The draft ePrivacy Regulation has been trundling through the EU legislative bodies for the past couple of years, and is making some progress. On 4 October 2019 the European Council issued a revised draft of the Regulation, which is still subject to change.
The Regulation was initially due to come into force at the same time as the GDPR, and is intended to complement the GDPR and relate to electronic communications specifically. However inconsistencies with the GDPR and unanswered questions around parts of the draft have created uncertainty.
We consider some of the key differences between the revised draft and the current legislation below.
The material scope provisions have been updated and expanded. As with the current legislation, the rules place privacy obligations on telecoms operators, internet service providers, and those carrying out consumer direct marketing using electronic means. Specifically, the Regulation will apply to:
- the processing of electronic communications content and metadata carried out in connection with the provision and use of electronic communications services;
- the processing of data collected from end users’ terminal equipment;
- the offering of a publicly available directory of end-users of electronic communications services; and
- the sending of direct marketing communications using electronic communications services.
The Regulation will apply where services are being targeted at the EU, whether or not the service provider is established in the EU. Therefore, as with the GDPR, the Regulation will have extraterritorial effect.
The provisions around direct marketing are broadly similar to the current rules.
The definition of “direct marketing communications” has been updated and revised to mean “any form of advertising, whether written or oral, sent via a publicly available electronic communications service directly to one or more specific end-users, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message, etc“. There is a general prohibition on the sending of unsolicited electronic direct marketing communications to individuals who have not consented, and the exception to obtaining consent where the communications are being sent in the context of the purchase by individuals of similar products or services (known as the “soft opt-in” exception) has been maintained. However the consent provided now needs to match the high threshold for valid consent that is required by the GDPR. The Regulation also states explicitly that the sender of electronic direct marketing communications needs to provide certain information each time they send a communication, including their contact details, details of their identity, and the rights of the recipient.
Bases for Processing Data and Content
The draft contains more detail around the bases for processing of electronic communications data.
The processing of such data (which may include both content and metadata) may be carried out generally in certain circumstances, such as to achieve the transmission of communications, to maintain the security of networks, and for compliance with legal obligations. Without prejudice to these general circumstances, the processing of content (i.e., text/voice/videos/images) may only be permitted where further conditions apply, for instance where it is necessary for the provision of a service requested by an end-user with their consent and causing no harm to others, or the consent of all concerned end-users has been provided. Processing of metadata (e.g., date/time/duration and type of communication) may also only be done where certain conditions apply, including where it is necessary for managing or optimising networks, necessary for billing, based on consent, or necessary in emergencies.
Protections Regarding Terminal Equipment
Whereas the privacy concerns underpinning the current legislation were focussed on data collected through cookies on browsers, the concerns have now expanded to the wider collection of information from end-users’ terminal equipment, such as around app access to data on mobile devices. Such collection and processing of information is generally prohibited unless certain exceptions apply. The exceptions include that the collection is necessary for the sole purpose of transmitting a communication, the end-user has consented, or it is necessary to provide a service requested by the end-user.
As a general rule, the Regulation states that use of the processing and storage capabilities of terminal equipment, or access to information stored in terminal equipment (for instance using cookies) “should be limited to situations that involve no, or only very limited, intrusion of privacy” unless the consent of the relevant end-user has been provided. The consent must be GDPR-standard and innovative technical means should be used to try and prevent users from being overloaded with consent requests and information.
The potential maximum fines that can be issued by supervisory authorities under the GDPR (up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher) have been carried across to the draft of the Regulation. Breaches regarding the confidentiality of communications, bases for processing electronic communications data, time limits for erasure, and non-compliance with orders by supervisory authorities would be subject to the highest fines.
The amount of redline in the current draft suggests that there is still much tuning, let alone fine-tuning, to be done to the proposed ePrivacy Regulation. The draft has also attracted criticism from industry associations which consider it to create uncertainty on several fronts, though fully support its objectives. The draft is awaiting first reading in the European Parliament and we do not expect it to be finalised by the end of this year.