The world of privacy regulation is steeped in controversy, and the EU’s proposed ePrivacy Regulation (ePR) fits in perfectly. The ePR was drafted in September of 2016, in an attempt to replace the ePrivacy Directive of 2002 with a regulation that better aligns with the General Data Protection Regulation (GDPR). The central focus of this proposed regulation is to protect EU citizens’ and residents’ right to data privacy, as well as respect for private life and communications, by establishing a new privacy framework for electronic communications.
The ePR seeks to align with the GDPR by taking its principles and transforming them into specific rules. It also supplements the GDPR with new requirements around the handling of electronic communications data.
Because the European Commission is proposing a regulation rather than a directive, making it legally binding for all EU Member States, it has been met with some pushback. Its requirements are more detailed than the Directive’s and include penalties for non-compliance.
The controversy around the regulation has resulted in multiple drafts of the ePR – we’re now on the fourth version. The original text was officially proposed in January of 2017. Then the European Council issued redrafts in September and December, and Parliament published amendments in October of 2017. A new working draft was recently released by the Council on March 7, 2018. A final draft of the regulation has yet to be approved by the Commission, Council, and Parliament, and the draft is still open for revision.
In this post, we’ll look at the most significant and contested provisions of the ePrivacy regulation, including the scope of the regulation, the legal basis of consent, and cookies and WiFi tracking.
While the ePrivacy Regulation and the GDPR both revolve around the core principles of data privacy, they stem from two different articles of the European Charter of Human Rights. The GDPR focuses on Article 8 of the Charter, which provides for the protection of personal data. The ePR is in accordance with Article 7 of the Charter, which concerns a data subject’s right to privacy, specifically privacy of electronic communications. The ePR will dramatically impact the way companies interact with EU citizens and residents and handle their personal data.
The scope of the ePR is intentionally broad, applying to all electronic communications services (ECS), including businesses that provide WiFi and Bluetooth connections at certain locations (like a coffee shop or airport), and providers of electronic messaging tools (emails, instant messaging apps, websites).
Companies most impacted by the ePR will be those that provide media content via the Internet, (also known as over-the-top (OTT) communications). Examples of these companies include Facebook, Skype, WhatsApp, and other social media and online dating sites. The regulation will compel OTT companies to provide higher levels of privacy around the communication services they provide.
The requirements of the ePR applies to electronic communications (i.e., emails, instant messages) as well as metadata (phone calls, social media posts). According to the regulation, all electronic communications and metadata must be treated the same and must remain confidential.
The ePR proposes that consent be the only lawful basis for the processing of personal data handled in electronic communications. The ePR’s requirements for consent align with those of the GDPR. However, this proposal has not been well received by all. Many organizations rely heavily on the lawful basis of legitimate interest because it has the broadest definition under the GDPR and offers companies the ability to process data without consent. But EU authorities have stated that they believe that organizations are using legitimate interest as a loophole and are seeking to include a directive in the final draft of the ePR that will push organizations to use a more defined legal basis for data processing.
While the basic principles of consent under the ePR line up with the GDPR, it does have more stringent requirements in a few areas. One of these is the Right to Withdraw. Under the ePR, data subjects should be provided with the opportunity to withdraw consent every 6 months. But some EU authorities believe the ePR’s specific requirements here may actually undermine the GDPR. Consent has been the most redrafted issue in the Commission’s original ePR document and was amended by the European Parliament.
Commission's Text | European Council's Redraft | Parliament's Amendment |
End-users (data subjects) shall be given the possibility to withdraw their consent at any time as set forth under Article 7(3) of Regulation (EU) 2016/679 and be reminded of this possibility at periodic intervals of 6 months, as long as the processing continues. |
End-users shall be reminded of the possibility to withdraw their consent at periodic intervals of [no longer than 12 months], as long as the processing continues. |
Users shall be given the possibility to withdraw their consent at any time to set forth under Article 7(3) as long as the processing continues. |
Tracking data subjects using cookies or a WiFi or Bluetooth connection comes under greater scrutiny under the ePR. The regulation prohibits companies from using consent collection methods that force users to agree to tracking in order to receive access to services. Therefore, companies will no longer be able to use website pop-ups as a method of requesting consent for the use of cookies. Under the regulation, any use of cookies must be for a specific purpose. The ePR provides three purposes for tracking:
Cookies must be tracked within the software and the user’s browser, so users can change cookies settings to fit their needs.
The original draft of the ePR also contains provisions for the protection of data subjects using public WiFi. That initial draft stated that tracking an individual’s location through a WiFi or Bluetooth connection was permitted. However, in response, Parliament and the Working Party proposed solutions that would require businesses that have locations which provide WiFi to obtain a data subject’s consent before tracking and to post a notice on the possible dangers of using their WiFi connection in a prominent place.
The ePR’s penalties are identical to those of the GDPR. Violations of the regulation will range from 2-4% of the organization’s worldwide revenue, depending on the severity of the violation. The regulation also allows data subjects to sue any organization that violates ePR requirements.
The European Commission’s proposal for the ePrivacy Regulation has been met with controversy and a seemingly constant stream of changes. The implementation date is set to follow the GDPR, which means it could be any time between the end of May 2018 and Summer 2019, but no official date has been announced. At this point, the best next step is to monitor the proposed regulation closely. (Sign up for our Privacy Pulse newsletter to get updates right to your inbox.) The full scope of how the Regulation will affect organizations cannot be determined until it is actually implemented, but companies can keep a watchful eye on its changes and amendments to help prepare. However, companies who are implementing the GDPR may be a step ahead when it comes to ePR compliance, as the two align in many areas.
To learn more about preparing for compliance with the ePR and GDPR, schedule a meeting with one of our privacy experts.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.