The European Commission’s draft Regulation on Privacy and Electronic Communications introduces stronger privacy rules for electronic communications

Written on 16 Jan 2017

On 10 January 2017, the European Commission announced the publication of its draft Regulation on Privacy and Electronic Communications (e-Privacy Regulation).

The draft represents just the first key stage of the European legislative process – and it will almost certainly be subject to change before it is finally approved by the European Parliament. Nonetheless, the draft e-Privacy Regulation looks set to introduce a number of very significant reforms, including in the following areas:

  • scope and territorial application: the e-Privacy Regulation as currently drafted would cast a much wider net than the existing e-Privacy Directive, both in terms of the types of services that are caught by it (including so-called Over-the-Top communications services (OTTs) and communications between Internet of Things (IoT) devices), and its territorial application;
  • new rules for processing “electronic communications data”: except in very limited circumstances, the interception of electronic communications data (which includes content and metadata) will be prohibited without the consent of the end-user concerned;
  • cookies (and similar technologies): the draft suggests an alternative approach to obtaining end-users’ consent to cookies, requiring that providers of browsers and similar software offer a range of privacy settings on installation (thereby removing the need for cookie banners); the good news is that fewer cookies will require consent (including not only those which are “strictly” necessary, but those which are used for purposes such as form filling, language preferences and shopping cart functionalities);
  • direct marketing: the draft would extend direct marketing rules (requiring opt-in consent, in most cases) to OTTs such as instant messaging and in-app notifications; and
  • sanctions: the draft would provide a much tougher sanctions regime, with fines of up to €20 million or 4% of worldwide turnover for certain breaches, and end-users given the right to sue for compensation.

The background to the e-Privacy Regulation

The current e-Privacy Directive (Directive 2002/58/EC) is part of the EU regulatory framework for communications.  It aims to reinforce trust and security in digital services in the EU, by ensuring a high level of protection for privacy and confidentiality in the electronic communications sector, as well as seeking to ensure the free movement of personal data and of electronic communications equipment and services in the EU.

The Directive was revised in 2009 (by Directive 2009/136/EC), to include provisions on cookies (and similar technologies).  This led to a major flurry of activity in reviewing and amending website operators’ practices in relation to consent for cookies.

More recently, the Commission’s Digital Single Market Strategy included a commitment to review the Directive again following adoption of the General Data Protection Regulation (GDPR).  It has therefore carried out a “Regulatory Fitness and Performance Programme” (REFIT) evaluation of the Directive and – in 2016 – issued a stakeholder consultation on that evaluation and on possible changes.

The Commission had already identified several policy issues that it saw as needing to be addressed, including:

  • ensuring consistency with the GDPR;
  • enhancing security and confidentiality of communications;
  • addressing inconsistent enforcement and fragmentation at national level; and
  • updating the scope of the Directive to take account of technological and market changes.

Those policy objectives appear to underlie many of the changes proposed in the draft e-Privacy Regulation.

Regulation, not a Directive

The first significant change to note is that the e-Privacy Regulation is not a Directive (it is, as the name suggests, a Regulation).

Consequently, the e-Privacy Regulation will be directly applicable in each EU member state; it will not require national legislation for its implementation.  The potential for different implementation and application in different territories – as we have seen for instance with cookies laws – is therefore significantly reduced (although not entirely eliminated).

It is not particularly surprising that the Commission has opted for a Regulation, with the same approach being taken with the GDPR.  Some questioned whether a separate legal instrument governing the privacy and confidentiality of electronic communications was required at all in light of the GDPR.  The Commission concluded that it was: while the GDPR ensures the protection of personal data generally, the e-Privacy Regulation imposes specific rules on the electronic communications sector, which ensure the confidentiality of communications (whether consisting of personal data or not, and whether relating to a natural or legal person).  To avoid regulatory duplication, the e-Privacy Directive refers to relevant provisions of the GDPR where appropriate.

Overall scope and territorial application

The e-Privacy Regulation casts a much wider net than the existing e-Privacy Directive, both in respect of the types of services which are caught by it, and its territorial application.

Overall scope

The e-Privacy Regulation applies to “the processing of electronic communications data carried out in connection with the provision and use of electronic communications services and to information related to the terminal equipment of end-users”.

“Electronic communications data” means content that is exchanged by means of electronic communications services (such as text, videos, images and sounds), and the associated metadata (such as the location of a device or the date and time of a communication).

“Electronic communications services” include internet access services, services consisting wholly or partly in the conveyance of signals and interpersonal communications services, which may or may not be number-based.  That means that communications made via OTTs – such as Skype, iMessage and Facetime – will be caught.  Machine-to-machine communications (as between IoT devices) will also be caught.

Ulrich Baumgartner, a privacy partner in Osborne Clarke’s Munich office, points out that “the expanded scope of the Regulation, which comes with a general consent requirement also for M2M and IoT applications, has the potential to render big data analytics more difficult. Thus, where the GDPR opened the door a bit by introducing some exceptions from the purpose limitation requirement, the draft Regulation seems to be closing this door again.”

Territorial application

Taking a leaf out of the GDPR’s book, the e-Privacy Regulation has a broad territorial reach.  It applies not only to entities which are located, or which process electronic communications data, within the EU.  It will also apply in the context of any electronic communications services provided to, or used by, end-users within the EU, and to any use of cookies or device fingerprinting (or similar) on the terminal equipment (or devices) of end users located in the EU (irrespective of where the provider is located, or where the processing takes place).

Emily Jones, Head of Osborne Clarke’s Silicon Valley office, explains that “as with the GDPR, some businesses outside the EU will be required to appoint a representative within the EU.  The representative needs to be located in one of the EU Member States where end-users are located.  This means that companies will need to carefully assess what their obligations will be under both Regulations even if they are not based in the EU.”

What does the e-Privacy Regulation mean for electronic communications data?

Essentially, the e-Privacy Regulation requires electronic communications data (content and metadata) to be treated as confidential.

Except in very limited circumstances, the interception of electronic communications data – whether through human intervention or through automated processing by machines (for example, when tracking visits to a website) – is prohibited without the consent of the end-user concerned.  The standard of “consent” is the same under the e-Privacy Directive as it is under the GDPR (which includes a requirement that it must be as easy to withdraw as it is to give).

By way of example, that means that location data which is generated for the purposes of granting and maintaining access to an electronic communications service (such as an IoT device or an instant messaging service) must only be processed with the end-user’s consent.  Location data which is generated other than in the context of providing electronic communications services would not be subject to the same rules.

What does the e-Privacy Regulation mean for cookies (and similar technologies)?

There are some significant changes to the rules protecting end-users’ terminal equipment.  These include the protection of information which is stored in or emitted by such equipment, and which is requested from, or processed in order to enable it to be connected to, another device or network equipment (for example, when connecting to a public Wi-Fi network).

These are the so-called “cookies” rules, which of course cover a much wider range of technologies and activities than simply posting and accessing cookies.  The recitals to the e-Privacy Regulation list spyware, web bugs, hidden identifiers, tracking tools and device fingerprinting as the kinds of activities which can seriously intrude on the privacy of end-users and which are caught by the e-Privacy Regulation.

Interference with an end user’s equipment is generally only allowed with the end-user’s consent, and for specific and transparent purposes.  This is already the position under the e-Privacy Directive; except that under the e-Privacy Regulation, consent is now required at the more stringent level required under GDPR.

Methods of obtaining consent

The e-Privacy Regulation suggests a new approach to obtaining consent for cookies (and similar technologies), compared with the current position where (in the Commission’s view), “end-users are overloaded with requests to provide consent”.  The e-Privacy Regulation expressly provides that software applications which permit the retrieval and presentation of information on the internet (such as web browsers) should – on installation – offer a range of privacy settings; from higher (to reject all cookies), to lower (to accept all cookies), to something in between.

To obtain valid consent, web browsers should require a clear, affirmative action from the end-user, indicating their freely given, specific, informed and unambiguous agreement.  The e-Privacy Regulation does not (quite) go as far as saying that the default settings should be to reject all cookies; although some will argue that is the implication.  Whatever choice is made by the end-user, it must be respected.

This will all sound very familiar to those who are aware of Do Not Track (DNT) as a means of disabling tracking technologies.  Most organisations do not currently recognise DNT signals (and expressly say so in their privacy or cookies policies).  That may be about to change…

Flemming Moos, Partner in Osborne Clarke’s Hamburg office, comments: “it remains unclear what this precisely means for third-party cookies which are an essential feature of online behavioural advertising services. In order not to dry out an important source of finance for the free internet, the “privacy by design element” must be applied with caution, here.”

Exceptions to the requirement to obtain consent

As under the current e-Privacy Directive, there are circumstances in which consent to interfere with an end user’s equipment – including to place cookies and similar tracking tools – will not be required.

The good news for service providers is that, under the e-Privacy Regulation, the scope of the exceptions appears to be wider.  Cookies (or similar) no longer need to be “strictly” necessary, nor must the service be “explicitly” requested by the end-user.  The recitals suggest a broader approach that would allow cookies without consent for purposes such as form filling, language preference and shopping cart functionalities. The Regulation also permits cookies without consent for web audience measuring, provided that it is carried out by the provider of the information society service.

In practice, cookies and similar technologies will sit on a sliding scale – with privacy-neutral cookies at one end, and more intrusive uses of technology at the other end.  The e-Privacy Regulation should prompt a review of organisations’ existing technologies to ascertain where they sit on the scale (and the implications of that), and a mechanism for assessing the impact of any new technologies.

What does the e-Privacy Regulation mean for direct marketing?

Electronic communications

The most significant change to the direct marketing rules is that they would now apply to communications sent via OTTs (such as instant messaging services and in-app notifications), as well as automated calls, e-mail and SMS.  This is because (in the Commission’s view), “the degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct electronic communications”.

The basic position remains that prior opt-in consent is required for electronic communications.  The “soft opt-in” exception is also still available for communications sent to existing customers promoting similar products or services, subject to an opt-out being offered at the time of data capture and with each message.

Nick Johnson, Partner in Osborne Clarke’s London office, explains that “there was some concern, in that the same rules (requiring opt-in consent to electronic communications) would apply to communications sent to company employees (that is, B2B marketing).  That would be contrary to the position in some Member States at the moment, which allow B2B marketing (to certain employees) without any opt-in requirement.  However, it would seem that, in the draft e-Privacy Regulation, the opt-in requirement only applies to B2C marketing.”

Telephone marketing

The e-Privacy Regulation maintains the position under the e-Privacy Directive, that Member States are free to provide for either an opt-in or an opt-out regime for unsolicited communications by way of voice-to-voice live calls.

Eye-watering penalties

The draft e-Privacy Regulation includes a much tougher sanctions regime that will make businesses sit up and take notice of it.

In line with the position under the GDPR, infringements of the e-Privacy Regulation would be subject in some cases to fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher), and in other cases to fines of up to €10 million or 2% of worldwide annual turnover.

The e-Privacy Regulation also gives end-users the right to sue for compensation for “material or non-material damage” caused by any infringement, although the possibility of class actions (which was included in a leaked version of the draft) seems to have been removed.  Natural or legal persons other than end-users affected by infringements of the e-Privacy Regulation, but who have a legitimate interest in the cessation or prohibition of alleged infringements – which might include competitors, for example – also have a right to bring legal proceedings.

The e-Privacy Regulation will be enforced by national data protection authorities.  To facilitate effective co-operation between those authorities, the e-Privacy Regulation incorporates the co-operation procedure (the “one-stop shop”) from the GDPR.

What next?

The e-Privacy Regulation now needs to make its way through the European Union’s legislative procedure, which will see it pass through the European Parliament and the Council up to three times, depending on how many (if any) changes are proposed.

The ambition (as expressly stated in the draft e-Privacy Regulation) is that it will apply from 25 May 2018, the same day that the GDPR comes into effect.  For those who remember patiently waiting for the GDPR to be agreed (over the course of four long years of negotiation), that timeline may seem a little optimistic.

Mark Taylor, Partner in Osborne Clarke’s London office, observes that: “if there are delays in the legislative process, then the new e-Privacy Regulation may or may not be caught by the sweep-up transposition provisions of the UK’s proposed “Great Repeal Bill”. If there are delays so that it is not caught, then it is possible that it will not apply in the United Kingdom following its exit from the European Union.  The UK Government has confirmed that the GDPR (and, most recently, the Network and Information Security Directive) will be implemented in the UK despite Brexit; will it say the same about the e-Privacy Regulation?”