Following the issue of the General Data Protection Regulation, the European Commission has now issued a proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (“Privacy Regulation”). The proposed Privacy Regulation is intended to repeal and replace the current e-Privacy Directive.
Both the proposed Privacy Regulation and the General Data Protection Regulation (“GDPR”) are meant to be fully effective in all EU Member States by May 2018.
The following are some of the most salient points from the proposed regulation:
1. The Privacy Regulation is intended to apply to any entity worldwide which provides publicly-available “electronic communications services” to, or which gathers data from the devices of, users in the European Union. Entities found to be in breach of the proposed Privacy Regulation may incur fines of up to 4% of their annual worldwide turnover. In this respect, the new Privacy Regulation can be considered to be in line with the provisions of the GDPR.
2. The Privacy Regulation will also introduce new rules for processing the content of communications and processing communications metadata. The term “metadata” replaces the definition of “traffic data” under the current e-Privacy Directive and refers to when, where and by whom the communication was issued and other related information. The new Regulation is intended to slightly widen the use of content and metadata when compared to the current Directive.
3. The Privacy Regulation will provide a new definition of the term “Electronic Communication Services” (ECS), thus extending the scope of the e-privacy rules to cover “Over the Top” (OTT) Services. The term ECS will be defined as ‘a service normally provided for remuneration via electronic communications networks’ which would include:
(a) internet access services;
(b) interpersonal communications services, both number-based and number-independent (such as Facebook Messenger, Skype, Viber, WhatsApp, Blackberry messenger and Gmail); and
(c) transmission services used e.g. for machine-to-machine communications (M2M).
4. The Privacy Regulation will also retain the exemption from the cookie consent requirement for analytics. However, the exemption only applies for first party analytics. This therefore means that third party analytics would still require consent.
5. The Privacy Regulation is also proposing that its application should, amongst others, be extended to software providers permitting electronic communications.
The proposed Privacy Regulation, much like the GDPR, is expected to have a big impact on data processing businesses. It remains to be seen whether the proposal will be accepted in full and whether the European Commission’s ambitious deadline for implementation will be met.
For more information or if you have any questions, please feel free to contact Dr Ian Gauci on firstname.lastname@example.org
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.