What is the e-Privacy Regulation?


The European Commission issued a proposal for a new ePrivacy law on January 10, 2017, that sought to replace the existing ePrivacy and Electronic Communications Directive, which was enacted in 2002 to oversee privacy regulations across the EU.

Who does the e-Privacy Regulation apply to?


The planned ePrivacy Regulation is intended to protect the privacy of electronic communications involving residents of EU member states. Put simply, it is about who can track the digital traces of users in e-communications, whether they are chatting via text message, on the phone, shopping or engaging in other activities online. 

It is expected that the ePrivacy Regulation will focus on the protection of privacy for data being communicated electronically, in contrast to GDPR, which applies to wider protection areas by ensuring a smooth flow of data between member states. Therefore, the ePrivacy Regulation will impact all those who operate telecommunication services or use commercial media services, tracking cookies and customized advertising. Examples of companies likely to be affected include:

  • Messaging service providers such as WhatsApp, Facebook, and Skype
  • Natural or legal individuals conveying direct marketing communications
  • Website owners
  • Proprietors of apps that incorporate electronic communication
  • Internet access providers
  • Telecommunication firms

What are the penalties?


The ePrivacy Regulation applies the same fine as the GDPR. Anyone found to violate its requirements will be fined 20 million Euros or 4% of annual global revenue.

What is the scope of the e-Privacy Regulation?


Compared to the pre-existing ePrivacy Directive, which was commonly described as the ‘Cookie Law,’ the ePrivacy Regulation has a wider scope. The ePrivacy Regulation will apply not only to the traditional electronic communication service providers, such as mobile and landline telephone operators, but will also cover the Web and the Internet (email, apps, etc.). Additionally, the latest draft of the ePrivacy Regulation sets out a much higher threshold for obtaining consent than under the current ePrivacy Directive. The crucial areas covered include:

Electronic Communications

The scope of the current Directive is limited to conventional forms of communication like e-mails and Short Messaging Services. The ePrivacy Regulation seeks to incorporate modern forms of communication, such as messaging services on social media platforms like WhatsApp and Facebook Messenger, as well as VoIP providers.

Cookies

While the ePrivacy Directive obliges the user to provide cookie consent on every website they access, the ePrivacy Regulation proposes that users offer approval through browser settings. The objective of this proposal is to make it easier for browser settings to allow blanket acceptance or refusal of tracking cookies and identifiers.

Additionally, when cookies are only used for technical reasons such as remembering the contents of a cart when shopping online, users will not be expected to provide consent for their use. However, tracking, which includes targeting and retargeting of users through the use of cookies for advertising purposes, will require consent.

Spam

The ePrivacy Regulation incorporates comprehensive protections against spam that includes text messages, unsolicited e-mails, and automated calling systems. Promotional callers must also reveal their contact number or alternative distinguishing codes to specify when it is a marketing call.

Direct Mail

Under this proposed regulation, consumers will be expected to provide explicit consent to get any marketing material from a business, in addition to being accorded the option to opt out through unsubscribe messages.

Metadata

The ePrivacy Regulation targets metadata, which describes information such as:

  • The number of times a day a device is connecting and transmitting data
  • The magnitude of downloadable files
  • Time, date, and location of data transfers

Tracking Walls

A tracking wall is a term used to describe a website that restricts access to its content unless the visitor provides consent to the use of cookies. The ePrivacy Regulation aims to eliminate tracking walls.

What does the e-Privacy Regulation prohibit?


This law states that any seizure or usage of electronic communications content by anyone apart from the end-user can only be done in accordance with its provisions. Keeping, tracking, listening, or scanning electronic communications will only be deemed legal if they are done in compliance with the ePrivacy Regulation.

When will the e-Privacy Regulation be Implemented?


Initially, this law was expected to come into effect on May 25, 2018 alongside the GDPR. Nonetheless, delays experienced during the approval phase resulted in its implementation being pushed back. However, it is expected to be approved in the second half of 2020 followed by a transition period of 12-24 months. 

How does the e-Privacy Regulation Compare with GDPR?


Both the GDPR and ePrivacy Regulation are concerned with data protection practices throughout the European Union. Nonetheless, while GDPR is solely focused on personal information, the ePrivacy Regulation deals with the privacy of data involved in electronic communications explicitly.

Although both laws embody similar aspects of privacy, they operate under unique legal bases. GDPR and the ePrivacy Regulation will reinforce each other. However, if a data protection problem arises, which is connected to electronic communications, the ePrivacy Regulation takes precedence.

Who will not be Affected by the e-Privacy Regulation?


This law will not cover:

  • Any activities that are not subject to EU law
  • Private electronic communications
  • EU member state activities connected to immigration and border checks
  • Radio gear that is compliant with Directive 2014/53/EU
  • Actions linked to the deterrence, investigation, or prosecution of criminal offenses

How can your Organization Prepare for the e-Privacy Regulation?


This law is not meant to replace GDPR. Instead, the two regulations are intended to work in tandem. What this means is that the ePrivacy Regulation will not introduce wholesale changes that would compel already GDPR-compliant businesses to re-start the entire process from scratch. It will only broaden the scope of EU privacy regulations. Therefore, companies will be expected to comply with both rules.

When the ePrivacy Regulation is eventually adopted, consent is likely to be the core legal ground for data handling. However, the law uses the GDPR definition of consent. Devising a technique of obtaining consent that is compliant with GDPR requirements is an excellent place to start.