The proposed e-Privacy Regulation: what is new?
March 2017 | EXPERT BRIEFING | DATA PRIVACY
In January 2017 the European Commission published its proposal for an e-Privacy Regulation (EPR) just weeks after an unofficial draft of the proposed law was leaked. The Commission’s proposal is still very much in draft form and will likely undergo significant amendment before being adopted as law.
The EPR forms part of the EU’s Digital Single Market policy and is aimed at modernising the laws surrounding electronic communications data in light of recent technological developments.
The EPR will repeal the e-Privacy Directive 2002, which was last updated in 2009. The choice to implement these reforms through regulation is significant, as this will ensure a greater level of harmonisation across the EU. The EPR complements and should be read in tandem with the General Data Protection Regulation (GDPR).
In terms of timing, the Commission has stated its intention for the EPR to come into effect simultaneously with the GDPR in May 2018.
Subject matter and application
The EPR will regulate the use of, and access to, electronic communications data, which comprises both metadata and content data.
Communications metadata consists of information about emails, phone calls and other communications, such as the sender and recipient, their locations, the date, time and other details of the communication, but not its actual content.
Content data is the actual content of an email, instant message, phone-call or other form of communication.
Importantly, the definition of “communications data” under the EPR is broader than the definition of “personal data” under the GDPR: the former includes the communications data of legal entities in addition to that of individuals. In fact, the EPR recognises the importance of maintaining the confidentiality of business secrets and other sensitive information that has economic value, a consideration which is not necessarily covered by the GDPR.
The current regime, under the e-Privacy Directive, applies predominantly to traditional telecommunications service providers, i.e., providers of fixed line telephone services, internet access and SMS messaging services. One of the primary changes under the EPR is that it will bring so-called ‘over-the-top’ (OTT) service providers within its expanded scope. OTT service providers are those that provide electronic communications services over the internet, such as instant messaging services (WhatsApp, Viber and Facebook Messenger), web-based email services and voice over IP (such as Skype). At present these services are not regulated under the e-Privacy Directive in the way that traditional telecommunications service providers currently are. The EPR aims to level the regulatory playing field for electronic communications services that the Commission considers “substitutable”. The ultimate intention is that the end-users of all electronic communications services, both fixed line and internet-based, will enjoy the same level of privacy in their communications.
Importantly, the EPR will also regulate data transmitted to and from, and stored in, connected devices and machines which form part of the Internet of Things. The EPR will apply to both free services and those requiring payment.
As with the GDPR, the EPR will have long-arm territorial jurisdiction, meaning that its provisions will apply to communications services that are offered to end-users within the EU and will protect devices located within the EU even where the service providers are located outside the EU.
Key obligations under the EPR
Transmission data. Subject to limited exceptions, Article 5 of the EPR obliges all service providers, as a general rule, to ensure the confidentiality of all electronic communications and prohibits any interference with such data through listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing by third parties. Article 6 permits the use of communications data only where necessary to ensure the effective transmission of the communication, and where it is necessary for security reasons and to detect technical faults. Similarly, communications metadata may be used only to meet mandatory service quality requirements and for billing and fraud detection purposes.
Significantly, both content data and metadata may be used by service providers where the end-user has given their consent to such use. Consent under the EPR must meet the same high threshold as under the GDPR: it must be revocable at any time, freely given, specific, informed and unambiguous. Furthermore, when an end-user gives such consent to the processing of their content data, the service provider must remind the end-user every six months of the possibility of revoking this consent. This provision targets service providers that offer reduced service charges to end-users who consent to the processing of their content data for analytics purposes.
Data stored on devices or machines. In respect of data that is stored on ‘terminal equipment’ such as smartphones, computers, tablets and other connected devices, there is a general prohibition on anybody other than the end-user accessing or collecting such data, unless it is necessary for the transmission of the service, it is necessary to perform a service at the request of the end-user, or the end-user has given their consent. For example, the collection of data packets sent and received between users in a messaging app is permitted because this is solely for the purpose of transmitting the communication. Similarly, the provider of a social media platform would be permitted to access the camera of a mobile device where it is performing a service at the request of the end-user (for example, uploading a photo).
A similar prohibition will apply to the collection of “information emitted” by connected devices to enable them to connect to another device or network. Of course, the use of such information is permitted where the signals emitted from the device are used for network connection purposes (for example, connecting to a Wi-Fi hotspot in a public place).
Beyond connectivity purposes, the collection of such information can facilitate device identification and tracking techniques, such as so-called ‘device fingerprinting’, which can be used for location monitoring and to track footfall and traffic in public places.
On the basis that such tools are often deployed without the end-user’s knowledge, the EPR will impose an obligation on service providers to display a “clear and prominent notice” in areas where such tools are used. Such notices must inform end-users that these tools are in use and must meet the detailed transparency requirements of Article 13 of the GDPR (which include identifying the data collector and specifying the purposes for which the data is collected). The matching of location data emitted by mobile phones with customer profiles to provide personalised targeted advertising will also be subject to the direct marketing rules under the EPR.
Privacy settings on newly installed software and apps. A further novel aspect proposed in the EPR is the introduction of rules aimed at streamlining pop-up notices for cookies and other online tracking tools. Service providers will be obliged to configure all software “placed on the market” in a way that enables end-users to block third-party cookies from storing information on a connected device or accessing data already stored on the device. In short, end-users must be presented with a privacy setting whereby web cookies from parties other than the immediate service provider are blocked from the device. Separately, on the installation of all software and apps, users must be offered a prompt to choose from a menu of privacy settings (high, moderate or low). For software installed before the EPR takes effect, the privacy setting prompt must be provided on the next software update. The measures are aimed at reducing cookie pop-ups and offering end-users the choice to set a global privacy setting.
Enforcement and sanctions
When it comes to enforcement and sanctions, the EPR largely reflects the GDPR. The national supervisory authorities (SAs) responsible for monitoring and enforcing the GDPR will perform the same function under the EPR. The EPR envisages that additional resources will be allocated to the national SAs for enforcement of the EPR. Similarly, the European Data Protection Board will be tasked with ensuring the consistent application of the EPR and will issue opinions and guidelines to this end. The remedies available under the EPR will match those available under the GDPR, with the important addition that legal entities, as well as individuals, will be able to seek compensation. The headline administrative fines under the GDPR will also apply under the EPR, depending on the type of infringement.
While there are many significant changes proposed in the EPR, businesses would be best placed to wait until the final version of the EPR is published before making significant operational changes. However, it is important to note that the proposed lead-in period for the EPR is six months from the date of its official publication (by comparison, the GDPR lead-in period was two years), and therefore it would be prudent for businesses to keep an eye on the EPR as it makes its way through the EU’s legislative process.
Colin Rooney is a partner and Hugh McCarthy is an associate at Arthur Cox. Mr Rooney can be contacted on +353 1 618 0543 or by email: firstname.lastname@example.org. Mr McCarthy can be contacted on +353 1 779 4237 or by email: email@example.com.
© Financier Worldwide