knowledge | 8 February 2017 |

A Decent Proposal? New EU E-Privacy Rules Proposed

A proposal for an EU Regulation which will update and expand existing rules on privacy in electronic communications, the use of cookies and direct marketing communications has recently been published.

The stated aims of the proposed EU Regulation (the “Proposed E-Privacy Regulation”) include a simplification and clarification of the regulatory environment applicable to electronic communications services, a reduction in the discretion afforded to Member States in how the EU e-privacy rules can be implemented under local law, repeal of existing provisions which have become outdated and a broadening of the exceptions to the consent rule. The proposal, to which the text of the Proposed E-Privacy Regulation is annexed, is available here.

Headline Changes

The Proposed E-Privacy Regulation, if passed, will repeal the existing E-Privacy Directive (2002/58/EC) and will introduce a number of changes to the existing EU e-privacy regime, including:

  • the extension of the territorial reach of the e-privacy regime to entities established outside of the EU, where such entities provide electronic communications services to end users located within the EU;
  • an updated concept of “electronic communications services” which will include, for the first time, “over-the-top” electronic communications services (such as VOIP services (eg Skype) and instant messaging applications (eg WhatsApp, etc)) which are functionally equivalent to traditional electronic communications services within the scope of the EU rules on e-privacy;
  • updated obligations on electronic communications service providers with respect to the storage and erasure of the content and metadata of electronic communications;
  • updated rules on cookies, including:
    • provisions dispensing with the consent requirement for cookies which are (i) necessary for the purposes of transmitting communications, (ii) necessary for providing an information society service requested by an end user or (iii) necessary for web audience measuring purposes (ie web analytics); and
    • a provision that would allow the consent of an end user to the use of cookies on his or her terminal equipment to be provided through the use of appropriate settings on internet browsers;
  • an enhancement of the rules which protect individuals against unsolicited communications sent via electronic communications services; and
  • a closer alignment with the general data protection regime (as set out in the General Data Protection Regulation) from an enforcement, supervision and consistency perspective. This would include exposure, in most cases where obligations under the Proposed E-Privacy Regulation are breached, to administrative fines of up to €20,000,000 or 4% of worldwide turnover.

Ambitious Timeline

The form of the Proposed E-Privacy Regulation, as published, suggests that it shall become applicable from 25 May 2018, the same date as that on which the General Data Protection Regulation will become applicable. This is quite an ambitious timeline as it leaves just 16 months for the text of the Proposed E-Privacy Regulation (and the European Electronic Communications Code on which many of the key definitions in the Proposed E-Privacy Regulation depend) to be finalised and for Member States to introduce implementing measures into national law.

As a result, there is likely to be quite a short lead time between the finalisation of the Proposed E-Privacy Regulation and national implementing measures and the entry into force of the new rules. This short lead time will pose challenges for affected businesses who may need to update their practices with respect to cookies, marketing communications and electronic communications services to ensure ‘day one’ compliance with the new regime in the small window that is likely to be available between the finalisation of the new regime and its entry into force. Therefore, we would recommend that businesses should continue to closely monitor developments in relation to the Proposed E-Privacy Regulation, at both EU and individual Member State levels.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.
