On January 10, 2017, the EU Commission published its latest draft of the new e-Privacy Regulation on Privacy and Electronic Communications (the document is available here). The following shall give a brief overview of the most important aspects in the new proposal.
The new Regulation is intended to replace the existing rulings of the e-Privacy Directive 2002/58 (e-Privacy Directive), in part also known as "Cookie Directive". In this respect, the current provisions of the e-Privacy Directive are classified by the EU Commission as no longer fit for purpose, due to continuous technical and economic progress, in particular the spread of new Internet-based services. Besides, the new provisions of the e-Privacy Regulation are intended to supplement the new General Data Protection Regulation (GDPR). The draft of the e-Privacy Regulation is currently the subject of detailed discussion by the European Parliament and the Council of the European Union. The aim is to adopt the draft soon and for it to come into effect on May 25, 2018, parallel to the GDPR.
Extended area of application
The first significant change under the new proposal concerns the area of application of the e-Privacy Regulation. It now covers all electronic communication services, irrespective of whether the user is required to pay a fee or not. Pursuant to the recitals, in particular new Internet-based communication services are also to be covered. Examples explicitly named in the e-Privacy Regulation include voice-over IP, Internet messaging and web-email services. In this regard, the draft of the e-Privacy Regulation also explicitly mentions communication services offered as an addition to an existing (main) service, for example messenger services offered by social networks (see Recital 2). As a result, the area of application of the new e-Privacy Regulation will be significantly extended compared to the existing rulings. Services such as Gmail, Skype, iMessage or Whatsapp - but also Facebook Messenger - will therefore fall under the new e-Privacy Regulation in future in the same way as traditional communication services, and thus, will be obliged to comply with the special requirements of the e-Privacy Regulation.
Relationship to the GDPR
From a content perspective, the new e-Privacy Regulation will protect on the one hand electronic communications data, processed in the context of the provision and use of electronic communication services. This will include both electronic communications content (such as pictures, texts and videos) as well as electronic communications metadata, arising in the context of the use of electronic communication services. At the same time, information related to the users' end-devices, so-called terminal equipment (e.g. smartphones, tablets), will also be covered (for example location data and identification features of a device). It should be noted that the current draft of the e-Privacy Regulation covers all communication data and information of users' terminal equipment, irrespective of whether these information constitute personal data or not. The area of application of the e-Privacy Regulation thus covers a more extensive scope of application than the GDPR. Where personal data is collected, the planned e-Privacy Regulation shall take express priority over the GDPR. Nevertheless, the provisions of the GDPR shall apply in extension.
Increased requirement for consent and interrelationship with the rulings of the GDPR
With regard to the processing and use of electronic communications data and users' terminal equipment information, the current draft of the e-Privacy Regulation lays down a general prohibition of such processing and use, however, it also includes several statutory permissions. Most often, such permission requires under the new e-Privacy Regulation the consent of the respective user. In addition however, the current draft of the Regulation also includes further statutory permissions, depending on the form of data covered by the processing. With regard to the definition and conditions for consent as well as revocation thereof the e-Privacy Regulation refers to the provisions of the GDPR. This will create a harmonizing regulatory framework between both Regulations. Leading on from this, other provisions of the draft of the e-Privacy Regulation also refer to several provisions of the GDPR, for example the obligation to provide appropriate technical and organizational measures to ensure a level of data security pursuant to Art. 32 GDPR when collecting terminal equipment information for the purpose of establishing a connection, see Art. 8 Subsection 2 (b) of the e-Privacy Regulation.
The draft of the e-Privacy Regulation also contains rulings on unsolicited communications for the purpose of direct marketing. In general, direct marketing is still subject to consent as in the current e-Privacy Direction, unless the service provider has obtained the user's respective electronic contact data in the context of a sale or service. In this case, there is a mechanism in favor of the users to opt-out such direct marketing communications. In this respect, the provisions of the new e-Privacy Regulation correlate with the previous provisions of the e-Privacy Directive that have been implemented through Section 7 Subsection 3 UWG (German Law on Unfair Competition). A new aspect however is that the regulations on direct marketing now covers all forms of advertising communications, and are no longer restricted to communications with the help of automated calling devices, fax machines or electronic post, as this was the case under the previous regulations of the e-Privacy Directive. It is therefore clear that new forms of communication, such as push notifications, etc. will also require consent if they are used for the purpose of direct marketing. By contrast, under the current draft of the e-Privacy Regulation, telephone calls for direct marketing purposes no longer require consent, but rather are the subject of an opt-out mechanism by the users. These must therefore object to direct marketing by telephone.
Sanctions and possibility of legal protection
The current proposal of the e-Privacy Regulation provides for various possibilities of legal protection and sanctions in the event of violating the rulings of the e-Privacy Regulation. For example, users are entitled to lodge a complaint with the responsible supervisory authority and to take judicial action. Furthermore, users have the power to assert claims for compensation against the service provider. In this respect, the e-Privacy Regulation refers explicitly to Articles 77, 78, 79 and 82 of the GDPR. The supervisory authorities are entitled to impose administrative fines. The level of these fines correlates to the regulations in the GDPR. Depending on the form of violation, fines of up to 10,000,000 or 20,000,000 EUR are conceivable – in case of an undertaking also up to 2% or 4% of the total worldwide annual turnover of the preceding financial year.
The latest draft of the new e-Privacy Regulation includes a number of new significant provisions. If the new Regulation is adopted by the European Parliament and the Council as intended, this will create new challenges not only for the German lawmakers who, in similar manner to the situation with the GDPR, will have to check the effects of the rulings of the e-Privacy Regulation on existing national laws and make amendments if necessary, but also for the service providers who will then also have to implement the new provisions and requirements stipulated by the e-Privacy Regulation in their business processes, in addition to implementing the requirements of the GDPR. This applies in particular to providers of Internet-based communication services that will now fall within the area of application of the new Regulation.