ePrivacy Regulation proposed by the European Commission

The European ePrivacy legislation is currently laid down in the ePrivacy Directive. The ePrivacy Directive has been implemented in the national law of all member states of the European Union. In the Netherlands, this has resulted in the Telecommunication Act (Telecommunicatiewet). Now, the European Commission has presented a draft for a new European regulation that aims to (further) harmonize the national regulations pertaining to electronic communications (the “ePrivacy Regulation”).

Goal and background of the ePrivacy Regulation

The ePrivacy Regulation is part of the larger initiative that can be described as the ‘Digital Single Market’. The European Union strives to create a (general) Single Market: one territory without internal borders or other restrictions on the free movement of goods, services, people and capital. The Digital Single Market is a part thereof, focusing on electronic communications, e-commerce and digital marketing.

The ePrivacy Regulation aims to reconcile the ePrivacy legislation with the privacy legislation as laid down in the General Data Protection Regulation. Said regulation entered into force on 25 May 2016 and will become applicable in the European Union from 25 May 2018 onwards. The ePrivacy Regulation will use the terminology of the General Data Protection Regulation and will also apply similar sanctions (fines). Frans Timmermans, the vice-president of the European Commission, fittingly described the ePrivacy Regulation as “the completion of the European framework for data protection”. The ePrivacy Regulation is slated to enter into force on 25 May 2018, in accordance with the timeframe of the General Data Protection Regulation.

Topics regulated by the ePrivacy Regulation

The following topics are covered in the ePrivacy Regulation:

  • Scope: The ePrivacy Directive only applied to traditional telecom companies. The ePrivacy Regulation will have a broader scope, as it will (also) be applicable to new players such as WhatsApp, Facebook Messenger and Gmail.
  • Consent is key: Under the ePrivacy Regulation, it is no longer allowed to tap, scan or listen in on text messages, e-mails or voice mails without the (explicit) consent of the user. Moreover, the ePrivacy Regulation prescribes stricter requirements for obtaining such consent. Deviation from the requirement of consent is only possible in exceptional circumstances, which are specified in the ePrivacy Regulation.
  • Confidentiality of content and meta data: The ePrivacy Regulation not only protects the confidentiality of electronic communication, but also of so-called ‘meta data’: information pertaining to the length, addressees and time of the communication. An exception has been made for information collected for billing purposes.
  • Your device, your data: Phones and computers collect and store massive amounts of data. Under the ePrivacy Regulation, companies may no longer access such data without the consent of the user. It is not necessary to obtain consent in case of so-called ‘non-invasive cookies’; for example, cookies that allow for digital shopping carts to remain filled after you have switched to a different web page.
  • Spam yes/no: The ePrivacy Regulation prohibits unsolicited electronic communications, whether it is in the form of e-mails or text messages. The regulation of cold calling has been left to the discretion of the member states: they can opt to have consumers choose for themselves by means of a do-not-call registry, or they can issue a full prohibition.

The enforcement of the ePrivacy Regulation will become the responsibility of national data protection authorities. In the Netherlands, this is the Personal Data Authority (Autoriteit Persoonsgegevens). This means that the Authority will be given another large responsibility, in addition to the enforcement of the notification duty pertaining to data breaches.

Consequences for civilians and companies

In its press release of 10 January 2017, the European Commission emphasized the opportunities that the ePrivacy Regulation will offer to organizations. One particular change is that organizations will be allowed to use meta data for various purposes, once consent has been obtained from the user. Moreover, the fact that the ePrivacy legislation will be laid down in a regulation should make it easier for companies to adhere thereto, since all national legislation in the European Union pertaining to the subject will be replaced by one single set of rules. This promotes both legal unity and legal certainty within the European Union.

What happens now?

The draft text of the European Commission will now have to be formally approved by the European Parliament and the Council of the European Union. It is, however, to be expected that other European institutions will also offer their opinion on the proposed Regulation. Last July, the Article 29 Working Party (“WP29”) published an opinion on the intended revision of the ePrivacy Directive. The WP29 recommended, among other things, the inclusion of guiding principles such as ‘privacy by default’ and ‘privacy by design’: the notion that the standard settings of devices offer the highest protection for privacy. These recommendations have so far not been incorporated in the current proposal for the ePrivacy Regulation. It will be interesting to see how the WP29 reviews the draft text for the ePrivacy Regulation.

Ovidius will keep you posted on further developments on our Privacy Update page.

Sources: Press release of 10 January 2017; ePrivacy Directive; ePrivacy Regulation.


