Yesterday, January 10, 2017, European Commission announced its proposal for new Regulation on Privacy and Electronic Communications (ePrivacy Regulation) that will supplement General Data Protection Regulation (GDPR) and replace existing ePrivacy directive.
Aim of new ePrivacy regulation is to harmonise data protection framework relating to electronic communications within the European Union and ensure consistency with the GDPR. Main changes introduced by ePrivacy Regulation are:
- Greater scope of coverage. If current ePrivacy Directive only applies to traditional telecoms operators, new rules will also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
- Same law to whole EU. Current Directive that has to be adapted into each Member State’s law will be replaced with a directly applicable Regulation meaning the same ruleas and protection for electronic communications.
- Protection for content and metadata. Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Under the proposed rules, operators will have to anonymis or deleted both content and metadata if users have not given their consent, unless the data is required, for instance, for billing purposes.
- Simpler rules on cookies. Regulation will streamline so called “cookie provision” that resulted in an overload of consent requests for internet users. New rules will provide an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. No consent will be needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies set by a visited website counting the number of visitors to that website.
- Opportunities for new services. With a customers consent traditional telecoms operators will have more opportunities to use communications content and/or metadata data to provide additional services.
- Protection against spam. Proposed Regulation bans unsolicited electronic communication by any means including emails, SMS and also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
- More effective enforcement. The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.
Commission emphasis that the proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.
Breaches of ePrivacy regulation will be punishable under GDPR and mean penalties up to EUR 20 million or 4% of the total worldwide annual turnover of company group, whichever is higher.