The European Commission has released proposals for new legislation that seeks to create stronger privacy in electronic communications. The draft Privacy and Electronic Communications Regulation (the “Regulation”) is intended to replace the ePrivacy Directive (2002/58/EC) and will also bring the law in line with the new rules as set out in the General Data Protection Regulation (the “GDPR”) as part of the process to modernize the data protection framework in the EU. As a regulation (rather than a directive) it will apply uniformly across the EU as there will be one single set of rules which will crease more legal certainty, save for certain prescribed areas where EU Member States can have their own rules.
The key requirements of the Regulation are as follows:
- Modern communication methods: The Regulation will apply not only to traditional telecoms operators, but also to instant messaging, Voice over IP and internet-messaging services e.g. WhatsApp, Skype, iMessage and Gmail.
- Confidentiality: All communications made electronically must be confidential, subject to certain exceptions, for example where an individual has provided their consent.
- Cookies: The rules in relation to cookies and consent to use cookies are to be changed so that non-privacy intrusive cookies that improve internet usage will not require consent. However, consent will be required for other cookies and technologies that track an individual’s online behaviour. More information will also need to be provided about the various privacy setting options in order to adjust the ability of cookies to be placed on an individual’s browser.
- Communication metadata: Companies may process metadata from communications provided that it is necessary to carry out the service, for billing purposes or consent has been provided.
- Storage and erasure: Electronic communications metadata should be erased or anonymised when it is no longer needed for the purpose of sending a communication.
- Spam and direct marketing communications: Consent will be required before marketing communications can be made via automated calling machines, SMS or email. This will also apply to phone calls, unless national law gives individuals the right to object to such calls by, for example, being able to put yourself on a “do-not-call” list.
- Marketing caller information: There are also requirements to provide certain identification information on calls and there are possibilities set out to block calls from unwanted numbers.
- Penalties: Penalties will align with the harsher penalties that will be introduced by the GDPR, such that the maximum penalty for non-compliance with provisions such as the confidentiality and processing of communications will become the higher of EUR 20 million and 4% of an undertaking’s worldwide turnover. Penalties for non-compliance with provisions such as those in relation to cookies and unsolicited communications will become the higher of EUR 10 million or 2% of an undertaking’s worldwide turnover. In addition, an individual will be able to obtain compensation for damage suffered by them as a result of a breach of the Regulation from the person who has breached the Regulation.
The European Parliament and Council of Ministers will now analyse the draft and must formally approve the legislation before it becomes law. The European Commission hopes that this can take place swiftly so that it can become law on 25 May 2018, along with the GDPR. We will keep you updated on the progress of this Regulation.