Will 2020 become the year of the ePrivacy Regulation?
The GDPR has had a great impact on privacy and data protection: individuals and organizations globally were affected. It seems that organizations realize they must take measures to stay in control. It is important to realize that in addition to GDPR, the ePrivacy Regulation (“ePR”) will come into effect soon.
ePR aims to update the existing European legal framework applicable to electronic communications. It will replace local privacy laws and particularize and complement GDPR. ePR will be a regulation rather than a directive, which will have an impact on its applicability. Additionally, it will be a so-called “lex specialis”, which means it focuses on a subset of data protection, namely confidentiality of electronic communication, whereas the GDPR as a “lex generalis” covers the broader scope of data protection in general.
ePR is currently in draft, which means there is no consensus on the final text and it is unclear when it will be finalized. The European Council is still in the process of discussing the draft, but we know that the requirements in the ePR aren’t completely new. Many of the requirements in ePR are already part of the ePrivacy Directive (“Directive”), which came into effect in 1995 and is still in effect today (albeit in an updated version). In the Netherlands, the Directive is implemented in the Telecommunication Act (“Telecommunicatiewet”). The UK equivalent is called the Privacy and Electronic Communications Regulations or “PECR”. These national laws are commonly known as “cookie laws”, which is a misleading name, since the Directive covers much more than just cookies.
Key elements of the draft ePR
Article 5 forms the core of ePR. It provides that electronic communications data shall be confidential, and that any interference shall be prohibited. ePR provides a number of exceptions to this prohibition. In other words: third parties cannot interfere with (personal) electronic communication between individuals, unless an exception applies.
Since ePR is a draft that is subject to change, it is unclear which elements will and will not be included in the final version. At this point, the key elements of ePR are:
- Regulation vs directive: The new law will be a regulation with a direct effect on all EU member states, which means it does not require implementation into national law. The current law is a directive, which does not have direct effect. The main advantage of a regulation is that it harmonizes e-privacy laws throughout the EU. As a result, e-privacy laws will be the same in principle in each member state.
- Data and metadata: ePR will apply to “electronic communications data” and to “electronic communications metadata”. The scope of ePR is therefore broader than GDPR. Firstly, electronic communications data is not limited to information relating to a natural person; it may, for example, also reveal information concerning legal entities. Secondly, it includes metadata: information such as the location of the end user, and the date, time, duration and type of communication.
- OTT services: ePR will also apply to so-called “over the top” (“OTT”) service providers, whereas the Directive only applies to “traditional” service providers (e.g. fixed-line telephones and SMS). OTT service providers include services such as Skype, web-based email and social media communication channels (WhatsApp, Facebook Messenger, etc.). As a result, individuals using OTT services will be equally protected, and OTT service providers will have to comply with the same rules as traditional service providers, creating a “level playing field”.
- Cookies: The European Commission acknowledged that the rules in the Directive regarding cookies have been ineffective, resulting in “cookie-consent fatigue”. It therefore aims to update the cookie rules. However, this is an issue that is heavily debated. It is uncertain whether browser settings will allow users to accept all cookies, and whether cookie walls will be allowed.
- Enforcement: The Dutch Data Protection Authority (“AP”) will be the supervisory authority responsible for monitoring the application of ePR. Under the Directive, the Dutch Authority for Consumers & Markets (“ACM”) is responsible. Combining the authority to monitor both GDPR and ePR means that enforcement of privacy laws is centralized. At the same time, fines under ePR will be the same as under GDPR: a maximum of EUR 20 million or 4% of the total worldwide annual turnover.