The European Commission has released proposals for new legislation that seeks to create stronger privacy in electronic communications. The draft Privacy and Electronic Communications Regulation (the “Regulation”) is intended to replace the ePrivacy Directive (2002/58/EC) and will also bring the law in line with the new rules as set out in the General Data Protection Regulation (the “GDPR”) as part of the process to modernize the data protection framework in the EU. As a regulation (rather than a directive) it will apply uniformly across the EU as there will be one single set of rules which will crease more legal certainty, save for certain prescribed areas where EU Member States can have their own rules.

The key requirements of the Regulation are as follows:

  • Modern communication methods: The Regulation will apply not only to traditional telecoms operators, but also to instant messaging, Voice over IP and internet-messaging services e.g. WhatsApp, Skype, iMessage and Gmail.
  • Confidentiality: All communications made electronically must be confidential, subject to certain exceptions, for example where an individual has provided their consent.
  • Cookies: The rules in relation to cookies and consent to use cookies are to be changed so that non-privacy intrusive cookies that improve internet usage will not require consent. However, consent will be required for other cookies and technologies that track an individual’s online behaviour. More information will also need to be provided about the various privacy setting options in order to adjust the ability of cookies to be placed on an individual’s browser.
  • Communication metadata: Companies may process metadata from communications provided that it is necessary to carry out the service, for billing purposes or consent has been provided.
  • Storage and erasure: Electronic communications metadata should be erased or anonymised when it is no longer needed for the purpose of sending a communication.
  • Spam and direct marketing communications: Consent will be required before marketing communications can be made via automated calling machines, SMS or email. This will also apply to phone calls, unless national law gives individuals the right to object to such calls by, for example, being able to put yourself on a “do-not-call” list.
  • Marketing caller information: There are also requirements to provide certain identification information on calls and there are possibilities set out to block calls from unwanted numbers.
  • Penalties: Penalties will align with the harsher penalties that will be introduced by the GDPR, such that the maximum penalty for non-compliance with provisions such as the confidentiality and processing of communications will become the higher of EUR 20 million and 4% of an undertaking’s worldwide turnover. Penalties for non-compliance with provisions such as those in relation to cookies and unsolicited communications will become the higher of EUR 10 million or 2% of an undertaking’s worldwide turnover. In addition, an individual will be able to obtain compensation for damage suffered by them as a result of a breach of the Regulation from the person who has breached the Regulation.

The European Parliament and Council of Ministers will now analyse the draft and must formally approve the legislation before it becomes law. The European Commission hopes that this can take place swiftly so that it can become law on 25 May 2018, along with the GDPR. We will keep you updated on the progress of this Regulation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kelly McMullon Kelly McMullon

Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for…

Kelly M. McMullon is special international labor, employment & data protection counsel in the Labor & Employment Law Department and member of the Firm’s International Labor & Employment, Privacy & Cybersecurity and Sports Groups. Kelly has been recommended in Legal 500 UK for her “responsiveness and practicality.”

Kelly assists clients in a variety of sectors including financial services, asset management, life sciences, fintech, consultancy, retail, sports, leisure and manufacturing in a wide range of contentious and non-contentious matters.

In her employment practice, she provides general day-to-day counselling and advice on all employment-related issues, including hires, terminations, grievances and redundancies, as well as the employment aspects of transactions.

In her data protection practice, Kelly provides strategic advice as well as practical support and guidance on all aspects of data protection compliance, including international transfers of personal data, data breaches, direct marketing and employee data protection concerns. She also provides advice on the data protection aspects of transactions.

Kelly also has experience working with businesses on CSR and ESG initiatives, human rights and modern slavery issues.

Kelly is a contributor to Proskauer’s International Labor and Employment Law and Proskauer on Privacy blogs and is the Editor for Proskauer on Privacy’s “International Data Privacy” chapter. She regularly provides training and speaks on employment and data protection issues.

Her pro bono experience includes counselling not-for-profit organizations on data privacy and employment-related issues.