The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.
Scope
The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet-based voice and messaging services will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
Confidentiality
The Regulation guarantees the confidentiality of the content of a communication, as well as metadata (which includes traffic data and location data relating to a communication). It prohibits the interception of all electronic communications unless permitted by a Member State or EU law. The confidentiality of electronic communications data may be restricted by law where necessary to safeguard one or more of the general public interests specified in Article 23(1)(a) to (e) of the GDPR, such as to safeguard national security. The Regulation requires providers of electronic communications services to provide information to the relevant supervisory authority, on demand, about the number of requests received for access to end-users’ electronic communications data, the legal justification invoked and their response to the request.
Cookies
The Regulation simplifies the rules on cookies in an attempt to overcome the problem of ‘cookie-banner fatigue’. The European Commission recognises that users are currently overloaded with pop-up windows requesting consent to the use of cookies. The Regulation therefore proposes allowing browser settings to be taken as consent. It adopts a privacy by design approach, requiring providers of browsers and similar software to provide users with cookie and tracking controls. The hope is that centralising consent in software will do away with cookie banners and notices.
The Regulation proposes that no consent is needed for non-privacy-intrusive cookies which improve the internet experience (such as to remember shopping cart history), or for cookies used to measure traffic to a particular website.
Unsolicited Marketing
The Regulation simplifies and strengthens the rules on unsolicited direct marketing. It prohibits unsolicited electronic communications by any means, including email, SMS, and in principle phone calls, if users have not given their prior consent. So an opt-in will be required for all types of electronic marketing, except where an individual’s email contact details have been obtained in the context of a sale or service, in which case an opt-out is still possible.
Prior consent will also be required for marketing phone calls, unless national law gives consumers the right to object to the reception of such calls, for example by registering their number on a ‘do-not-call’ list. All marketing callers will need to display their phone number or use a special prefix number that indicates a marketing call.
Consent
The Regulation adopts all the definitions in the GDPR, thus any consent obtained will have to comply with the burdensome conditions set out in the GDPR, and individuals must be given the right to withdraw their consent at any time. In addition, the Regulation requires individuals to be reminded of the possibility of withdrawing their consent at periodic intervals of 6 months, as long as the data processing continues.
Enforcement
The Regulation aims to align online privacy rules with the high standards of data protection set out in the GDPR, and provides for the same hefty fines of up to €20 million or 4% of turnover for non-compliance. The supervisory authority responsible for enforcing the GDPR will also be responsible for monitoring the application of the Regulation.
Comment
In regard to the confidentiality of electronic communications, it is worth noting that the Irish Government is currently drafting interception legislation, namely the Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill. The purpose of that legislation is to update the Postal and Telecommunications Acts 1983 and 1993, which only apply to Telecoms and Postal Service providers, to ensure that all communications delivered over the internet are subject to lawful interception.
Next Steps
The European Parliament and Council will now review the proposal. The Commission proposes bringing the Regulation into force on 25 May 2018, alongside the GDPR.