Obviously, the GDPR (the new EU Data Protection Regulation) has been the focus of data protection news recently. However, in the shadow of the GDPR, a draft e-Privacy Regulation was also issued in January 2017, which, if adopted, would replace Directive no. 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Why do we need new regulation in the field of electronic communications?
- Several arguments can be raised as to why a revision of the existing rules is necessary. The adoption and entry into force of the GDPR can in itself justify the re-regulation of the electronic communications area, as this special area needs to be adapted to the new general data protection rules. The GDPR will also apply as a background regulation to the e-Privacy area.
- Similarly to the adoption of the GDPR in the form of a regulation, the adoption of an e-Privacy regulation would help to ensure the uniform application of the rules, because the provisions of the regulation will be directly applicable in the Member States.
- Existing rules should be reviewed and amended anyway, since technological development requires the revision of the rules from time to time (the ePrivacy Directive was revised in 2009 by Directive 2009/136/EC).
- In some areas, practical experience indicates that it may be necessary to modify the existing regulatory environment. An example of this may be the cookie regulation, which, as acknowledged in section 22 of the preamble to the draft e-Privacy Regulation, is no longer able to achieve the original purpose of providing information to and requesting approval from end-users. By modifying the rules (e.g. by providing consent through the use of appropriate settings on browsers and other applications), the process of obtaining consent may become more user-friendly.
What are the main provisions of the draft e-Privacy Regulation? What's new in the draft?
- The e-Privacy Regulation would cover the so-called OTT services ("over the top services"), such as Skype, Facebook Messenger, Gmail, iMessage, and WhatsApp. It is also clear that the e-Privacy Regulation applies to the Internet of Things (IoT).
- The e-Privacy Regulation, like the GDPR, would have extraterritorial effect, i.e. it would extend to providers of electronic communications services that are not established in the EU, if they provide electronic communications services to end-users within the EU (service providers who are not established in the EU must appoint a representative in writing).
- The e-Privacy Regulation applies to end-users who are natural persons and also to those who are legal persons. The e-Privacy Regulation should therefore ensure that the GDPR applies to legal person end-users in this respect (including the use of the GDPR’s concept of consent).
- There are references to the GDPR in connection with the concept of consent and its content. Consent can be revoked at any time and service providers must remind users every six months about this right.
- As a main rule, electronic communications data (including electronic communications content and electronic communications metadata) are confidential. Any interference with electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by the e-Privacy Regulation.
- The e-Privacy Regulation contains provisions regarding direct marketing communications. Basically, consent is required for direct marketing communications. However, where a service provider obtains electronic contact details for electronic mail from its customer in the context of the sale of a product or a service, the service provider may use these contact details for the direct marketing of its own similar products or services only if customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use (Member States' legislation may allow the use of an opt-out system in the given Member State instead of the opt-in system based on consent).
- The supervisory authority responsible for controlling the application of the GDPR would also be responsible for controlling the application of the e-Privacy Regulation (i.e. NAIH in Hungary).
- Ensuring the uniform application of the e-Privacy Regulation will be entrusted to the European Data Protection Board established under the GDPR.
- The amount of administrative fines to be imposed should also be aligned with the GDPR, i.e. in case of certain infringements, an administrative fine of up to EUR 10 000 000 or a maximum of 2% of the total annual worldwide turnover of the preceding financial year can be imposed (the higher amount should be imposed), while administrative penalties of up to EUR 20 000 000 for major infringements and up to 4% of the total annual worldwide turnover of the preceding financial year may be imposed on undertakings (the higher amount should be imposed).
What are the opinions and criticisms concerning the draft?
Since the release of the draft in January, many reviews and criticisms have come to light. The choice of a regulation as the legal form and the consistency with the GDPR were generally welcomed. The majority of opinions also consider it a positive feature that the supervisory authority responsible for controlling compliance with the GDPR would also check compliance with the e-Privacy Regulation. However, several critical comments have also been made.
The Article 29 Working Party’s opinion was published on April 4 (Opinion no. 1/2017). The opinion puts particular emphasis on four points of the draft:
- the tracking of the location of terminal equipment;
- the conditions under which the analysis of content and metadata is allowed;
- the default settings of terminal equipment and software; and
- the practice of "tracking walls", where a user's access to a site or service is refused unless the user consents to being tracked on other websites or services.
The opinion also lists additional problematic points, e.g. with regard to the material and territorial scope and the rules regarding direct marketing.
What will happen next?
The draft must go through the legislative process and be approved by the European Parliament and the Council. The text of the draft will therefore surely change but, at the same time, maintaining consistency with the GDPR will be important.
When will it come into effect?
The e-Privacy Regulation, like the GDPR, should apply from 25 May 2018. The question is whether this tight schedule can be maintained. WP29 also refers to the importance of keeping such a tight deadline, but it is questionable whether it will be possible to keep it.
László Pók