e-Privacy Directive and Reform
The European Commission (the “Commission”) conducted a study in 2015 and launched a public consultation in 2016 to review and update the electronic communication sector and e-Privacy Directive to reflect technological developments and to align e-Privacy laws with the General Data Protection Regulation ((EU) 2016/679). The current e-Privacy Directive (2002/58/EC) was first introduced in 2002 and later amended in 2009. It applies to the processing of personal data in connection with electronic communications services in public communications networks within the EU and has been adopted by all member states.
Whilst the Commission’s review was resisted by telecoms bodies who called for a repeal of the e-Privacy regime, the text leaked from the draft e-Privacy Regulation in December 2016 and, now, the published draft e-Privacy Regulation confirm that the Commission will be taking a more stringent approach to (amongst other things) online and direct marketing, the use of cookies and the processing of location data, with a view to improving individuals’ privacy and providing businesses with new opportunities.
On 10 January 2017 the Commission published the draft e-Privacy Regulation (COM(2017) 10 final) (the “Regulation”), which is intended to replace the current e-Privacy Directive (2002/58/EC) and will be applied throughout the EU (allowing for more streamlined compliance procedures across all 28 member states).
Some of the main features of the draft Regulation are summarised below.
- Scope. The Regulation will apply to all electronic communications service providers (such as WhatsApp, Facebook Messenger and Skype) rather than just traditional telecoms service providers as provided under the current e-Privacy Directive.
- Confidentiality. The importance of confidentiality has been emphasised and all electronic communications must be kept confidential. Interference (such as listening, tapping, intercepting, scanning and storing of communications such as SMS messages, emails or voice calls) is prohibited without user consent. Consent is given the same meaning as under Article 4 of the GDPR.
- Communications content and metadata. Metadata (for example, timing, location and duration of a call) and user browsing history will need to be anonymised or deleted unless consent has been given by the users to its retention (save where the data is required for billing). Existing rules limiting how traditional telecoms operators can use this data have been expanded (subject to consent and compliance with certain safeguards) giving businesses the opportunity to expand their service offering.
- Devices. Information stored in end-user terminal equipment (for example, tablets and laptops) cannot be accessed except where consent has been given or where use of device capabilities or collection of information is necessary to facilitate technical provision of services to the user.
- Spam. Consent must be given before any unsolicited commercial communications can be sent (although the current soft opt-in for electronic mail remains). Member states may also create rules allowing individuals the right to object to marketing calls (by registering for a do-not-call list). Marketing callers will be required to display their caller ID or use a special prefix which identifies a marketing call.
- Cookies. The consent process for internet users is being simplified with the introduction of varying levels of privacy through users’ browser settings. The requirement for banner-type cookie consents is being removed. Cookies which are not privacy-intrusive will not require consent (for example, those used to improve user experience, remember shopping cart history and maintain login information for the same browsing session).
- Enforcement. National data protection authorities will be responsible for enforcing the new Regulation (as for the GDPR). Fines for non-compliance in relation to notice and consent, unsolicited communications and default privacy settings could be up to €10 million or 2% of worldwide annual turnover of an undertaking (whichever is higher). Higher fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher) may be enforced for breaches of the provisions on confidentiality, processing of electronic communications data and limits on data erasure time periods. Individuals will have remedies against both data controllers and data processors and a right to compensation for material or non-material damage.
The Commission anticipates the Regulation will come into force from 25 May 2018, alongside the GDPR. Although this is ambitious (the Regulation is only at the start of a lengthy legislative process), the draft Regulation is shorter and narrower in scope than the GDPR and may not take as long to finalise; businesses should therefore keep watch over the next eighteen months so that they are prepared for any additional hurdles the Regulation presents and can maintain their compliance with e-Privacy laws.