What is the e-Privacy Regulation?
The e-Privacy Regulation will replace European Directive 2002/58/EC (as amended by Directive 2009/136/EC), which was implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003. When it comes into effect, it will sit alongside the GDPR, and will form an important part of the Digital Single Market Strategy of the European Commission.
The e-Privacy Regulation will widen the scope of the regulation of electronic communications data, and will apply even if a communications service is ancillary to another service. This means that in principle it will not matter if communications are only an ancillary part of a game, or an additional feature of, say, a digital distribution platform. The e-Privacy Regulation will therefore have important implications in a number of areas for interactive entertainment, including for games or platforms which enable certain types of live voice chat, video communication, or instant messaging.
When will it come into force?
The e-Privacy Regulation had originally been timetabled to come into effect on the same day as the GDPR, on 25 May 2018. However delays have meant that it is still progressing through the EU legislative procedure. Currently it is still very much in draft form and we do not yet know when it will come into force. Initially, a proposed draft was published by the Commission in January 2017. In October 2017, the European Parliament adopted an amended version. Most recently, in July 2018, the Presidency of the Council of the European Union proposed further changes. Further amended drafts are likely to follow.
Games or platforms that incorporate certain types of voice chat, video communication, or instant messaging will now be caught
Live voice chat, video communication, and instant messaging are a feature of many popular games and platforms. Currently, these types of communication are generally not considered to be caught by the Privacy and Electronic Communications (EC Directive) Regulations 2003, on the basis that they are so-called “over-the-top” (OTT) communications (like WhatsApp messages, e-mails, and VOIP communications). However, the proposed e-Privacy Regulation extends the scope of regulation, and clarifies that OTT communications will be caught going forward.
The e-Privacy Regulation will affect how you use communications data
The proposed e-Privacy Regulation distinguishes between two types of electronic communications data:
- “content data”, which is the actual content of an electronic communication (for example, text, voice, video, images, and sound); and
- “metadata”, which is data processed for the purpose of transmitting, exchanging or distributing the content (for example, data used to trace and identify the source of a communication; data on the location of a device; or the date, time, or duration of a communication).
Since the Commission published its proposed draft of the e-Privacy Regulation in January 2017, there has been debate about the extent to which service providers should be permitted to use electronic communications data, and what restrictions should be placed on such use. The Commission’s proposal was relatively restrictive in terms of how metadata could be used. In its July 2018 amended version, the Council expressed concerns that the e-Privacy Regulation should be flexible enough to enable the use of metadata for innovative purposes for the benefit of European citizens. To address those concerns, it proposed that processing of metadata without consent should be allowed if the purpose of the processing was compatible with the purpose for which it was initially collected.
The Council’s amended text sets out a non-exhaustive list of the various factors that must be taken into account when making an assessment of whether the processing is compatible. Many interactive entertainment businesses will welcome this less strict approach to the use of metadata. However, it remains to seen whether this approach will be retained in the final text.
The e-Privacy Regulation will apply even if the data is not personal data
The e-Privacy Regulation does not draw a distinction between personal data and non-personal data in the way that the GDPR does: it applies to both personal data, and non-personal data. It will not be possible to rely on the argument that any metadata collected isn’t personal data, and therefore the e-Privacy Regulation doesn’t apply.
What are the risks of non-compliance?
The e-Privacy Regulation will include penalties for non-compliance that are in line with the GDPR, with fines of up to the greater of €20 million or 4% of worldwide turnover. End-users will also have the right to bring a claim for compensation. This is quite apart from the reputational risks associated with unlawful interception of electronic communications data.
What do interactive entertainment businesses need to do?
If you are an interactive entertainment business you should:
- Be aware that the e-Privacy Regulation is on the horizon and that it will have important implications for those who use voice chat, video communication, and instant messaging in their games or on their platforms.
- Be aware that the e-Privacy Regulation is still in draft form. There is still some way to go before it is finalised and there will most likely be some further changes, including in relation to what you can and cannot do with electronic communications data. At the moment, we still do not know what its full implications will be for interactive entertainment businesses.
- If you’re planning a new project involving use of electronic communications data, considerhow it may be affected by the e-Privacy Regulation, and, if necessary seek specialist advice at an early stage.
- Look out for further updates about the e-Privacy Regulation from Osborne Clarke.