Author: Yasmine Aquilina
Following a leak in early December, the European Commission has officially published its finalised proposal for new legislation which aims to strengthen privacy in electronic communications. The Regulation on Privacy and Electronic Communications (“Proposal”) aims to repeal the ePrivacy Directive. These rules will update existing laws and bring them in line with the new General Data Protection Regulation (“GDPR”), forming part of the Digital Single Market Strategy.
The Commission also put forward another proposal for a new set of rules which will ensure that personal data processed by EU institutions and bodies is regulated in the same way as under the GDPR in Member States.
The Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, said: “The European data protection legislation adopted last year sets high standards for the benefit of both EU citizens and companies. Today we are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide.”
The salient features of the Proposal are the following:
- Whereas the ePrivacy Directive is only applicable to telecoms operators, the new rules will also apply to other providers of electronic communications services which have become increasingly important in recent years, e.g. Facebook Messenger, WhatsApp, Skype, Gmail, iMessage and Viber.
- Since the Directive will be replaced with a Regulation, the upshot is that a single body of laws will become applicable across the board. This will help smooth the compliance process for businesses whilst also ensuring that EU citizens will enjoy the same rights in all Member States.
- Both content and metadata (i.e. recipient, time, location or duration of the communication) will need to be anonymised or deleted if the user has not given consent.
- If consent is given for the data to be used, telecoms operators will be able to use this data to provide additional services.
- The requirement for cookie consent will be streamlined. Users will have more control of their settings, and there will be no need to require consent for cookies that are not privacy-intrusive.
- Unsolicited electronic communication (spam) will be banned if sent without user consent.
- Enforcement of these rules will be the responsibility of the national Data Protection Authorities.
- As in the GDPR, failure to comply may lead to fines of up to €20,000,000, or 4% of a company’s annual GDP.
The European Consumer Organization (BEUC) pointed out two key elements that are found within the GDPR, but are lacking in the Proposal: privacy by design rules and a possibility for consumers to institute a group action. Although privacy by design was included in the leaked draft, it is now no longer part of the proposed legislation. It remains to be seen whether the Proposal will be amended to include a right for group action, as in the GDPR.
The Commission aims to have these rules adopted on the 25th May 2018, the very day on which the GDPR will be coming into force.