The new E-Privacy Regulation: what it will mean for businesses
On 10 January 2017, the European Commission published the proposed text for a new E-Privacy Regulation. The legislative aim is that the draft regulation will bring over-the-top communication services into scope and, as it is a regulation rather than a directive, harmonise the legal approach in this area across EU member states. This will reduce compliance costs for companies in the long term.
On 10 January 2017, the European Commission published the proposed text for a new E-Privacy Regulation (the draft regulation). If adopted, the draft regulation will replace the current E-Privacy Directive (2002/58/EC) (the Directive) and establish, together with the General Data Protection Regulation (679/2016/EU) (GDPR), a new privacy legal framework for electronic communications (see box "Impact of Brexit").
Since the Directive's last update in 2009, there has been a revolution in the electronic communications sector, with the use of over-the-top (OTT) communications service providers overtaking more established forms of electronic communications (www.practicallaw.com/5-500-8201) (see box "Over-the-top communications"). The legislative aim is that the draft regulation will bring OTT services into scope and, as it is a regulation rather than a directive, harmonise the legal approach in this area across EU member states. This will reduce compliance costs for companies in the long term.
Probably to ensure consistency, the draft regulation states expressly that it will come into force on the same date as the GDPR; that is, 25 May 2018. This represents an ambitious timeline for EU legislators as there are still many legislative hurdles to overcome before the draft regulation is approved and, in addition, there is already controversy over its broader scope. Nonetheless, companies should start including the new requirements in the scope of their GDPR readiness projects (see feature article "General Data Protection Regulation: a game-changer" (www.practicallaw.com/2-632-5285)).
Who will be affected?
The draft regulation will apply to all providers of electronic communications services, such as voice-over-internet protocol, text message and email providers. Video game companies, travel sites, hotel recommendation sites and dating apps should all expect to fall within the scope of the draft regulation if they offer any electronic communication tool to their users, even if it is ancillary to the main service. Internet of things devices have also been brought into the scope of the draft regulation; however, it remains to be seen how this will work in practice.
Content data and metadata
Under the draft regulation, electronic communications data, which includes both content data and metadata, may be processed when necessary for specific legal purposes, in order to ensure the security of communications or to allow the detection of technical faults or errors.
The draft regulation also creates separate specific rules applicable to the two different types of data:
Content data can be used either:
with the consent of the end user or users concerned, provided that the processing is necessary for the provision of the service; or
when all the end users concerned have given their consent for one or more purposes that cannot be fulfilled if the information is rendered anonymous. In these cases, the service provider must have consulted the competent national data protection authority (DPA) before starting the processing. Service providers will have to erase or render anonymous all content after receipt of that content by the end user or the third party which is entrusted by them to record, store or otherwise process that data.
Metadata can be used either:
when necessary for mandatory quality of service requirements, billing, calculating interconnection payments, or detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services; or
when the end user's consent has been given for one or more purposes that cannot be fulfilled if the information is rendered anonymous. In these cases, the service provider must have consulted the competent DPA before starting the processing. Once the permitted purpose has been fulfilled, the metadata must be erased or anonymised. In the specific case of processing for billing purposes, this period will end once a bill can no longer be challenged.
Cookies and consent
Under the draft regulation, consent is not required for cookies that are either:
Necessary for the sole purpose of carrying out the communication.
Strictly necessary and proportionate for the legitimate purposes of enabling the use of a specific service requested by the end user.
Therefore first-party cookies (which are planted by the website that a user visits) and first-party analytics should not require consent, provided that they are necessary for the functioning of a website. There is also a derogation which means that consent is not necessary for first-party cookies that are used to measure web audiences.
The draft regulation allows consent for third-party cookies (which are planted by parties other than the owner of the website a user visits) to be provided through browser settings, thereby mandating significant changes for providers of browsers. They should require a clear affirmative action from the end user of terminal equipment to signify his freely-given, specific, informed and unambiguous agreement to the storage and access of third-party tracking cookies in and from the terminal equipment.
The draft regulation poses a challenge to any website using Google Analytics or other analytics software. Under the draft regulation, all developers of software that permits electronic communications must offer the option of preventing third-party cookies. They must inform the end user during the initial set up about the privacy settings options and require the end user to consent to a setting before the end user can continue with the installation.
Companies will need to think carefully about how they obtain user consent and ensure that they clearly explain the purpose of third-party cookies as, if the end user refuses to give consent, browsers are legally obliged to immediately block these cookies.
How this will play out in practice remains to be seen. For example, if a user consents to the use of third-party cookies on one website and refuses consent on another, there needs to be a mechanism for the browser to deal with the conflicting consents.
Relevant web browsers and software developers should be aware that if non-complying software has already been installed at the date when the draft regulation enters into force, it will need to be updated to bring it into compliance with the consent requirements at the time of the first update of the software, and no later than 25 August 2018.
Preparing for the future
Traditional players such as telecommunications companies, which already fall within the scope of the Directive, will find new business opportunities in relation to the possibility of processing content and metadata information. However, new players such as OTT communications service providers will need to incur additional costs to redesign and adapt their services to the new legal framework. Web browsers and electronic communications software providers will also have to invest in designing new privacy settings in line with the draft regulation and anticipate software updates to obtain users' consent to third-party cookies.
With the draft regulation suggesting fines of up to €20 million, or 4% of total worldwide turnover, for the unlawful processing of communications data, and envisaging a right to compensation and damages, it is important for companies to start to implement new internal compliance programmes. Many of the changes under the draft regulation are still controversial and their scope is unclear. Companies should expect guidance from the DPAs, which will be responsible for the enforcement of the draft regulation, in order to further clarify the scope of their obligations.
Guadalupe Sampedro is a partner at Bird & Bird LLP.
The E-Privacy Regulation is at https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications.
Impact of Brexit
The government's self-imposed deadline for triggering Article 50 of the Treaty on European Union is the end of March 2017. The UK's departure from the EU is scheduled for two years from that date. In principle, the date of implementation of the proposed new E-Privacy Regulation (the draft regulation) will fall before the UK's departure date from the EU; therefore, organisations should assume that the draft regulation will apply in the UK.
In any case, non-EU companies should note that the draft regulation will also apply to non-EU providers that provide electronic services, both free and paid, to EU nationals. This means that UK companies providing electronic services to EU nationals will have to comply with the draft regulation in respect of those services, regardless of the UK's departure from the EU.
Over-the-top communications
Over-the-top (OTT) communications are content, services or applications that are provided to the end user over the open internet. OTT services, such as WhatsApp or Skype, challenge the traditional services provided by telecommunications operators.