It is fair to say the European data protection and privacy framework is currently undergoing a full overhaul.
The European General Data Protection Regulation ("GDPR") and the current proposed reforms to the e-privacy regime have been firmly in the spotlight - with both initiatives supporting the European Commission's Digital Single Market Strategy for "reinforcing trust and security in digital services and in the handling of personal data".
The GDPR entered into force in May 2016, with a two-year implementation period before it applies from 25 May 2018. However, the scrutiny and debate are set to continue, with the Commission's long-awaited first draft of the ePrivacy Regulation (the "Draft Regulation") published earlier this year. The Draft Regulation is expected to replace the existing Privacy and Electronic Communications Directive (the "ePrivacy Directive") – focusing on the processing of personal data and the protection of privacy in electronic communications (compared with the more general application of the GDPR to the processing of personal data). Among other areas, it covers direct marketing, cookies and other forms of online tracking.
The proposal principally seeks to:
In this article we take a look at some of the main features of the Draft Regulation at this early stage of the European legislative process and the potential impact on organisations in the technology, media and telecoms sectors – in particular whether the draft proposal addresses the balance between improving rights to privacy and being sufficiently practical and consumer and business friendly for today's digital age.
With a far broader scope than its predecessor, enhanced privacy measures, an increased risk exposure for non-compliance due to far higher monetary sanctions for certain breaches and an ambitious timetable to apply from 25 May 2018 to align with the GDPR, one thing is for sure - compliance, marketing and advertising teams across an equally broad spectrum of international service providers will be closely following the evolving e-privacy reform alongside their existing compliance programmes.
A reform of the e-privacy and electronic communications regime has been long overdue. First established back in 2002 under the ePrivacy Directive and implemented in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), it was last reviewed in 2009 to provide clearer rules on customers' rights to privacy and new requirements regarding personal data breaches and cookies. As part of its Digital Single Market Strategy, the Commission launched a public consultation on the ePrivacy Directive in April 2016 (the "2016 Consultation"), attracting responses from 421 stakeholders from a cross-section of citizens, consumer and civil society associations, industry and public authorities. Whilst the results of the consultation highlighted that individuals consistently requested that their communications remain confidential with strong protection measures in place, there were more mixed views from industry and public authorities. In particular, industry responses requested rules that would not "stifle new opportunities related to use of data". The results of the 2016 Consultation fed into the Commission's review of the existing e-privacy regime and its preparation of the Draft Regulation.
The proposal builds on the existing e-privacy framework, with some of the rules remaining broadly the same (e.g. in respect of direct marketing consents). Much of the proposal is in line with the Commission's approach to the GDPR, so it comes as no surprise. Some of the main features of the Draft Regulation are set out below.
1. Scope: A number of proposed changes mean that many organisations and services which were not caught by the ePrivacy Directive will now need to comply with the regime. Organisations or services already subject to the regime will also need to revisit their own compliance procedures in light of the broader application of the rules:
2. Processing content and metadata: The proposal includes new rules relating to the confidentiality and processing of electronic communications data, as well as the storage and erasure of that data.
3. Cookies: Cookies and other tracking technologies (e.g. fingerprinting and spyware) have been incredibly useful tools for service providers. Designed to recognise a user's device and track the user's navigation of, for example, a website, commercial uses have been wide-ranging, such as allowing websites to improve their services through data analytics and tailoring the user experience - without requiring the user to login on each visit to that website. The rules relating to those technologies have, however, been the cause of much criticism since their inception in 2009 - with many consumers and businesses alike claiming that the related consent requirements are excessive and to the detriment of the user experience. A Commission representative has even admitted "we have tried to overcome banner-fatigue" with the Draft Regulation. It is therefore unsurprising that the proposal seeks to simplify the existing provisions relating to cookies and, at least theoretically, make them more user-friendly.
4. Direct marketing: Direct marketing can be an effective tool to market and advertise to identifiable end-users. The regime (and consent requirements) remains materially the same as under the ePrivacy Directive with some additional requirements:
5. Sanctions and enforcement: The existing enforcement action available to the ICO for breach of PECR includes criminal prosecution, non-criminal enforcement and audit - these powers are not mutually exclusive. The ICO can also impose a monetary penalty notice of up to £500,000, which pales into insignificance beside the regime envisaged under the Draft Regulation - a tiered approach to fines aligned with that of the GDPR.
As with the GDPR, the reform takes the form of a regulation (rather than a directive) in an effort to harmonise the new electronic communications privacy framework - it will be directly applicable in all EU Member States. This also seeks to address other policy issues with the existing framework around fragmentation at the national level and inconsistent enforcement. It could also simplify and lower the costs of compliance for international businesses with a cross-border EU footprint – complying with one set of e-privacy rules.
However, if the timeframe for the new e-privacy regulation coming into force remains as currently expected (i.e. before the UK leaves the EU), the existing PECR are likely to be repealed, at least in part, in anticipation of the new regime. This means that a UK exit from the EU after May 2018 would leave the UK having to take steps to adopt new e-privacy legislation when the new e-privacy regulation falls away on exit.
That aside, the extra-territorial scope of the Draft Regulation and the commercial practicality of compliance across an EU footprint, mean that in reality organisations are likely to have to comply with the new e-privacy regulation regardless of whether located in the EU or not and the UK is unlikely to want to stray far from the principles set out in any such legislation. Brexit may, however, impact the ICO's enforcement role but this will depend in part on the UK's future relationship with the EU.
Given the breadth of stakeholders with an interest in the e-privacy reform and the divided opinion flowing from the 2016 Consultation, the Commission clearly had a difficult task juggling, and seeking to satisfy, those interests, alongside its targeted initiative under the Digital Single Market Strategy.
As to whether the Draft Regulation strikes that balance, there are certainly a number of good intentions. For example, traditional telecoms providers in particular will welcome the expansion of opportunities to use electronic communications data in developing new products and services; e-commerce businesses and consumers alike will, no doubt, support the simplified, more streamlined approach to cookies and other tracking technologies, as well as the consistency of an approach aligned with the new GDPR regime.
However, it remains to be seen whether those good intentions will materialise in practice, or instead disadvantage other parts of the ecosystem – as highlighted by, for example, the potentially detrimental effect on third-party online targeted advertisers of the proposed centralised consent regime based on browser settings (see "Cookies" above), and the risk that such a consent regime neutralises the intended improvement to the end-user journey in those circumstances.
As with most things, the devil is likely to be in the detail – for example whether the Draft Regulation truly aligns with the GDPR or whether it leads to confusion and sets up a "double regulatory regime" instead, as recently suggested by representatives of the telecommunications industry. From a UK perspective, it is also not yet clear how the Draft Regulation will interact with existing national initiatives on e-privacy, for example, the ePrivacy Direct Marketing Code forming part of the draft Digital Economy Bill and due to receive Royal Assent in spring 2017. In addition, some civil rights organisations have already commented that the proposal still requires more significant improvement to truly promote trust, privacy and innovation.
The Article 29 Working Party (made up of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor (the "EDPS") and the Commission) is expected to provide its opinion on the proposal during the course of 2017, with the EDPS listing the review as one of its strategic priorities for the year. The opinion will be reviewed with much interest across the board.
Only time will tell whether the Commission has also adequately been able to future-proof this new e-privacy regime, particularly as the reform of the telecoms regulatory framework (and related concepts under that regime) unfold in parallel.
At this early stage, the Draft Regulation is just that, a draft proposal. However, it is worth re-iterating that the proposal provides for the regulation to apply from 25 May 2018, along with the GDPR. Given the many European legislative obstacles in place before it is approved (by the European Parliament and the Council of the EU) and the likely potential for criticism from a full spectrum of European institutions and stakeholders - not least given the far wider remit of the new rules - arguably a considered debate may be difficult in the challenging time frame proposed.
It is therefore too early to fully assess the impact of the proposal on organisations at this stage. However, given the proposed timing and high monetary sanctions deterring non-compliance, compliance teams ought to consider whether the broader scope of the proposed new privacy rules could apply to their business and closely follow the evolving e-privacy reform alongside their existing compliance programmes - particularly for organisations or electronic communications services that were not previously caught by the ePrivacy Directive (such as over-the-top service providers). Affected organisations should also build e-privacy concerns into any GDPR readiness programme they are currently undertaking, given the interplay between the two pieces of legislation.
Whatever the trajectory of the current Draft Regulation, if the timing remains as currently anticipated, the run up to May 2018 is set to be a very busy period for many organisations, with preparations for the full trio of e-privacy, data protection and potentially cyber security regime compliance - the Network and Information Security Directive is also due to apply to certain "operators of essential services" and certain "digital service providers" from May 2018.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024