app developers to allow ad tech companies to collect data) are blocked by default.

However, consent will not be needed for cookies that do not invade privacy, such as those that improve functionality: for example, remembering an online customer’s shopping cart history.

Consent is also required to process metadata. Under the proposed rules, content and metadata derived from electronic communications (e.g., time of a call, location, duration, websites visited) will need to be anonymised or deleted if users have not given their consent, unless the data is essential, for instance, for billing purposes. Permitted processing of metadata has been broadened to include where it is necessary to deal with security risks, for network management and optimisation, and for statistical counting.

Marketing

The Commission’s proposal is to ban unsolicited electronic communications by any means if users have not given their consent. Electronic marketing (SMS, email and the like) therefore essentially remains the same, including a ‘soft opt-in’ for contacting existing customers to offer “similar goods and services”, so long as they are given a right to object.

However, unlike the GDPR, there is no provision for reliance on legitimate interest in the context of marketing. Further, unlike the e-Privacy Directive, there is no reference to ‘negotiations’, so the use of the ‘soft opt-in’ exception will become more restrictive.

There are also new transparency requirements for direct marketing calls. Marketing callers will be required to use a specific prefix number so that the receivers of the calls recognise the calls as relating to marketing.

Liability

The ePR, like the GDPR, gives individuals broader rights and allows representative bodies to bring claims on behalf of individuals, or groups of individuals. Fines for breach of the ePR are also similar:

  • 2% of global turnover for providers of devices and software who fail in their privacy obligations.
  • 4% for breaches of communications secrecy requirements, cookies and the use of metadata.

Where are we now?

The text was first proposed by the Commission in January 2017. Re-drafts were submitted by the Council in September and December 2017, and amendments proposed by the Parliament in October 2017 to Articles 2, 8, 9 and 10.

The Bulgarian Presidency published discussion papers in March, April and May 2018 incorporating a vast number of changes to the Commission’s January 2017 proposal. There have been five meetings of the Council Working Party on Telecommunications and Information Society (WP TELE) since January 2018. There were two more in May 2018 to discuss changes to Article 2(2) and Article 11, and other outstanding amendments. Issues debated have been: connected line identification, incoming call blocking, publicly available directories, data retention, direct marketing and the processing of metadata.

On 25 May 2018, the Bulgarian Presidency published a progress report on the WP TELE discussions and the written comments submitted by delegations.[2] The Bulgarian Presidency’s draft states that the ePR will come into force one year after its publication in the Official Journal of the European Union, which is estimated to be around Spring 2019. However, there are still issues to determine, and a consensus draft of the ePR is unlikely to be reached during the Bulgarian Presidency. Most notable are: the ground of legitimate interest as a basis for processing, the permitted processing of metadata, cookie consent, and the protection of terminal equipment and privacy settings. The Council’s WP TELE is still negotiating in meetings this month.

Austria takes over the Presidency on 1 July 2018. Only once a common position within the Council is agreed can trilogue discussions with the European Parliament and European Commission begin.


If you are interested in any further information or advice, please contact my clerks on: 01823 247 247.


[1] Released 28 May 2018

[2] https://www.politico.eu/wp-content/uploads/2018/05/POLITICO-council-progress-report-e-privacy-May-18.pdf