Explained: New ePrivacy Regulation

Ray Pinto

New rules on Data Protection may seem to be never ending. Below should provide some clarity in case you are wondering why after the creation of the General Data Protection Regulation (GDPR) the European Commission is again planning to release a new regulation in January, as part of its Data Package, entitled the ‘Privacy and Electronic Communications Regulation’ or ‘ePrivacy Regulation’ for short.

Actually it is not new but based on a directive created in 2002.  The Regulatory Fitness and Performance Programme (REFIT) launched by the Juncker Government to evaluate, reform and update old rules has assessed it is not fit for purpose in today’s new digital society.  Primarily because new ‘over-the-top’ (OTT) technologies, (i.e. WhatsApp, Skype, etc.) which run over the internet access service, are not seen to protect the confidentiality for users as outlined in the scope of the 2002 ePrivacy directive.

The European Commission, based on a draft document leaked to Politico, have reviewed possible options which range from far reaching enforcement to repealing the ePrivacy Directive. They have landed with a ‘measured reinforcement of privacy/confidentiality and simplification’.

What we can expect is primarily an extension or revising the scope over and beyond the 2002 ePrivacy directive to areas such as machine-to-machine data, spam, cookies, devices and browsers.

  • Extending the scope beyond OTT applications to also include machine-to-machine data as well as public hotspots. This is of particular consequence in the development of new areas such as connected cars or other examples of the Internet of Things where devices connected to the internet are speaking to each other. The ambition will be to prevent unlawful interception of communication data or trying to grab data to profile users without their consent (and yes there exists lawful interception of data in the EU please see an opinion by Fleishman here).
  • The 2002 ePrivacy directive (sometime labelled as the ‘cookie law’) fell short in the tracking of cookies and the banners required to obtain consent is now seen as ‘impairing the user’s browsing experience’. On that note FleishmanHillard released an interesting opinion on the shortcomings of the so-called cookie law process and how there was a risk of the same situation reappearing for the proposal on geo-blocking.
  • The regulation will encourage the setting of privacy rules during the ‘first use’ process (when you turn on a device for the first time).
  • Spam will also be included to address unwelcome communications through technologies such as SMS and Bluetooth. It even addresses voice-to-voice marketers who will be expected to display their company’s identity.
  • There is an effort for companies to produce browsers and terminal equipment (i.e. tablets, smartphone, etc.) to have user friendly settings where for example a user would have to actively select ‘tracking’ to confirm their agreement.

The European Commission does recognise that processing of data is useful to consumers to benefit from services that analyses traffic or to find nearby services.  It believes this regulation will not only protect fundamental rights but ensure the free movement of data. The regulation of course has a set of enforcement measures which similar to the GDPR mentions fines of up to €20m euro or 4% of worldwide revenues, whichever is higher.  The leaked draft also recognises that implementing the regulation will be heavy for browsers and apps putting in place privacy-by-design setting. It is foreseen there will be less costs for OTT communication services, web publishers and then direct marketers.

FleishmanHillard has a full service offering covering a wide range of Digital Single Market (DSM) and non DSM issues. Should you be interested to learn more or discuss please feel free to contact me.

Ray Pinto Senior Vice President

(+32 2) 230 05 45