Earlier this month, the European Commission published a proposal for regulation that seeks to revise the current EU ePrivacy Directive.
The 35-page proposal is the result of a review of Directive 2002/58/EC (the ePrivacy Directive) called for under the Digital Single Market Strategy. The aim is to ensure users of electronic communications services receive a high level of privacy protection.
Jocelyn Paulley, director at international law firm Gowling WLG, said one of the key takeaways from the proposed revision to the ePrivacy Directive is that it demands companies get user consent before accessing any electronic communications content (or metadata related to this) or information on a user’s device. There would be limited exemptions for billing and performing services requested by the user, though.
“This is justified by the European Commission’s research showing that the vast majority of people view this data as confidential,” Paulley added.
Another key takeaway from the proposal is that rules about marketing consents would stay the same. Companies would also still have to gain consent for the use of any privacy-intrusive cookies.
Consent would not be required, however, for non-privacy intrusive cookies, such as those used for anonymous analytics. Also, website operators could point users to setting cookie controls in their browser, rather than the operator having to create their own controls within the website.
Similarities with GDPR
The revision is designed to ensure consistency between the ePrivacy Directive and the General Data Protection Regulation (GDPR), which will be introduced in May 2018.
The new proposed ePrivacy regulation is a separate to the GDPR, but there are a number of parallels between the two.
“The main concern that they [both pieces of regulation] wish to address is transparency to consumers and protecting consumers from uses of their data of which they are not aware,” Paulley said.
Both GDPR and the ePrivacy update proposal are designed to harmonise the various data protection laws that exist across the EU.
They are also both ‘regulations’ (not ‘directives’), so they will automatically apply to all EU member states without the need for governments to implement national legislation.
The fines levied for breaking the regulation would be at the same levels as those collected for breaches of the GDPR, plus, the same UK regulator – the Information Commissioner’s Office – would be used for both.
As for when the proposed regulation would be applied, Paulley said: “The European Commission wants this to be law by May 2018 to coincide with the end of the implementation period for GDPR.”
But will either of the regulations actually apply to the UK once Brexit is implemented and the UK leaves the European Union? For a start, companies outside the EU that provide electronic communications services to EU citizens would be subject to both sets of regulation.
In addition, Paulley said: “The government’s current plan is that the very misleadingly named Great Repeal Bill will convert all European laws into English law, so that all European laws will be law in the UK on the date that the UK leaves Europe.”
The British government will then have the option to revoke or amend this new legislation, but Paulley believes that, as with other laws related to privacy and the internet, “there are strong arguments to maintain harmony with the European approach to simplify the cost of compliance for businesses and unlock the €145bn e-commerce market”.