updated on 10 April 2018
What do you need to know about the forthcoming ePrivacy Regulation?
On 25 May 2018 the General Data Protection Regulation (GDPR) will come into effect. Many headlines have been written about the risks of non-compliance with the GDPR and many organisations will have spent months preparing for its introduction. However, 25 May 2018 is also the date the European Commission has proposed for the commencement of the ePrivacy Regulation (EPR). The EPR has not attracted as much attention as the GDPR, in part because of its more limited application and because it is still in draft form. However, the two are intended to work in tandem. Organisations should therefore familiarise themselves with the proposals and track the progress of the legislation to ensure that they can achieve or maintain compliance. This article will provide a brief overview of the proposals, the debate, and the next steps.
The EPR will replace the existing ePrivacy Directive (EPD), and applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services and to information related to the terminal equipment of end-users. The EPR will bring the provisions of the EPD into line with the GDPR and address technological developments that have occurred since the EPD was implemented. Further, the EPR will ‘harmonise’ rules across member states, as EU regulations, unlike directives, are directly effective.
The European Commission released its draft EPR in January 2017. As compared against the existing EPD, a brief summary of some of the main changes proposed by the EPR is below.
The EPD applies to traditional telecommunication companies and internet service providers. However, the draft EPR also applies to over-the-top (OTT) providers (ie, capturing messaging applications such as WhatsApp and VOIP services such as Skype) and machine-to-machine (M2M) communication services (ie, capturing Internet of Things services).
Changes to cookie rules
The GDPR’s more onerous consent requirements will apply. However, in the press release that accompanied the draft EPR, the European Commission acknowledged that the EPD’s cookie rules resulted in “an overload of consent requests”. The draft EPR therefore attempts to address this by allowing browser settings to be pre-configured to accept or refuse tracking cookies and other identifiers. This will have to be done as part of the browser set-up. The EPR also proposes that consent will not be needed for various types of cookie, such as functional cookies that improve user experience and first-party analytic cookies.
The draft EPR allows for the collection of data emitted by terminal equipment to enable it to connect to another device and/or network equipment. This could be used to, for example, monitor location data emitted by mobile phones in a public space to determine levels of traffic. The draft EPR allows this kind of activity where there is a clear and prominent notice, and so does not require consent.
The EPR proposes to align the sanctions for non-compliance with the sanctions under the GDPR. This means that breaches under the EPR could attract fines of up to 4% of annual worldwide turnover or up to €20 million, whichever is higher.
Since the draft EPR was published, the Article 29 Working Party (A29WP), EU Council and EU Parliament have published opinions or proposals for amendments. There are a number of areas of contention.
The A29WP and European Parliament expressed concern about the extent of device tracking permitted under the draft EPR, opining that consent or anonymisation should be required to allow such processing. The changes to the rules concerning cookies have also stirred debate. The A29WP suggested that “cookie walls”, which do not allow users to access a website until cookies have been accepted, should be prohibited. The A29WP and European Parliament agree that the default position for web browsers should be protective of users’ privacy, and that users should be given the choice to withdraw their consent every six months. There has also been some debate regarding the extended scope of the draft EPR. The A29WP, EU Council and EU Parliament have all either asked for clarification as to the extension, or suggested that not all M2M communications should be included. An area that is not up for debate is that breach of the new rules will carry the same penalties as breach of the GDPR.
On 26 October 2017 the European Parliament approved the decision of the Civil Liberties, Justice and Home Affairs Committee to amend the EPR. The next stage of the process is for the European Parliament to open negotiations with EU member states. It is now for the member states to determine their negotiating positions before the first reading in the European Parliament. There is currently no date set for the first reading. While the scope of the EPR is clearly narrower than that of the GDPR, it took the GDPR years, rather than months, to be finalised. Lobbyists on behalf of the marketing industry are likely to want to have their say on the rules that will shape their business. The European Council has described the proposed date of entry of 25 May 2018 as “unrealistic”.
Daniel Millard is a first-year trainee in the TTG Group at Cooley.