In January 2017, the European Commission published the proposed text of a new draft e-Privacy Regulation (ePR) as part of its ongoing drive to advance one of its key initiatives, the Digital Single Market.

Whilst the impending introduction of the GDPR has been dominating headlines for the past months, the ePR has gone somewhat under the radar. We set out the key points to look out for with regard to the ePR and who it is likely to apply to.

What is the ePR?

The ePR, along with the GDPR, is designed to overhaul the existing Privacy and Electronic Communications Regulations (PECR). The speed at which technology is advancing means the PECR has rapidly become outdated, so the introduction of the ePR and the GDPR will provide a new and extended privacy framework for electronic communications.

The ePR’s main objectives are:

  1. to ensure more stringent privacy rules for Over The Top Communication Services (OTTs). This includes instant messaging platforms such as WhatsApp, Skype and Facebook Messenger as well as traditional telecoms providers; and
  2. to ensure the rules under the ePR are aligned with those in the GDPR and that privacy laws are harmonised across all EU member states.

Who will the ePR apply to?

The new regulation will apply to all electronic communication providers. As mentioned above, this will now capture the new entrants into the market that provide electronic communications services, such as OTTs, as well as traditional telecoms providers. It will also extend to ‘interpersonal communications services’ that are ancillary to another service.

When is the ePR coming into force?

The ePR is due to come into effect by 25 May 2018, at the same time as its sister regulation, the GDPR. With little more than a year until implementation, the EU is working to a tight timetable as the ePR still needs to be reviewed and agreed by both the European Parliament and the European Council before it can be formally adopted.

ICO has confirmed that the UK government intends to implement both the ePR and GDPR before the UK leaves the EU.

What are the key features to be aware of?

Penalties. The penalties for non-compliance with the ePR are now broadly aligned with those set out in the GDPR. As such, organisations now face being hit with fines of up to €20 million or 4% of worldwide turnover for breaches of the ePR.

Territorial scope. The ePR will now extend to any entity that is based outside the EU but provides services to end-users within any EU member state territory.

Cookies. With the introduction of the ePR, fewer cookies will now require end-user consent. For instance, cookies with the purpose of ensuring ‘functionality’ (e.g. remembering items in a shopping cart) will no longer require consent. The ePR also aims to move away from the use of cookie banners in favour of configuring a user’s browser settings to accept cookies.

Spam and Direct Marketing. Service providers will now be required to obtain user consent prior to sending any unsolicited electronic communication addressed to that user or making any marketing calls to that user. Further, marketing callers will now be required to display their phone number or use a special prefix number that indicates a marketing call.

Metadata. The ePR will guarantee privacy for both the content of communications and the metadata (i.e. the data used to identify the communication by the time, date or individuals addressed). This data will now need to be deleted or anonymised where the user withholds his/her consent, except in certain circumstances, such as support/maintenance of the service.

What are the next steps?

Although the ePR is currently still under review and will not be implemented for another 12 months, businesses should be preparing for its arrival with the same diligence and effort as with the GDPR. The penalties for non-compliance are extremely strict and may have material financial repercussions on a business.

ICO has stated that it intends to release guidance on the ePR later in the year. This is subject to the EU agreeing a fixed timetable for reviewing the proposed draft of the ePR.