Friday, 16 December 2016
E-Privacy Directive may be upgraded to a Regulation
A European Commission proposal document that laid out a plan to repeal the E-Privacy Directive and replace it with a Privacy and Electronic Communications Regulation has been leaked to the weekly Brussels-based newspaper, Politico.
Upgrading from a Directive to a Regulation has major legal consequences under European Union (“EU”) law. An E-Privacy Directive would have provided a base on which EU Member States would be able to create their own versions of the law, whereas a Privacy and Electronic Communications Regulation would lay out a harmonised set of requirements that are directly applicable in EU Member States, giving them less flexibility to interpret the law for themselves.
The E-Privacy Directive, which was made law in 2002 and subsequently updated in 2009, is intended to provide clear rules on users’ rights to privacy and confidentiality in their online communications. However, the communications industry has evolved significantly in the last 15 years, particularly in the field of over-the-top (“OTT”) communications services. These services, which include well-known brand names such as WhatsApp and Skype, use Voice over Internet Protocol (“VoIP”) to provide means of communication such as instant messages and voice calls. Users can sign up to these services as an alternative to, say, the text messages and voice calls that mobile network providers offer.
The E-Privacy Directive did not previously include OTT communications services in its scope, but the new draft Regulation intends to do so. This will extend the scope of the Regulation to many businesses who were previously not technically covered by the Directive and therefore able to push the compliance boundaries. This change will be welcome news for the Regulators, but will create a huge amount of additional risk for many of our client businesses. If you would like us to review how this might affect your organisation, please contact us.
The new draft Regulation also covers access to electronic communications services by government agencies for the purposes of surveillance and monitoring, but does not include any specific provisions in the field of data retention.
The intention is for the draft Privacy and Electronic Communications Regulation to harmonise with the General Data Protection Regulation (“GDPR”), which comes into force on 25 May 2018. For this reason, several of the draft Regulation’s provisions correspond to those of the GDPR, such as consent under the Regulation being based on the requirements for consent under the GDPR. Please see our previous Pritchetts Law blog about how consent requirements will change under the GDPR.
Politico reports that the draft Regulation is expected to be published on 11 January 2017. If you would like a PDF copy of the leaked draft Regulation before then, or any advice about how the Regulation or the GDPR might affect your organisation, please contact us.