For Further Information Contact:
Modernisation of EU Data Protection Rules Continues: Proposed ePrivacy Regulation
21/02/2017The newly proposed Regulation on electronic privacy would apply to new players providing electronic communications services, decrease red tape around cookies, and allow more extensive big data analysis with user consent. National data protection authorities would have the power to impose hefty fines for infringements.
The European Commission is proposing a new Regulation on Privacy and Electronic Communications to replace the current ePrivacy Directive transposed into the Finnish Information Society Code. The proposed legislative measure is a directly applicable EU regulation, meaning that a single set of rules would be applied across the whole EU.
The proposed ePrivacy Regulation complements the General Data Protection Regulation (GDPR) adopted in 2016 and applicable from May 2018 onward. Several key elements of the GDPR are also central in the ePrivacy Regulation, such as consent requirements, privacy by design and privacy by default as well as the high penalties for infringements.
The ePrivacy Regulation would, however, apply to processing of all electronic communications data, not just that comprising personal data. Protection and rights of the end users are provided not only to individuals but also to companies. The proposal is also intended to apply to the transmission of machine-to-machine communications.
What is Proposed?
Among others, the proposal includes the following key features:
Increased scope of applicability: The ePrivacy Regulation would apply when electronic communications services are provided to end users located in the EU area, regardless of where the service originates from.
New players: Provision of internet-based communication services, such as instant messaging, voice over IP and web-based email, would be included within the scope of the ePrivacy Regulation. This means that the new digital communication services would have to guarantee the same level of privacy as traditional telecom operators.
Simplified cookie rules: To tackle “consent-fatigue”, the Commission proposes that no consent would be required for non-privacy intrusive cookies, for example, when they are only used to track visitor numbers or to improve user experience by remembering shopping cart history. As previously interpreted in Finland, browser settings could be validly used EU-wide to accept and consent to cookies, meaning that a significant proportion of businesses would be able to do away with cookie banners and notices.
Less spam: Whether done via email, SMS, phone or by other technological means, direct marketing communications to individuals and companies alike would require a prior consent of the user. Depending on national law, people would either be protected by default or be able to use a do-not-call list to ban marketing phone calls. In addition, marketing callers would need to display their phone number or use a special prefix which indicates a marketing call.
Use of communications content and metadata: Unless consent for processing of the data is attained from the user, the data should either be anonymised or deleted, unless it is needed for billing purposes. The ePrivacy Regulation would stress the highly confidential nature of electronic communications and introduce strict rules around the processing of electronic communications data. The proposal lays down a presumption that the processing of content data results in high risks to the rights and freedoms of natural persons, which would, with certain exceptions, trigger an obligation to consult supervisory authorities prior to the processing in accordance with the GDPR.
New business opportunities: Possibilities to process electronic communications metadata – such as location, time of a call or websites visited – would be broadened based on the end user’s consent. This aims at creating new opportunities. For example, electronic communications services could develop their businesses and provide additional services through big data analysis by producing, say, heat maps indicating the presence of people or displaying traffic movements.
Stricter enforcement: The task of enforcing the proposed ePrivacy Regulation would be given to national data protection authorities, who will also be responsible for the enforcement of the GDPR. These authorities would have the power to impose administrative fines for infringements of the ePrivacy Regulation that would be in line with the fines introduced in the GDPR. Depending on the infringement, the maximum amount of fines could be either EUR 20 million or, in case of a company, up to 4% of the total worldwide annual turnover. In addition, the member states could lay down rules on other penalties applicable to infringements of the ePrivacy Regulation, in particular for infringements not subject to the administrative fines.
By Mika Puittinen, Partner, Pessi Honkasalo, Senior Associate, Jussi Latola, Associate, Krogerus, Helsinki, Finland, a Transatlantic Law International affiliated firm.
For further information or for any assistance, please contact Mika at finland@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 95 affiliated independent law firms worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.