Chatting on bridge

Data protection: the new ePrivacy Regulation

Published on 20 March 2017

The EU Commission has published its proposal for a new ePrivacy Regulation.

Key takeaway

As if there isn’t enough to think about with the General Data Protection Regulation (GDPR) (now just over a year away), the EU published a new draft Regulation on 10 January 2017 specifically addressing direct marketing, cookies and online monitoring. This will have a profound impact on messaging services, social media, VoIP and IoT technology and deserves careful study by almost every communication business, whatever the operational model.

The background

The new ePrivacy Regulation (Regulation) will replace the current Directive on Privacy and Electronic Communication (2002/58/EC) (PECD), implemented in the UK by the Privacy and Electronic Communications Regulations 2003 (PECR). The Commission has proposed that the Regulation should apply from 25 May 2018, in order to align with the GDPR coming into force.

The key development

The key developments include:

• Scope: Since PECD was implemented, new communication services have appeared, taking over from telephone calls and SMS messages. The new Regulation will cover Over-the-Top (OTT) communications services as well as the more traditional communications services. OTT services include instant messenger services (eg Messenger, WhatsApp), VoIP (eg Skype) and web-based email services (eg Gmail). It will also apply to machine-to-machine communications where personal data is transmitted, so catching IoT. “Electronic communications services” has a broad definition so almost all services with a communications element will be caught (even if ancillary to another service eg video games, dating apps). As now under PECD, any direct marketing, cookie use or tracking will be subject to the rules, whether the marketer falls within the definition or not.

• Extra-territorial effect: as with the GDPR, the Regulation will “bite” regardless of whether the processing takes place in the EU.

• Fines: the levels vary between (a) the higher of 20,000,000 EUR or up to 4% of global annual turnover (so the same as the GDPR) for breaches of confidentiality, unlawful processing of electronic communications, and time limits for erasure and (b) the higher of 10,000,000 EUR or up to 2% of global annual turnover for breaches of cookie info/consent rules, privacy by design, unsolicited communication (eg opt in) and publicly available directory provisions.

• B2C direct marketing: existing marketing consents (opt in, opt out – including “soft opt in”) remain the same as for PECR and similar transparency requirements apply (eg marketer identity, ability to opt out and that the message is a marketing communication). Key points:

– all direct marketing communications are caught (eg instant messaging, Bluetooth, MMS)
– organisations must still obtain consent prior to sending any direct marketing (ie commercial electronic communications) and such consent can be withdrawn at any time
– “soft opt in” remains (as under PECD) for existing customer relationships offering similar products or services in the context of a sale of a product or service (noting that the UK’s PECR is currently broader, extending to “sale or negotiations for a sale”)
– live telemarketing calls may still be made “opt out” by Member States, as currently in the UK.

• B2B direct marketing: The draft Regulation leaves it to Member States to ensure that the legitimate interests of corporate end users are suffciently protected from unsolicited communications.
• Content and metadata: Both are confidential and any interference is prohibited. Save for transmission or security, user consent must be obtained to use browsing history or metadata (eg timing or location data) or else be anonymised or deleted, unless the data is required for certain purposes (eg billing). Consent to both content and metadata for the provision of services can be withdrawn at any time, and service providers must remind users every six months of the right to opt out. There are specific (stricter) rules on content. Providers of electronic communication services may process content only:

– where the end user’s consent has been obtained for the processing and it is carried out for the purpose and the duration strictly necessary and proportionate for such service, or
– all end users have provided their informed consent to the processing of the content and the purpose cannot be fulfilled by processing information that has been made anonymous and the provider has consulted the supervisory authority prior to the processing.

There are also new rules on the storage and erasure of metadata and electronic communications content, in that this will need to be erased or rendered anonymous once the permitted purpose has been fulfilled.

• Cookies: The big change is the focus on browser settings. There are specific obligations on service providers to provide consent settings to individuals, which must be as simple as possible (eg “always accept cookies”, “never accept cookies”, “reject third party cookies”). Software installed before 25 May 2018 (if the Regulation is implemented by then) must offer the option settings on their first update and at the latest by 25 August 2018. What this means in practice is that website providers using cookies for marketing, tracking and behavioural purposes will need to consider the user’s browser consent settings. Put another way, websites may still choose to obtain opt-in consents to override the settings consents and in turn this may mean that the dream of a less pop up/banner-laden cookie world may yet take some time to materialise.

• Device information: The collection of device information is prohibited (eg for Wi-Fi log in), beyond connecting the device, unless a “clear and prominent” notice is displayed “on the edge of the area of coverage” with the relevant explanatory information (eg as to use, how collected and identity of the collecting entity).

• Ad blockers: There is no express regulation of ad blockers, but website providers are able to check if an end user’s device is able to receive the content requested, without seeking end user consent. And the website can then ask the end user if he/ she wants to switch off the ad blocker for the relevant website.

• Nuisance calls: Caller line identification and call blocking are also covered under the Regulation, and the rules are also updated for public directories.

Why is this important?

To stress, the current proposal is only a draft, and the new Regulation will be subject to a potentially lengthy legislative process between the European Parliament and the EU Council – noting that the European Parliament has already publicly said that it is disappointed with the lack of a requirement for explicit opt-in consent. Other key areas for thought:

• AdChoices: this works on an opt out basis…so how will this scheme operate if in fact end users are notifying their consents via browser settings (eg via a “do not track” activation button on their browser)?

• More consent pop-ups? Will web publishers become the focus for obtaining explicit consent from end users for tracking/behavioural advertising? In effect, seeking to override the “do not track” setting the end user may have chosen on browser activation?

• Is the UK lining up for a fall on the “adequacy” requirement? The new Regulation places particular emphasis on protecting the confidentiality of communications. But yet how does this sit alongside the new Investigatory Powers Act 2016 (which gives vast powers to the UK’s law enforcement bodies to disrupt terrorist attacks?) It’s quite possible that the UK will find itself ostracised from digital Europe, in a way that echoes the demise of the US Safe Harbour regime.

Any practical tips?

Audit…now! This means reviewing your full consent mechanisms, whether cookie reliant or not, in order to ensure that your business can continue to communicate with consumers in the way it wants to. Like the GDPR, the ePrivacy Regulation may only be just over a year away and achieving legal, and technical, compliance with the new rules will take significant time, wherever your business sits within the communications chain. While there may be considerable EU Parliamentary debate still to be had, the Regulation gives the clearest sign to date of what the new, consumer-facing data rules may look like from May 2018. And there is no time to lose in getting ready for the new data world order.