New ePrivacy Regulation
The European Commission recently published a draft of the new ePrivacy Regulation (“Regulation”). The law in this area was last reviewed in 2009, and since then technology and the way we use it have changed significantly. The new Regulation aims to align and build stronger privacy and data protection regulation in respect of electronic communications as part of the Digital Single Market Strategy, whilst providing businesses with new opportunities. The Regulation goes hand in hand with the new General Data Protection Regulation (“GDPR”), which will come into force in May 2018, to encourage better privacy and data protection regulation.
So what will the new Regulation propose?
1) The Regulation will iron out any differences between EU Member States in privacy and data protection in respect of electronic communications by making the rules a regulation rather than a directive. This means that the Regulation will apply directly in each EU Member State (like the GDPR), and businesses will therefore benefit from one single set of rules across the EU.
2) The Regulation will apply to a broader range of businesses that provide communication services other than traditional telephone calls and SMS messaging. For example, it would apply to services such as Skype, WhatsApp, Gmail, Facebook Messenger and any video/gaming apps that provide communication services. This is to ensure that the rules relating to privacy and confidentiality of communications are equal across the board and apply to such service providers in addition to the traditional telecoms operators.
3) The territorial scope of the Regulation will extend to non-EU service providers that provide electronic communication services to end users in the EU, whether or not the services are paid for.
4) Browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers, making this more user-friendly. Also, no consent will be required for non-privacy-intrusive cookies that aim to improve the online experience, e.g. remembering shopping cart history.
5) Metadata (data such as the timing, location and duration of a call) and user browsing history will need to be anonymised or deleted if a user has not given the service provider consent to retain such information (unless the service provider requires the data for certain purposes, such as billing). If businesses do receive consent from the user, this can afford them the opportunity to develop and offer new services, provided that they comply with certain privacy safeguards.
6) Probably the most important change is that there will be more stringent enforcement and increased sanctions for non-compliance. The data protection authorities will be responsible for the enforcement of the Regulation. Fines imposed can be up to €20,000,000 or 4% of worldwide turnover for serious breaches or €10,000,000 or 2% of worldwide turnover for less serious breaches. These mirror the sanctions set out in the GDPR.
When will it come into force?
The European Commission is determined that the Regulation will apply at the same time as the GDPR comes into force in May 2018. The deadline is ambitious, but businesses should take note of the proposals above and consider putting measures in place now, alongside the measures they should already be taking to ensure compliance with the GDPR.