On January 10, the European Commission published the proposed text for the new e-Privacy Regulation ('the Regulation'). This new Regulation, if adopted, will replace the current e-Privacy Directive and will establish, together with the GDPR, a new privacy legal framework for electronic communications.
The proposal aims to be lex specialis to the GDPR. Probably to ensure consistency with the new privacy legal framework for electronic communications, the entry into force provision of the leaked text has been amended to state expressly that the Regulation will come into force on the same date as the GDPR (25 May 2018). With many legislative hurdles still remaining before it is approved, this represents an ambitious timeline for EU legislators.
The fact that the proposal, like the leaked text, is a Regulation rather than a Directive, will help to harmonise this new privacy legal framework, since it will be directly applicable in all EU Member States.
As anticipated in our alert of December 15 on the leaked text, the new Regulation significantly strengthens the online and direct marketing legal landscape.
The cornerstones of the proposed Regulation are:
The new Regulation will apply to all providers of electronic communications services, including so-called "over-the-top" content providers, such as voice over IP, text message and email providers, which are not subject to the current e-Privacy Directive. It will also apply to non-EU providers that provide electronic services (free and/or paid) to EU nationals.
As a general rule, electronic communications data, which includes both content and metadata, may be processed when necessary for specific legislated purposes or for ensuring the security of communications and/or to allow the detection of technical faults or errors.
However, the proposal also creates separate rules applicable to the use of content than to metadata:
Content data can be used either (i) with the consent of the end user or end users concerned, provided that the processing is necessary for the provision of the service; or (ii) when all the end-users concerned have given their consent for one or more purposes that cannot be fulfilled if the information is rendered anonymous (in such case, the service provider shall have consulted the competent EU Data Protection Authority before starting the processing).
The proposal also includes new rules for the storage and erasure of electronic communications content. Service providers will have to erase or render anonymous all content after receipt of that content by the end-user or the third party entrusted by them to record, store or otherwise processes such data, in accordance with the GDPR.
Metadata can be used (i) when necessary for mandatory quality of service requirements, billing, calculating interconnection payments, detecting and/ or stopping fraudulent, or abusive use of, or subscription to, electronic communications services; or (ii) when the end user's consent has been given for one or more purposes that cannot be fulfilled if the information is rendered anonymous (in such case, the service provider shall have consulted the competent EU Data Protection Authority before starting the processing).
Once the permitted purpose has been fulfilled, the metadata must be erased or anonymised. In the specific case of processing for billing purposes, this period will end once a bill can no longer be challenged.
The proposal maintains the consent rules from the Directive, unless using cookies or similar technologies is (i) necessary for the sole purpose of carrying out the communication; or (ii) is strictly necessary and proportionate for the legitimate purposes of enabling the use of a specific service requested by the end-user. The proposal keeps the derogation included in the leaked text for first party "web audience measuring" cookies.
The proposal allows consent to be provided via browser settings, thereby mandating significant changes for providers of browsers. They should require a clear affirmative action from the end-user of terminal equipment to signify his or her freely given, specific, informed, and unambiguous agreement to the storage and access of third party tracking cookies in and from the terminal equipment;
All developers of software permitting electronic communications, shall also offer the option to prevent third party cookies. They shall inform the end-user during the initial set up about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting; and, if the software has already been installed at the entry into force of the Regulation (which aims to be at the same time as the GDPR), the software will need to be updated to come into compliance with the consent requirements at the time of the first update of the software, but no later than 25 August 2018.
The collection of data emitted by the end-user terminal equipment (such as IMSI, IMEI, MAC address, etc) will only be allowed if (i) it is done exclusively in order to, for the time necessary for, and for the purpose of, establishing a connection; or (ii) a clear and prominent notice compliant with the GDPR requirements is displayed. The collection of such information shall be conditional on the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risks, as set out in the GDPR.
The definitions of direct marketing and electronic communications are broader than those in the Directive. The proposal distinguishes between B2C and B2B communications. For B2C communications, the proposal requires the sender of the communication to obtain the consent of individuals for direct e-marketing purposes. For B2B communications, however, the proposed Regulation leaves it to the Member States to ensure that the legitimate interest of corporate end-users are sufficiently protected from unsolicited communications.
Like under the Directive, consent will not be required when marketing similar products and services. In such case, individuals must be granted the right to object.