The Commission recently published a proposal for a new ePrivacy Regulation. If adopted, this will replace the current Privacy and Electronic Communications (EC Directive) Regulations 2003.
The European Commission's research found that 92% of respondents to its survey care about their online privacy, including:
- the information on their devices
- the content of their emails and instant messages
- the trace of their activities online, and
- information stored on their physical devices
Therefore, the default position in the proposed Regulation is that content, metadata and information stored on users' devices is confidential, regardless of whether or not it is personal data.
The thrust of the proposed Regulation is to increase transparency to consumers and protect them from "surreptitious" monitoring and data gathering (a term used repeatedly in the proposal). This is in line with the Commission's approach in the General Data Protection Regulation (GDPR), so comes as no surprise.
So what's new in the proposed ePrivacy Regulation?
- Content in electronic communications, metadata related to electronic communications and information on users' devices cannot be accessed without consent, unless it is necessary to provide a service/transmit the data or necessary for billing.
- Consent will no longer be required for non-privacy-intrusive cookies. The UK regulator already takes this approach, but it was more lenient than its European counterparts. So consumers will no longer be faced with a pop-up if the only cookies on a website are strictly necessary or anonymous analytical cookies.
- Browser settings can be used as consent for cookies. The Commission has rowed back on its preferred approach to where users set their cookie preferences. Rather than requiring every website operator to have its own set of cookie controls, browsers and software which enables electronic communications should enable users to set cookie preferences, but in a more granular way than is currently possible.
- The Regulation will apply to 'over the top' providers (for example, Facebook Messenger, Skype, Gmail, iMessage, Viber and WhatsApp).
- The Regulation takes into account the Internet of Things as it also ensures the privacy of machine-to-machine communications.
How does the proposed Regulation fit with GDPR?
The Regulation is a separate piece of legislation to the GDPR but there are various parallels between the two:
- It is a Regulation not a Directive to increase harmonisation.
- There are huge fines, at the same levels as in the GDPR.
- The same regulator will be used in the UK - the Information Commissioner's Office.
- Extra-territorial effect - non-EU companies providing electronic communications services to EU citizens will be subject to the Regulation.
- It is born from the need to increase transparency for consumers.
- It includes specific reference to the use of standardised icons to allow users to quickly and easily understand the uses of their data.
- It uses the same definition of consent (and all definitions in the GDPR govern the proposed Regulation).
- The aim is adoption by May 2018 so that there is a simultaneous, comprehensive overhaul of the legal framework for privacy and data protection.
Is anything staying the same?
- As with GDPR, this proposal is not a sea-change from the current Regulation. It builds on the current foundations, with the rules about marketing consents remaining the same (although the drafting is not entirely clear on the existence of the soft opt-in). Any type of electronic marketing is clearly brought into scope and there are stricter requirements about caller identification.
- Consent must still be obtained for any privacy-intrusive cookies.
- The low threshold of damage that must be suffered before compensation can be granted or the regulator will investigate is maintained.
What do I need to do?
Nothing yet, as this is just a proposal for a Regulation. The Commission is pushing for it to be adopted and come into force at the same time as the GDPR, though.
If adopted in its current form, it will apply to new operators who have not previously been caught by electronic communications requirements. For those who have been caught previously, it will require changes to cookie notices, changes to software used for electronic communications and new consents for use of content and metadata linked to electronic communications.