This blog post is written by Erik Myrberg, lawyer at Synch.
The proposed EU Regulation on Privacy and Electronic Communications (the “Regulation”) will replace the 2002 e-Privacy Directive (the “Directive”) and each member state’s national implementation thereof. The Regulation was proposed in January 2017 by the European Commission with the intention that it would enter into force at the same time as the GDPR on 25 May 2018. However, due to several delays, the final form of the Regulation has yet to be agreed and it remains to be seen when the Regulation will be fully applicable in the EU.
While the Directive has resulted in uncertainty as to whether over-the-top (“OTT”) services and electronic communications data transmitted in such services fall within the scope of the Directive, the Regulation sets out to cover not only traditional telecommunications services but also services such as Voice over IP, messaging services and web-based e-mail services. Furthermore, electronic communications data transmitted solely between machines via electronic communication networks (for example IoT-devices) are suggested to fall within the scope of the Regulation as well.
Instead of having end users deal with consent requests on almost every site they visit, the Regulation sets out to simplify the use of cookies by allowing end users to express their consent through the settings of a web browser or other application. Also, in comparison to the Directive, the Regulation provides for a larger number of exceptions under which cookies may be used without the end user’s prior consent. For example, under the Regulation, the end user’s prior consent is not required when cookies are used for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end user.
Providers of software that enables electronic communications are obligated under the Regulation to offer functionality in the software to prevent third parties from storing information on the end user’s terminal equipment and/or processing information already stored on such equipment. Furthermore, during the installation of any software enabling electronic communications, the end user shall be informed about the privacy settings options in the software and be required to configure such settings.
In addition to the above, the Regulation also prescribes several rules on market communications, including an obligation for marketers either not to prevent the presentation of the calling line identification or to use a special prefix that indicates a marketing call.
Violations of the Regulation will be subject to the liability provisions of the GDPR, meaning that a breach of the Regulation may result in an obligation to compensate end users affected by the breach as well as to pay administrative fines of up to 20,000,000.00 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Even if the date of application of the Regulation is uncertain and will occur in 2023 at the earliest, businesses should evaluate now how they may be affected and start taking preparatory measures in order to ensure a smooth transition from the Directive to the Regulation. If you have questions or would like to know more about the Regulation and how it may affect your business, do not hesitate to contact us.