ePrivacy laws - draft Regulation leaked
20 December 2016
As anticipated, a draft of the proposed replacement EU ePrivacy law has been leaked. While this draft still appears to be under review, it does provide an interesting indication of what we are likely to see in the proposed legislation next month. Given the extent of discussion around this revision, and the attention given to cookies over the last few years, it does not contain many surprises.
The aim of European ePrivacy legislation is to ensure protection of privacy and confidentiality in the electronic communications sector. Since the last revision of the legislation in 2009, the sector has evolved significantly from a technological standpoint. New "over the top" (OTT) services have become prevalent but are not caught by obligations in the current ePrivacy Directive which are imposed on more traditional communications services. As part of the Commission’s Digital Single Market Strategy the data protection framework has been reformed and telecoms legislation is in the process of being updated in a proposed European Electronic Communications Code. The Commission had committed to reviewing the ePrivacy Directive to ensure consistency with these pieces of legislation and to create a level playing field for all market players. This legislation includes rules on confidentiality of communications, placing of cookies on terminal equipment and sending unsolicited marketing messages.
Some key points to note are:
The leaked legislation is drafted as a Regulation
The existing legislation is a Directive and has led to particular confusion as a result of differences in local implementation, which are complicated to manage in a global operation. As a Regulation, it will have direct applicability in the EU, applying 6 months from when it enters into force. This timing may be intended to ensure it applies around the same time as the General Data Protection Regulation (GDPR).
It is closely aligned with the GDPR and the proposed European Electronic Communications Code
The leaked Regulation uses concepts and definitions from the GDPR and the proposed European Electronic Communications Code (Code) which is helpful. For example, where consent is required, the conditions for valid consent set out in the GDPR apply. The cooperation and consistency procedures that apply to supervisory authorities under the GDPR also apply to this Regulation.
OTT services are included
One of the more highly discussed aspects of the reform of ePrivacy legislation has been the extension to OTT services. The current ePrivacy Directive (and telecoms regulation more generally) has been criticised for not creating a level playing field between traditional telecoms and functionally equivalent OTT services. Correcting this was one of the key objectives of the Digital Single Market Strategy. In general, OTT services are not subject to laws implementing the current Directive, which the Commission feels creates a void of protection of confidentiality for the users of those services. The leaked draft Regulation therefore states that it covers internet access services and "services consisting wholly or partly in the conveyance of signals", as well as "interpersonal communications services (which may be number based or number independent)". This last category seems to pick up services like Facebook Messenger and WhatsApp even though they rely on existing internet access services. It may also cover machine to machine communication where personal data is involved, for example in relation to the Internet of Things.
Huge increase in potential fines for failure to get it right
The approach to fines follows that in the GDPR. This means that a breach of certain articles of the draft Regulation could lead to a fine of up to 4% of the total annual worldwide turnover of the undertaking in the preceding year or EUR 20,000,000 (whichever is the higher). Other breaches may attract a fine of (the higher of) up to 2% of annual worldwide turnover in the preceding year or EUR 10,000,000.
The draft uses a similar approach to the GDPR in setting out the territorial reach. It covers electronic communications data (both content and metadata) processed in connection with the provision of electronic communications services: (i) in the EU, regardless of whether the processing takes place in the EU; and also (ii) from outside the EU to end users in the EU. This will be of particular interest to OTT providers based outside the EU.
The rules on protection of information relating to terminal equipment remain onerous. These are often called the "cookies" rules but in fact extend more broadly to any use of a terminal equipment’s processing and storage capabilities and the collection of information about an end user’s terminal equipment (including software and hardware) by a third party. This is prohibited with a few limited exceptions, such as where it is necessary to provide the service requested or the end user has given prior consent for specific and transparent purposes. In certain circumstances consent for tracking cookies may be expressed by using technical settings of a software application which enables access to the internet (where technically possible and effective), or through browser settings (e.g. by actively selecting tracking). This will be a welcome change for users who are irritated by multiple pop-up banners, but not so welcome for those wishing to use tracking technologies.
The rules around unsolicited electronic communications are much the same. They still require prior consent (albeit with the higher GDPR standard of freely given, specific, informed, active and unambiguous consent). The "soft opt-in" for sending emails to existing customers about similar products or services remains.
We now wait for the formal proposal of this Regulation by the Commission. This is expected in January 2017, which does not leave long for any major changes to be made.