The new e-Privacy Regulation
by Michalis Fieros
Introduction
Over the past few years, the online environment has been evolving with tremendous speed. Internet users are at the epicentre of a continuous development and evolution. Apart from computers, all sorts of ‘smart’ devices which form part of our daily lives such as smart phones, TV sets and watches perform their various operations through their connection to the internet. Information which includes technical information, personal data and may also indicate personal preferences, is collected from such ‘smart’ devices, and shared with third parties for various purposes in processing operations which lack transparency.
The Current EU Regulatory Framework
Apart from the General Data Protection Regulation (GDPR), the protection of privacy in the sphere of electronic communications is currently regulated by the Privacy and Electronic Communications Directive (PECD) (also known as the ‘‘Cookie Directive’’), a Directive which entered into force in 2002.
The new e-Privacy Regulation
The EU’s initial aim was to enact the GDPR along with the new e-Privacy Regulation, which would repeal the PECD and reinforce trust and security within the EU digital market. Unfortunately, unlike the GDPR, the new e-Privacy Regulation is not yet finalized; however, indicative draft proposals are available.
The European Commission approved a first draft of the e-Privacy Regulation in January 2017, and this draft is still under discussion. Despite not having a final text yet, the numerous drafts contain important elements which give us some indications of the direction that the upcoming regulatory framework is taking.
Territorial Scope
The territorial scope of the latest draft mirrors the respective provisions of the GDPR. Under the latest draft (January 2021), the territorial scope of the e-Privacy Regulation is extended to entities located outside the European Union when dealing with end-users located within the EU.
Scope of Regulation
According to the latest draft, the e-Privacy Regulation applies to:
- processing of electronic communications content and electronic communications metadata during the provision of electronic communications services;
- the end-user’s terminal equipment information;
- direct marketing communications to end-users;
- provision of publicly accessible directories of users of electronic communications.
Consent
Under the available drafts, the elements of a valid consent under the GDPR are retained (informed, specific and freely given); however, a provision is included which allows for such a consent to be expressed via “appropriate technical settings”.
Apart from consent, under the latest draft the collection of information from an end-user’s terminal equipment is permissible where it is necessary:
- for carrying out the transmission of an electronic communication over an electronic communications network;
- for providing a service specifically requested by the end-user;
- for web audience measurement;
- for purposes of software updates, security, fraud prevention, the detection of technical faults as well as the location of technical equipment in cases of emergency .
Remedies and Administrative Fines
As in the case of the territorial scope, the latest draft of the upcoming e-Privacy Regulation mirrors the penalty regime of the GDPR. Organizations violating the e-Privacy Regulation may be handed down administrative fines of up to €20 million or 4% of their annual global turnover.
Persons who suffer “material or non-material damage” due to infringements of the e-Privacy Regulation will have the right to receive compensation from the infringer.
Lastly, natural or legal persons other than end-users adversely affected by violations of the e-Privacy Regulation shall have the right to bring legal proceedings in respect of such infringements.
Conclusion
We look forward to the finalised version of the text, so as to be able to advise clients on compliance.
NOTE: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act on the basis of any content included in this article without seeking legal advice.