The modernization of the data protection framework: the new e-privacy regulation
17 September 2017
by Jana Beyens
On January 10, 2017, the European Commission presented its draft regulation for the adoption of its new legal framework on e-Privacy, intended to replace the current e-Privacy Directive 2002/58/EC. The revision of the e-Privacy Directive into a regulation follows the approval of the General Data Protection Regulation (“GDPR”) aimed to create a harmonized digital single market in the EU, by obliging all Member States to implement the same set of rules in their national legislation. The entry into force of the e-Privacy Regulation is scheduled for May 2018.
The new e-Privacy Regulation shall be closely lined to the GDPR. Whereas the GDPR shall be applicable to electronic communications to ensure the protection of personal data, the new e-Privacy Regulation shall aim to ensure the confidentiality of such communications, which may also include non-personal data and data related to a legal entity.
In this blog post, we provide a high-level overview of the most important and interesting changes set out in the current proposal, in comparison to the existing e-Privacy Directive.
- First of all, the e-Privacy Regulation broadens the scope of application to all providers of electronic communications services, including Over The Top (OTT) content providers, such as Voice over IP, text message and e-mail providers, which shall include providers such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber. This extension of the scope seeks to exclude any self-regulation by the industry regarding confidentiality of communications and aims at guaranteeing the same level of confidentiality of communications as traditional telecoms operators.
- Furthermore, the proposal seeks to optimize the regulations on the management of internet cookies, and to get rid of bothersome banners asking for consent to use such cookies. Research revealed that end-users usually accept cookies without even understanding their meaning, and in some cases, are even exposed to cookies being set without their consent. The cookie consent rule is over-inclusive, as it also includes non-privacy intrusive practices for which consent is unnecessary. However, it is also under-inclusive, as it does not explicitly include certain tracking techniques which may not entail access or storage in the device, and wherefore consent normally is required. Therefore, the proposal seeks to expand the exceptions to the cookie consent rule, for example consent shall no longer be required for non-privacy intrusive cookies improving internet experience, or for cookies used by a website to count the number of visitors. It intends to be more user-friendly as browser settings will need to provide for an easy way to accept or refuse tracking cookies and other identifiers.
- Thirdly, the proposal includes the protection of end-users against any spam and aims at banning any unsolicited communications, whether using email, SMS, MMS, or automated calling and communications systems. The proposal foresees the possibility for end-users to subscribe to a ‘do not call’-list free of charge to limit the reception of unwanted calls, and includes, amongst others, the obligation for marketing callers to display their phone number and use a special pre-fix indicating that the call is a marketing call.
- Finally, to ensure the enforcement of the new e-Privacy Regulation, the proposal explicitly refers to the independent supervisory authorities already competent to enforce the GDPR, who shall become competent to impose fines in the event of an infringement of the e-Privacy Regulation. In Belgium, this independent supervisory authority shall be the Privacy Commission, whose competences shall be broadened.
Although all these changes surely sound promising, they are still subject to approval by the EU Commission and Parliament. We definitely look forward to the final e-Privacy Regulation and follow up closely on any evolutions in this regard.