7 key changes to the current ePrivacy Directive: another major mountain to climb?
As companies have rallied over the past months to reach the General Data Protection Regulation (GDPR) base camp, they now have to get ready for the ePrivacy Regulation (ePR), which will most likely apply from 2019. It is the next step in the Digital Single Market strategy of the European Union, and it will be another major mountain to climb.
In January 2017, the European Commission published a draft of the ePR to replace the ePrivacy Directive (ePD). The ePD was a response to the rapidly growing digital mobile networks and the development of the information society around the year 2000. In 2009 the ePD was amended by Directive 2009/136/EC, the infamous "cookie law". However, it became clear that even with this change the ePD could not keep pace with technological and legislative developments.
7 key changes to the current legislation
The European Commission has proposed repealing and replacing the ePD with the ePR, extending the scope to new communication technologies and aligning the ePR with the GDPR. The proposal will bring about some key changes to the current legislation:
- New ‘over-the-top’ communications services, such as WhatsApp, Facebook Messenger or Gmail, will be covered by the ePR. It is also meant to apply to the transmission of machine-to-machine communications, covering new technologies like the Internet of Things.
- The ePR will be directly applicable in all Member States of the EU and will, most likely, be enforced by the supervisory authorities that monitor the application of the GDPR.
- The ePR will have the same approach to consent of the data subjects, data breach notifications and technical and organizational measures as the GDPR. The supervisory authorities will have the power to impose administrative fines.
- Both content and metadata (together: electronic communications data) are treated as confidential. Interfering with content such as text, sound and video, or with metadata such as the data used to trace and identify the location, source and destination of a communication and its date, time, duration and type, is prohibited. Processing electronic communications data is only permitted when the relevant end-user(s) have consented or when the Regulation itself allows the processing as necessary.
- Consent will be required before a cookie can be placed. Consent is not required for non-privacy-intrusive cookies that improve internet functionality (e.g. remembering a shopping cart), for cookies that facilitate the collection of analytical data, or for security updates (automated downloads needed to guard the device against security breaches). Consent must be unambiguous and will require an affirmative action, in alignment with the GDPR.
- Under the ePR, browser manufacturers and mobile operating system providers (iOS/Android) will be responsible for offering a ‘tracking consent option’ upon installation of the software on the user's device, so that users can express their consent before they start browsing the internet. This subject, however, is heavily debated.
- Consent of the end-users is required before commercial electronic communications for direct marketing purposes are sent to them. However, if the contact details for electronic mail have been obtained in the context of the sale of a product or service, they may be used for direct marketing of similar products or services of the original seller. An opt-out is mandatory in that case.
Impact of the ePR
There is still much debate concerning the impact of the ePR in its current form. Just to name two issues:
Where the GDPR provides multiple lawful bases for the processing of personal data, the current proposal for the ePR mainly talks of consent. This raises questions, because under the GDPR consent is only one of several lawful bases. ‘Performance of a contract’, for example, is not mentioned in the ePR as a lawful basis for processing communications content, although it would provide a legal basis for processing the same personal data under the GDPR. So the question is whether an organisation that already relies on a GDPR basis must additionally obtain ‘consent’ to comply with the ePR. Multiple parties have advised adding further legal grounds for the processing of communications data to the ePR.
Another issue that is up for discussion is the requirement for browsers to offer settings for upfront cookie consent. This proposal has raised concerns about the burden it places on browsers and apps. It is unclear how an end-user can consent upfront to future cookies without knowing who the controller is or what the cookie will do. Furthermore, it is uncertain which party is responsible when, due to a miscommunication between the browser and the website, a tracking cookie is installed on the user's device without consent having been obtained.
DPA Privacy Sherpas
It is unclear how these and other discussions will develop. However, DPA Privacy Sherpas will make sure to bring the right knowledge and equipment for your organisation to start climbing. We recognise and monitor changes in legislation and technology on a daily basis and adapt our approach to the summit accordingly, so that no data protection surprise goes unnoticed. If you would like more information, please contact us or visit our page.