The European Commission has published its draft e-Privacy Regulation which, if adopted, will replace the existing e-Privacy Directive. The Regulation broadens the scope of the Directive, enhances the confidentiality of communications, and simplifies the rules on cookies and unsolicited electronic marketing.
The Regulation expands the scope of the e-Privacy Directive, which only applies to traditional telecoms providers. It is proposed that the Regulation will apply to any business that provides any form of online communication service, so all internet-based voice and messaging services will be subject to the new rules. The Regulation calls these providers “over-the-top communications service providers”. So Skype, WhatsApp, Facebook Messenger, Gmail, Viber and so forth will all come within the Regulation’s remit. This will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators.
The Regulation guarantees the confidentiality of the content of a communication, as well as metadata (which includes traffic data and location data relating to a communication). It prohibits the interception of all electronic communications unless permitted by a Member State or EU law. The confidentiality of electronic communications data may be restricted by law where necessary to safeguard one or more of the general public interests specified in Article 23(1)(a) to (e) of the GDPR, such as to safeguard national security. The Regulation requires providers of electronic communications services to provide information to the relevant supervisory authority, on demand, about the number of requests received for access to end-users’ electronic communications data, the legal justification invoked and their response to the request.
The Regulation proposes that no consent is needed for non-privacy-intrusive cookies which improve the internet experience (for example, by remembering shopping cart history), or for cookies used to measure traffic to a particular website.
The Regulation simplifies and strengthens the rules on unsolicited direct marketing. It prohibits unsolicited electronic communications by any means, including email, SMS, and in principle phone calls, if users have not given their prior consent. So an opt-in will be required for all types of electronic marketing, except where an individual’s email contact details have been obtained in the context of a sale or service, in which case an opt-out is still possible.
Prior consent will also be required for marketing phone calls, unless national law gives consumers the right to object to the reception of such calls, for example by registering their number on a ‘do-not-call’ list. All marketing callers will need to display their phone number or use a special prefix number that indicates a marketing call.
The Regulation adopts all the definitions in the GDPR, so any consent obtained will have to comply with the burdensome conditions set out in the GDPR, and individuals must be given the right to withdraw their consent at any time. In addition, the Regulation requires individuals to be reminded of the possibility of withdrawing their consent at periodic intervals of 6 months, as long as the data processing continues.
The Regulation aims to align online privacy rules with the high standards of data protection set out in the GDPR, and provides for the same hefty fines of up to €20 million or 4% of turnover for non-compliance. The supervisory authority responsible for enforcing the GDPR will also be responsible for monitoring the application of the Regulation.
In regard to the confidentiality of electronic communications, it is worth noting that the Irish Government is currently drafting interception legislation, namely the Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill. The purpose of that legislation is to update the Postal and Telecommunications Acts 1983 and 1993, which only apply to Telecoms and Postal Service providers, to ensure that all communications delivered over the internet are subject to lawful interception.
The European Parliament and Council will now review the proposal. The Commission proposes bringing the Regulation into force on 25 May 2018, alongside the GDPR.