No. 54

ePrivacy Regulation:
What Changes in 2018?

The rise of the Internet, smartphone and social media has changed the way we communicate and do business. Therefore the European Commission maintains its focus on updating the legislation in order to keep up with the technological development and consumer behaviour.
In May 2018, two sets of new European rules are coming into force. The General Data Protection Regulation (GDPR) - explained in the EPTDA’s previous EU Monitoring Report -  is the first one and sets the guidelines regarding the protection of personal data.
The second one is ePrivacy Regulation, which updates the existing ePrivacy legal framework, more specifically the EU ePrivacy Directive, which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies. It is equally important and concerns the confidentiality of communications. In a world where we text, send messages via apps, make videos or GIFs, chat on social media - and promote our businesses using all these new technologies - it is vital to have a legislation that covers these aspects of our personal and professional life.
The ePrivacy Regulation aims to ensure stronger privacy in electronic communications, while opening up new business opportunities. That's why the EPTDA's members need to be aware of these legal changes.

Better Online Protection and New Business Opportunities

The proposed Regulation on Privacy and Electronic Communications will increase the protection of people's private life and open up new opportunities for business, according to the European Commission.

On one hand, the new legislation foresees providing additional protection for electronic communications by limiting and specifying the legal grounds on which basis these data can be processed.

On the other hand, Giovanni Buttarelli, the European data protection supervisor, says it will also create new jobs in the privacy sector. "We may create an unbelievable amount of new professions, jobs, opportunities for European Union small and medium size enterprises", he told EU Observer, back in October.

According to the European Commission, the real impact of the ePrivacy Regulation consists in:
  • New online players: The current ePrivacy Directive only applies to traditional telecoms operators. But with this new regulation, privacy rules will also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
  • Stronger rules: All people and businesses in the EU will enjoy the same level of protection for their electronic communications. Also, there will be one single set of rules applied across the entire EU.
  • Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
  • New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The so called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
  • Protection against spam: The new legal framework on ePrivacy bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

Further Recommendations

Also, The European Data Protection Supervisor (EDPS) has released further recommendations on specific aspects of the proposed e-Privacy Regulation.

With the focus being placed on the need to ensure legal certainty and a high level of privacy and data protection, the recommendations discuss various aspects of the e-Privacy Regulation, including the following:

  • Legal grounds for data processing – The rule stating that electronic communications data may only be processed in accordance with the legal grounds specified in the Regulation should apply to providers of electronic communications services as well as any other parties.
  • Legitimate interest as a legal ground - Legal grounds under the e-Privacy Regulation must not include legitimate interest. The EDPS considers that an additional exemption to the confidentiality of communications based on legitimate interest (as some amendments to the e-Privacy Regulation currently suggest) would risk taking that protection away.
  • Confidentiality of electronic communications data – This provision covers only electronic communications data while in transit (i.e. until receipt of the content of the communication by the intended addressee). The EDPS considers that the provision should be extended to cover communication when stored by the provider or any other party (such communication would, for example, be the content of emails stored in the "cloud").
  • Ensuring that consent is given the same meaning as in the GDPR – The EDPS supports amendments clarifying that all provisions related to consent (including the requirement for consent to be freely given and specific) should apply also for the purposes of the e-Privacy Regulation.

Next Steps

Although the opinions issued by EU regulators are non-binding, they may influence the reformation of the existing legal framework should they be taken on board by the Parliament and Council in the course of the legislative procedure.

The e-Privacy Regulation is set to come into effect in May 2018 along with the GDPR

Main Differences Between GDPR and ePrivacy Regulations

Each regulation was drawn up to reflect a different segment of EU law. The GDPR was created to enshrine Article 8 of the European Charter of Human Rights in terms of protecting personal data, while the ePrivacy regulation was created to enshrine Article 7 of the charter in respect to a person’s private life. The private sphere of the end user is covered under the ePrivacy regulations, making it a requirement for a user’s privacy to be protected at every stage of every online interaction.

It is important to remember that the ePrivacy regulation was created to complement and particularize the GDPR, so the rules of the GDPR are always relevant and an overall part of the legislative aspects of the ePrivacy.

Sources and Further Reading

European Commission
The Parlex Group
Copyright © 2017 EMEA Power Transmission Distributors Association, All rights reserved.

Grensstraat 7, 1831 Diegem (Brussels), Belgium | +32 2 660 05 01 |

Want to change how you receive these emails?
You can
update your preferences or unsubscribe from this list