Those who think that the EU General Data Protection Regulation is a lot to contend with are now facing the prospect of a new Regulation replacing the 2002 ePrivacy Directive. A version of the draft Regulation leaked earlier this week indicates a potentially significant impact on any organisation, whether based in the EU or elsewhere, that uses metadata, tracking software or other tools to monitor online behavior. And as under the GDPR, sanctions for non-compliance may reach 4% of global annual revenues. Moreover, the draft proposes private class action enforcement.
The 2002 ePrivacy Directive (as substantially amended in 2009) principally regulates telecommunication providers, but also includes rules on cookies and spam. If implemented as currently written, the draft e-Privacy Regulation would:
- Extend the scope of ePrivacy rules to cover explicitly voice over Internet providers, as well as telecommunication providers
- Apply rules to new tracking and e-marketing technologies
- Align privacy concepts (consent, data breaches, territorial scope, fines,…) with the GDPR
- Amend the rules on secrecy of communication metadata to require record deletion as soon as the communication has been made, unless a specific retention justification exists.
Extending ePrivacy to VOIP and IoT
Providers of telecommunication services over internet (VoIP or “over-the-top” (OTT) players, including messenger apps) are not included in the current ePrivacy Directive, even though their services may be seen by end-users as functionally equivalent to traditional telecommunications providers. To level the playing field, the draft text of the Regulation features a technology neutral approach applying to 'any exchange of information using electronic communications services and public communications networks, including content and metadata' (e.g. location data and device fingerprints). The Regulation would also apply to hotspot services and cover machine-to-machine (M2M) communications which are fundamental to the development of the internet of things (IoT).
Expanded privacy rules
The draft Regulation would also spell big changes for a variety of actors beyond traditional telecoms providers:
- Regulation: By avoiding the need for transposition into national law, the Regulation will be directly applicable and leave less room for divergent national laws.
- Territorial scope: The Regulation would apply to electronic communications data processed in connection with the provision of electronic communications services in the EU, regardless whether the processing takes place in the EU, and to the protection of information related to the terminal equipment of end-users in the EU.
- Tracking tools: The Regulation confirms that the current cookies rules apply universally to all end-users, irrespective as to whether they are individuals or corporate subscribers. The new rules critically apply a more stringent approach to consent - requiring "opt-in" consent to be secured (as defined by the GDPR) before deploying any third party or non-essential cookie. To further protect end users from unwanted tracking, device firmware and browser software must be configured to restrict these cookies by default (i.e. unless the end user subsequently accepts a cookie or changes settings). The rules extend beyond cookies and pixel tags to cover any form of tracking tool, including tools that “interfere” with the terminal equipment without storing any code on the user device (such as by using the terminal equipment’s processing capabilities).
- Communications secrecy: Metadata from all types of providers will need to be deleted except as permissible under the current exceptions (e.g. billing, quality control or cybersecurity ) or if prior consent is provided by the end-user.
- Spam: The Regulation confirms that anti-spam rules will apply universally to all subscribers (including both individual and corporate email addresses). Direct e-marketing will not be permitted unless the end-user has consented, or unless to existing customers for similar products (with an opt-out option required). The Regulation would permit Member States by law to conduct voice-to-voice marketing on an opt-out basis.
- Breach notification: The procedure for ISPs and telecoms providers to report breach notifications – which was introduced in the 2009 ePrivacy amendments – is to be aligned with the breach notice requirements in the GDPR.
- Enforcement: As with the GDPR, a violation of the e-Privacy Regulation could be fined up to 4% of the total worldwide annual revenues; data protection authorities would be given powers to enforce certain provisions of the Regulation.
The draft text of the proposal is expected to be finalized in January 2017, after which it will be reviewed by the European Council (comprised of EU Member State representatives) and the European Parliament; this process could take several months or even years. Once finally adopted, the draft text currently provides for a 6 month transition period.