Developed by Venable LLP
The ePrivacy Directive (“Directive”), first implemented in 2002, is currently the European Union’s (“EU”) controlling authority on privacy rights applied to electronic communications technology and content. Following the adoption of the General Data Protection Regulation (“GDPR”) in 2016, the European Commission determined that the Directive must be revised to: (1) comply with and particularize the GDPR; and (2) address the technological innovations created since the Directive’s last amendment in 2009. On January 10, 2017, the European Commission released the text of its proposed update to the Directive, a draft regulation titled “Regulation on Privacy and Electronic Communications” (“Regulation”). Because the Commission proposed a Regulation instead of a Directive, the Regulation would be effective in all EU Member States upon finalization; it would not require separate, country-specific implementing legislation. The Regulation could impact the manner in which online publishers electronically interact with EU citizens, including possible impacts to how publishers track users, collect data stored in users’ devices, and engage in direct marketing.
Summary of the ePrivacy Regulation
The Regulation is purposefully broad, applying to any provider of electronic communications services (“ECS”) or to any entity that processes electronic communications data.
- ECS includes voice telephony, SMS, email, internet access services, services consisting wholly or in part in the conveyance of signals (e.g., radio), VoIP, messaging services including services where the messaging function is ancillary (such as dating apps or video game services), web based email, connected devices (e.g., Internet of Things devices), and public and semi-private wifi “hotspots.”
- Entities that process electronic communications data now include telecoms, providers of publicly available directories, software providers permitting electronic communications, including the presentation and retrieval of online information, and natural and legal persons who use ECS to send direct marketing communications or collect information from or stored in end users’ terminal equipment.
- Electronic communications data includes any information regarding content transmitted or exchanged, as well as information concerning the end-user of an ECS processed for the purpose of transmitting, distributing, or enabling the exchange of content, i.e., metadata.
The Regulation applies to data processed in connection with ECS in the EU, regardless of whether the data is processed in the EU or elsewhere. It also applies to data associated with electronic communications sent from outside the EU to users in the EU.
I. Internet Communications
Electronic communications data is considered confidential under the Regulation. The Regulation prohibits a third party from interfering with data, including the storing, monitoring, or processing of the data, unless permitted under Regulation provisions or if the user consents.
The Regulation follows the consent provisions of the GDPR by requiring a clear, affirmative action, but provides additional, expanded provisions for obtaining consent to place cookies or other tracking technologies on users. Unlike the current Directive, which requires users to provide consent for cookies and similar technologies on each website the user visits, the Regulation proposes that users provide consent through browser settings, acknowledging that users are currently “overloaded” with requests to provide consent. The Regulation states that the browser should provide users with a range of privacy settings, from higher settings, rejecting all cookies, to lower settings, accepting all cookies. The Regulation provides that browsers must obtain a clear, affirmative action from the user to obtain consent, and should remind users of their ability to alter privacy settings at any time. The Regulation also notes that software providers that allow electronic communications should inform users on privacy settings at the time of installation and require that users consent in order to continue with the installation.
II. Phone Communications
The Regulation also addresses telephonic communications. Specifically, the Regulation states that providers of telephonic communications must allow the calling entity to hide its identity from the called party, and permit the called party to reject calls from unidentified lines. The Regulation also notes that the called party has the right to prevent the calling party from identifying the line to which it is connected. Additionally, the Regulation recommends that providers of these telephonic communications permit users to block anonymized, fraudulent, or nuisance calls free of charge, and inform consumers of this technology.
Providers of publicly available directories must obtain users’ consent before including users’ information in the directory. According to the Regulation, users also must consent to the type of information included in the directory. Prior to including users in the directory, public directory providers must inform users of the purposes of the directory and the search capabilities of the directory.
III. Unsolicited Direct Marketing Communications
The Regulation defines direct marketing communications as any form of advertising, written or oral, sent to one or more identified or identifiable end users of ECS, including using automated calling and communication systems with or without human interaction, email, and SMS. The Regulation requires marketers to obtain users’ consent prior to sending unsolicited marketing communications, to inform persons of the marketing nature of the communication and the identity of the marketer, and to provide information about how recipients may withdraw their consent. For direct marketing calls, the caller must disclose a number at which it can be contacted or present a specific code or prefix that indicates it is a marketing call. The Regulation notes that if a marketer obtains users’ data through a previous sale or transaction, the marketer does not need prior consent to market similar products or services; however, it must provide the opportunity to opt-out of the marketing communications.
IV. Liability and Penalties
The Regulation permits users to bring suit against any entity that violates the Regulation’s provisions. Users may sue for both material and non-material damages. Data protection authorities also have the right to impose monetary penalties for violations of the Regulation. Administrative penalties for violations of the Regulation will correspond with those laid out in the GDPR, ranging from up to 10m Euro or 2% of worldwide annual turnover to up to 20m Euro or 4% of worldwide turnover, depending on the type of violation.
Next Steps for the ePrivacy Regulation
The Regulation notes that it will take effect on May 25, 2018, but the Regulation must be approved by the European Parliament and European Council prior to taking effect. These governing bodies have the ability to negotiate and make changes to the draft. The Regulation is on an aggressive timetable, as the intent is for it to become effective at the same time as the GDPR.