The European Commission has proposed a new Regulation on Privacy and Electronic Communications (dated January 10, 2017, COM (2017) 10 final) (“Draft ePrivacy Regulation”) that is intended to supplement the General Data Protection Regulation (“GDPR”) with the same effective date as the GDPR (May 25, 2018).
While some of the provisions are already known from the ePrivacy Directive, other parts of the Draft ePrivacy Regulation contain significant changes:
The Draft ePrivacy Regulation has a much broader scope than its predecessor and applies to:
- the processing of electronic communications data carried out in connection with the provision and the use of electronic communications services. Electronic communications data means content data exchanged by means of electronic communications services, such as text, voice, video, images and sound. It also means electronic communications metadata processed for the purposes of transmitting, distributing or exchanging such content (e.g. location data on the equipment used, generated in the context of providing electronic communications services, and the date, time, duration and type of communication).
- information related to terminal equipment of end-users which means virtually any kind of information related to devices that can be used for electronic communication by sending, processing or receiving information.
Electronic communications data (content data and metadata)
The Draft ePrivacy Regulation fosters the confidentiality of electronic communications data. At the same time, it aims to broaden the possibilities for electronic communications service providers to process electronic communications data on the basis of end-user consent.
Still, little room remains for processing electronic communications data on the basis of consent. With regard to metadata, consent can only serve as a basis for processing if it is given for one or more specified purposes and the purpose(s) concerned could not be fulfilled by processing anonymized information. Similarly strict requirements apply to the processing of electronic communications content, which is only permitted on the basis of consent. This consent must be:
- either given specifically for the sole purpose of providing a specific service to an end-user, where that service cannot be provided without processing such content; or
- given by all end-users concerned for the processing of their electronic communications content for one or more specified purposes, where those purpose(s) cannot be fulfilled by processing anonymized information. In this case, consulting the supervisory authority is an additional requirement.
Direct marketing activities
The rules concerning direct marketing carried out by means of electronic communications services, including voice-to-voice calls and electronic mail, will not change the basic consent requirement already set out by the ePrivacy Directive. Due to the broad definitions of electronic communications services and electronic mail, the consent requirement applies not only to SMS and email but to essentially all kinds of messaging functions (e.g. those contained in applications or internet portals) and messages, including those containing text, voice, video, sound or images.
Using electronic mail for direct marketing of own similar products or services will still be permitted, provided the “electronic contact details” have been obtained from a customer in the context of the sale of a product and the customer is clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection and each time a message is sent.
Like the ePrivacy Directive, the Draft ePrivacy Regulation gives EU Member States the possibility to permit voice-to-voice call marketing on an opt-out basis.
The new provision on information related to terminal equipment clearly and specifically aims at limiting access to terminal equipment for device fingerprinting and similar activities. The Draft ePrivacy Regulation provides for only three exceptions from the obligation to obtain consent, each involving very limited or no intrusion into privacy. The exceptions apply if the relevant activity is necessary for
- the sole purpose of carrying out the transmission of an electronic communication (in particular, the transfer of an electronic message),
- providing an information society service requested by the end-user (e.g. session cookies for shopping cart functions in online shops or for keeping track of online form input), or
- web audience measurement (e.g. measuring web traffic), but only if such measurement is carried out by the provider of the information society service requested by the end-user (i.e. not by a third party).
The Draft ePrivacy Regulation clarifies that consent can be expressed by using appropriate technical settings of a software application enabling access to the internet. In particular, this means that web browser settings can be used to express consent.
Privacy by design and default obligations for internet browsers and other software permitting electronic communications
In this context, the Draft ePrivacy Regulation imposes new privacy by design and default obligations on providers of software permitting electronic communications, aimed particularly at providers of internet browsers and similar software. The software must offer the option to prevent third parties from storing cookies or other information on the end-user's equipment or from processing information already stored there. The software must be designed so that, upon installation, it informs the end-user about its privacy setting options and requires the end-user to consent to a setting before the installation can continue. The recitals of the Draft ePrivacy Regulation clarify that in this situation users should be offered a set of privacy setting options, ranging from higher (e.g. “never accept cookies”) to intermediate (e.g. “reject third party cookies” or “only accept first party cookies”) and lower (e.g. “always accept cookies”). For software already installed before the effective date of the ePrivacy Regulation, these requirements apply from the time of the first update of the software, but no later than August 25, 2018.
The Draft ePrivacy Regulation contains strict limitations on the collection of information emitted by electronic communications equipment that can be used for device tracking. Equipment connecting to electronic communications networks emits certain sets of information to enable it to connect to another device and/or to network equipment (e.g. to connect to a wireless local area network, “WLAN”). This includes identifiers such as MAC addresses or the IMEI. The collection of such information will be permitted in two cases only:
- if it is done exclusively in order to and for the time necessary to establish a connection (e.g. connection to a WLAN); or
- if a clear and prominent notice is displayed informing end-users of, at least, the modalities of the collection, its purpose, the person responsible for it and certain other information required under the GDPR, as well as any measure the end-user can take to stop or minimize the collection. This second alternative is aimed at businesses that track customers based on information received from user equipment, for instance tracking a customer's movements within a shop based on information received from the customer's smartphone via WLAN routers operated by the shop.
Liability and penalties
The Draft ePrivacy Regulation stipulates fines aligned with those contained in the GDPR. Depending on the kind of infringement, the supervisory authorities are entitled to impose fines of up to EUR 10,000,000 or EUR 20,000,000, or in the case of an undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Furthermore, end-users are given the right to claim compensation from the infringer for material or non-material damage suffered as a result of infringements of the Draft ePrivacy Regulation. It will be difficult for the infringer to avoid liability, as the infringer will have to prove that it is not in any way responsible for the event that caused the damage.