Plans for new e-Privacy Regulation published by European Commission

Out-Law News | 10 Jan 2017 | 5:06 pm | 3 min. read

Internet service providers, mobile network operators and 'over the top' communication service providers such as Skype and WhatsApp face tough new EU rules on their processing of electronic communications data.

The European Commission on Tuesday proposed a new Privacy and Electronic Communications (e-Privacy) Regulation to replace the existing e-Privacy Directive. The plans, if implemented, would update current rules on the confidentiality of electronic communications, and bring OTT communication service providers within scope of the EU's e-Privacy laws for the first time.

The draft Regulation, amongst other things, also sets out new rules on the use of 'cookies' and other "device fingerprinting" technologies, and direct marketing via electronic communications.

Users of electronic communications services would also obtain a new right to object to the processing of their electronic communications data, and could potentially win compensation from communication providers if they have "suffered material or non-material damage as a result of an infringement" of the new rules by those companies.

If implemented, the new Regulation would also require regulators to cooperate on enforcement action where breaches have a cross-border impact, and it could also lead more internet users to block third-party adverts.

Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said it is clear from the proposals that the Commission wants the new e-Privacy Regulation to closely align with the new General Data Protection Regulation (GDPR).

"The Commission wants the new Regulation to come into force on 25 May 2018, the same day as the GDPR takes effect," Dautlich said. "If finalised as a Regulation, the e-Privacy rules, like the GDPR, would apply uniformly across the EU, albeit there is some scope for EU member states to draft their own rules in some areas. Many of the definitions for terms that are central to the draft Regulation, including in relation to consent, are drawn from the GDPR, and several provisions, including in respect of fines for breaches of the rules, are based on the GDPR also."

"There has been uncertainty in the market over how a reformed e-Privacy framework would interact with the broader data protection laws set out in the GDPR. Industry and practitioners will therefore welcome the certainty of moves to align the two regimes, although the detail of some of the proposals may concern them," he said.

Under the proposals, web browsers, and other providers of software that permit electronic communications, would be obliged to inform users of their options to "prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment", and to require those users to select a particular privacy setting at the point of installation.

Dautlich said publishers and the ad industry will not welcome plans which could lead to more consumers blocking access to targeted third-party advertising, from which online content providers derive revenues.

Dautlich also said that although it has not yet been proven whether a new 'consistency mechanism', designed to facilitate closer cooperation by regulators on cross-border enforcement cases under the GDPR, works in practice, in principle it was right for the system to be applied to e-Privacy cases, as the Commission proposed.

Dautlich said that responsible marketers would welcome the stiffer penalties framework that the Commission has proposed for infringements of e-Privacy rules, which mirrors that which applies under the GDPR.

"At the moment, legitimate and responsible businesses that act responsibly in observing the tight rules that apply to marketing via electronic communications are disadvantaged by the actions of those that flagrantly breach the rules," Dautlich said. "Often, marketing materials that a recipient may find pertinent is lost in 'spam' folders, or inadvertently deleted by those consumers who are tired of receiving unwanted and unsolicited marketing mail from other sources."

"The UK's Information Commissioner's Office (ICO) has particularly targeted nuisance call makers and senders of spam emails and text messages in the past year or so, and UK law has also been updated to make it easier for enforcement action to be taken. However, introducing fines of up to €10 million, or 2% of annual global turnover, whichever is highest, would be a potential game-changing deterrent and stem the flow of unsolicited marketing messages, to the benefit of consumers and businesses that abide by the rules," he said.

The ICO can fine companies up to £500,000 for breaches of the UK's Privacy and Electronic Communication Regulations (PECR). 

Like the GDPR, a tiered framework for penalties is envisaged under the draft e-Privacy Regulation. The maximum penalty that could be imposed, which only applies to certain breaches, would be a fine of up to €20 million, or 4% of their annual global turnover, whichever is the highest.

The Commission's proposals will be scrutinised by EU law makers in the European Parliament and Council of Ministers. Both bodies must formally approve the legislation for it to take effect.