The EU aligns its new ePrivacy Regulation to the GDPR
In January 2017, a new ePrivacy Regulation meant to repeal Directive 2002/58/EC was proposed by the European Commission and published on its website. Concerning the respect for private life and the protection of personal data in electronic communications, the regulation is part of the Digital Single Market strategy and is meant to bring the ePrivacy Regulation in line with the General Data Protection Regulation (GDPR) coming into force in May 2018.
Directive 2002/58/EC previously covered the area of personal data processing and the protection of privacy in the electronic communications sector, but with the GDPR bringing requirements up to present day standards, the ePrivacy Directive needed to receive a similar upgrade that would help complement the GDPR, in the same way it was previously aligned to the Directive 95/46/EC. The two regulations are tightly interconnected with the ePrivacy Directive clarifying and closely adhering to the GDPR.
Proposed updates to the ePrivacy Regulation
The main objectives of the review were to ensure stronger privacy in electronic communications, define clearer rules for tracking technologies such as cookies and harmonize policies across the Member States.
An interesting development is that while the previous ePrivacy Directive applied only to telecom operators, the new one will also include providers of electronic communications services such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber.
Consent requests for cookies will be streamlined, giving users more control of their settings which will make it easier for them to accept or refuse the tracking of cookies and other identifiers. Under the new regulation, no consent will be required for non-privacy intrusive cookies meant to improve internet experience or count the number of visitors to a website.
Privacy is guaranteed for both content and metadata derived from electronic communications. If the user has not given his consent, this data will have to be anonymized or deleted unless it is needed for billing purposes. Once consent is given however, traditional telecom operators will have more opportunities to use data to provide additional services.
The regulation also takes a stand against spam, banning unsolicited electronic communications by any means whether by email, SMS or phone if consent is not given.
It also promises more effective enforcement of its provisions through national data protection agencies and facilitation of international data transfers and law enforcement cooperation. The European Commission will engage proactively in reaching adequacy decisions concerning third party countries, especially key trading partners of the EU in the East and South-East Asia, but also other interested countries in Europe and Latin America.
The Report on the ePrivacy Regulation Proposal
The ePrivacy Regulation proposal is currently under review by the European Parliament. Rapporteur Marju Lauristin, Estonian MEP with the S&D Group, presented a draft report to the Civil Liberties Committee in June 2017, which was voted and passed on 19 October 2017.
The report brought a series of amendments and additions to the e-Privacy Regulation proposal, aimed at aligning its requirements with the provisions of the GDPR, but also to ensure a higher level of protection for personal data during processing.
The changes proposed in the report include the need for additional consent for any new data processing operations, even for those cases where the initial interference was allowed under exceptions listed under article 6 of the GDPR. A new point concerning end-to-end encryption was added that stipulates that such encryption should be used to ensure the security and integrity of the network and services, falling under the umbrella of security and privacy by design. It also mentions that the security provided by such solutions should not be weakened by the creation or facilitation of backdoors.
The amendments also clarify the guidelines in case of employment relationships, prohibiting the use of endpoints’ processing and storage capabilities and collection of information by anyone other than the user concerned, except when necessary in the completion of an employee’s task. It also reinforces the necessity for the implementation of company-wide technical and organizational measures to ensure a level of security appropriate to the risks.
Now that the amendments have been approved by the European Parliament, the next step for the ePrivacy Regulation is to head into the Trialogue stage where the European Commission will mediate any standing points between the European Parliament and the Council. Upon the conclusion of this stage, the proposal will move on to the plenary vote where, if the regulation is passed, it will be adopted.
The new ePrivacy Directive proposal shows the EU’s full commitment to the GDPR and its attempts to bring current legislation up to speed so that at the time of the GDPR’s implementation, they will all be in line and provide an easier framework for companies to follow.
You might also find interesting our: GDPR Infographic – Checklist and essentials