Presentation of the Proposal for new ePrivacy Regulation
On January 10, 2017, the European Commission (“Commission”) issued the proposal for a Regulation on Privacy and Electronic Communications (E-Privacy Regulation, hereinafter also referred to as the “Proposal”). This Regulation will repeal and supersede the current Directive 2002/58 (“E-Privacy Directive”). The existing provisions provide privacy-related rules for telecommunications, marketing, and digital services that strengthen the provision contained in Directive 95/46/EC (“Data Protection Directive”).
The Proposal follows the last major update, the General Data Protection Regulation (hereinafter “GDPR”), for a better set of comprehensive rules about privacy and privacy rights of individuals, and to ensure consistency between the two Regulations.
The Commission anticipated its proposal by stating that the new rules will introduce major changes. Metadata, for example, is to be anonymized or deleted if users did not give their consent, unless the data is needed for billing; on the other side, once consent is given for communications data - content and/or metadata - to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses; the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined; no consent is needed for non-privacy intrusive cookies improving internet experience or cookies used by a website to count the number of visitors; unsolicited electronic; marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
The Article 7 of the Proposal obliges the provider of the electronic communications service to erase electronic communications content or make that data anonymous after receipt of electronic communication content by the recipients. The Proposal states that data may be recorded or stored by the end-users or by a third party entrusted by them to record, store or otherwise process such data, in accordance with provisions set forth by the GDPR.
Telecommunication over-the-top (“OTT”) services are taken into consideration by the Proposal. The Cmmission clearly states that the Proposal will also apply to so-called “OTT providers”, such as instant messaging and chat apps providers. Whilst several popular OTT providers comply more or less with the principle of confidentiality of communications, the protection of this fundamental right will be increasingly directed towards forms of request for consent for the use of software and application of such providers, accompanied by more information for users about their privacy settings. These principles will be achieved also by relying on the supervisory authorities and on the consistency mechanism of the GDPR.
By centralizing users’ consent in software such as Internet browsers and prompting users to choose their privacy settings and expanding the exceptions to the cookie consent rule, a significant amount of businesses would be able to avoid the use of cookie banners and notices, thus leading to potentially significant cost savings and simplification. The law requiring consent for the use of certain cookies will be reformed, so that cookies shall be not implemented except where: i) the end-user has provided his consent; or, ii) it is necessary for the purpose of carrying out communications over a network. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (‘always accept cookies’) and intermediate (‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings, asserts the Commission, should be presented in an easily visible and intelligible manner.
Where an entity obtains electronic contact details via electronic mail from its customer, in the context of the sale of a product or a service, in accordance with the GDPR, that entity may use these electronic contact details for direct marketing regarding its own similar products or services provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. Such right to object shall be given at the time of collection and each time a message is sent. In other cases, where consent is not collected, the entity using electronic communications services for the purposes of placing direct marketing calls must either make available an hot line on which they can be contacted; or present itself with a specific code/or prefix identifying the fact that the call is a marketing call.
In general, there will be higher fines for breaches compared than before. The Proposal takes the same approach as the GDPR by introducing fines up to 20 million Euro or 4% of total worldwide turnover, whichever is greater.
The Proposal is set to be applied and enforced from May 25, 2018.
If you want to know more, click here.