European Commission proposes new ePrivacy Regulation
On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).
If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.
What’s new?
Since 2009, when the ePrivacy Directive was revised last, important technological and economic developments took place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to the so called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.
By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.
Electronical communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed, if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communication services.
Content data can be used for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content or if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first party non-privacy intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows to use browser settings as consent.
In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, which means that software has to be configured so that third parties cannot store information on or use information about a user’s device.
The Commission’s proposal of the Regulation just demands that software must offer the option to prevent third parties from storing information on or using information about a user’s device.
ePrivacy Regulation and GDPR
Both the ePrivacy Regulation and the GDPR are part of the above mentioned ‘DSM’. Several commonalities prove this fact. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation. This will contribute to the harmonisation of the data protection framework and increase trust in and the security of digital services.
What’s next?
After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It is to see whether this schedule is practicable, considering how long the debate about the GDPR took.