e-Privacy Directive and Reform

The European Commission (the “Commission”) conducted a study in 2015 and launched a public consultation in 2016 to review and update the electronic communication sector and e-Privacy Directive to reflect technological developments and to align e-Privacy laws with the General Data Protection Regulation ((EU) 2016/679). The current e-Privacy Directive (2002/58/EC) was first introduced in 2002 and later amended in 2009. It applies to the processing of personal data in connection with electronic communications services in public communications networks within the EU and has been adopted by all member states.

Whilst the Commission’s review was resisted by telecoms bodies who called for a repeal of the e-Privacy regime, leaked text from the draft e-Privacy Regulation in December 2016, and now, the published draft e-Privacy Regulation, confirms the Commission will be taking a more stringent approach to (amongst other things) online and direct marketing, the use of cookies and the processing of location data with a view to improving individuals’ privacy and providing businesses with new opportunities.

On 10 January 2017 the European Commission (the “Commission”) published the draft e-Privacy Regulation (COM(2017) 10 final) (the “Regulation”) which is intended to replace the current e-Privacy Directive (2002/58/EC) and will be applied throughout the EU (allowing for more streamlined compliance procedures across all 28 member states).

Some of the main features of the draft Regulation are summarised below.

• Scope. The Regulation will apply to all electronic communications service providers (such as WhatsApp, Facebook Messenger and Skype) rather than just traditional telecoms service providers as provided under the current e-Privacy Directive.
  
  
• Confidentiality. The importance of confidentiality has been emphasised and all electronic communications must be kept confidential. Interference (such as listening, tapping, intercepting, scanning and storing of communications such as SMS messages, emails or voice calls) is prohibited without user consent. Consent is given the same meaning as under Article 4 of the GDPR.
  
  
• Communications content and metadata. Metadata (for example, timing, location and duration of a call) and user browsing history will need to be anonymised or deleted unless consent has been given by the users to its retention (save where the data is required for billing). Existing rules limiting how traditional telecoms operators can use this data have been expanded (subject to consent and compliance with certain safeguards) giving businesses the opportunity to expand their service offering.
  
  
• Devices. Information stored in end-user terminal equipment (for example, tablets and laptops) cannot be accessed except where consent has been given or where use of device capabilities or collection of information is necessary to facilitate technical provision of services to the user.
  
  
• Spam. Consent must be given before any unsolicited commercial communications can be sent (although the current soft opt-in for electronic mail remains). Member states may also create rules allowing individuals the right to object to marketing calls (by registering for a do-not-call list). Marketing callers will be required to display their caller ID or use a special pre-fix which identifies a marketing call.
  
  
• Cookies. The consent process for internet users is being simplified with the introduction of varying levels of privacy through users’ browser settings. The requirement for banner-type cookie consents is being removed. Cookies which are not privacy-intrusive will not require consent (for example, those used to improve user experience, remember shopping cart history and maintain login information for the same browsing session).

• Enforcement. National data protection authorities will be responsible for enforcing the new Regulation (as for the GDPR). Fines for non-compliance in relation to notice and consent, unsolicited communications and default privacy settings could be up to €10 million or 2% of worldwide annual turnover of an undertaking (whichever is higher). Higher fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher) may be enforced for breaches of the provisions on confidentiality, processing of electronic communications data and limits on data erasure time periods. Individuals will have remedies against both data controllers and data processors and a right to compensation for material or non-material damage.

The Commission anticipates the Regulation will come into force from 25 May 2018, alongside the GDPR. Although ambitious (the Regulation is only at the start of a lengthy legislative process), the draft Regulation is shorter and narrower in scope than the GDPR and may not take as long to finalise; businesses should therefore keep watch over the next eighteen months to ensure they are prepared for any additional hurdles the Regulation presents to ensure their continued compliance with e-Privacy laws.