In December, we blogged that the new E-Privacy Directive was likely to be upgraded to a Regulation. Now, just one month later, the European Commission has gone ahead and published its draft Privacy and Electronic Communications Regulation (“E-Privacy Regulation”), which is intended to replace the existing E-Privacy Directive.
The existing E-Privacy Directive, which has been law since 2002 under the UK’s Privacy and Electronic Communications Regulation (“PECR”), is intended to provide clear rules on users’ rights to privacy and confidentiality in their electronic communications. The European Commission recently reviewed the existing Directive with the aim of bringing it up to date and aligning e-privacy laws with the General Data Protection Regulation (“GDPR”).
In the main, the draft E-Privacy Regulation has not changed from the version that was leaked in December:
- The Regulation still applies to over-the-top (“OTT”) communications services, to anyone using cookies (or similar technologies), and to machine-to-machine communications (including via the Internet of Things), in addition to the more traditional telephone companies and Internet service providers.
- The Regulation provides for enhanced privacy measures concerning user consent, confidentiality and direct marketing commercial communications, by introducing new rules for processing communications content and metadata.
- The Regulation applies to the use of electronic communications services in the European Union (“EU”), regardless of where the processing takes place, and regardless of whether the service is paid for. So, a US-based data processor will need to comply with the Regulation in respect of any EU-based users.
- The Regulation leaves the notification of data security breaches/personal data breaches – which were a feature of the PECR and the existing E-Privacy Directive – to be handled by the GDPR on a much broader basis. This means that data security breaches must now be notified to the Information Commissioner’s Office (“ICO”) and data subjects by data controllers in all sectors, not just electronic service providers.
- In line with the GDPR, breaches of the E-Privacy Regulation can lead to fines of up to 20 million euro or 4% of annual global turnover, whichever is higher.
- The European Commission has watered down its insistence that browser providers block cookies by default. Instead, the Regulation requires them to offer cookie consent choices to users as part of the browser software setup process.
- There is no longer an allowance for a six-month lead-in period after the Regulation is adopted. Instead, the Regulation will apply from 25 May 2018, the same date that the GDPR comes into force.
If you would like any advice about how the E-Privacy Regulation or the GDPR might affect your organisation, please contact us.