The EU Commission’s proposal for a new Regulation on e-privacy leaked before the holidays. The draft text of the Commission’s proposal for a Regulation repealing the Directive on Privacy and Electronic Communications (2002/58/EC) was not intended to be published until 2017. The official version of the proposal will probably still be published in accordance with the original schedule, i.e. sometime in January 2017. As the proposal is only a draft, it will probably change in some respects before the Regulation reaches its final form.
Replacing the old Directive with a new Regulation is a part of the EU’s Digital Single Market Strategy. The draft Regulation complements the General Data Protection Regulation ((EU) 2016/679, the “GDPR”) and includes many references to it. For example, the conditions concerning a data subject’s consent for the processing of its personal data are the same as those set forth in the GDPR. According to the draft, the scope of application of the new E-Privacy Regulation would be extended, and it would also apply, for instance, to social media service providers (including Facebook and WhatsApp).
One of the most significant novelties of the Regulation is that it would require the settings of all components of terminal equipment to be configured, by default, to prevent third parties from storing or processing information. In practice, this would mean that browsers on mobile phones and computers, for example, would in the future have to prevent e.g. ad-serving cookies by default. Apart from this aspect, the provisions related to cookies do not change much from the current legislation.
The restrictions regarding direct marketing are also broadened to a certain extent, as according to the draft text, direct marketing communications are only allowed in respect of end-users who have given their consent. However, in the draft’s current wording, direct marketing communications would mean any form of advertising to “identified or identifiable end-users”. As it is not defined to whom the end-user needs to be identifiable, the wording of the current draft text could lead to the Regulation being applicable even to e.g. Facebook advertising, which would mean that a user’s prior consent would be required even for this type of advertising. At the same time, the current possibility to market the same or similar products to the end-customer whose contact information has been collected in connection with the sale of a product or a service is also included in the new Regulation (with minor amendments, as usual).
Additionally, the Regulation sets out principles for the collection and processing of communications metadata and information relating to end-users’ terminal equipment, as well as for the presentation and restriction of calling and connected line identification, incoming call blocking, publicly available directories, the identification of direct marketing communications, and the role of data protection authorities.
The new Regulation seems to follow the path of the GDPR, and the administrative fines for any failure to comply with the Regulation are set remarkably higher than in the current Directive. According to the draft text of the proposal, the maximum administrative fine for certain infringements would be up to EUR 20,000,000 or, in the case of an undertaking, up to four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The Regulation becomes applicable as such, and hence, it does not leave much flexibility for the Member States. After the Commission has officially published the proposal for the Regulation, it will pass to the Parliament and the Council for consideration. As the Regulation complements the GDPR, it is possible that the aim of the Commission is to have the new Regulation become applicable at the same time as the GDPR, i.e. on 25 May 2018. Before that, a rather considerable amount of work remains to be done. In the meantime, we will keep you updated!
Associate at Hannes Snellman