What is the ePrivacy Regulation and its impact on cookies?

Introduction

The ePrivacy Regulation is a proposed EU law that seeks to strengthen personal data protection in the electronic communications sector. It is an update to the current ePrivacy Directive, which was adopted in 2002 and is considered outdated in light of the technological advancements and changing nature of electronic communications. The Regulation works in conjunction with the General Data Protection Regulation (GDPR) to provide comprehensive data protection for EU citizens.

The ePrivacy Regulation will apply to a wide range of electronic communications services, including internet access services, interpersonal communications services, and direct marketing communications. It will also apply to processing communications content data, such as the contents of calls and messages, and communications data, such as metadata and location data. Additionally, it will apply to audience measurement and any company that processes the personal data of EU citizens, regardless of its location.

The implementation date for the Regulation is currently uncertain as it is still under review and discussion among various European groups. Once a decision is reached, it is expected to take effect two years from the date of its official publication. It is crucial for companies operating in the electronic communications sector to stay updated on the progress of the Regulation and to prepare for its implementation accordingly.

General Data Protection Regulation (GDPR)

The ePrivacy Regulation is separate from the GDPR, but it works together with the GDPR to provide a comprehensive framework for protecting personal data in the EU. The GDPR, which came into effect in May 2018, sets out the general principles for data protection and applies to all companies processing the personal data of EU citizens, regardless of where the company is located. The ePrivacy Regulation, on the other hand, specifically addresses the processing of personal data in the electronic communications sector.

European Data Protection Board (EDPB)

The European Data Protection Board (EDPB) is responsible for providing guidance on the interpretation and application of the ePrivacy Regulation and the GDPR. The EDPB is made up of representatives from the national data protection authorities of the EU member states. The EDPB is responsible for ensuring consistency in the application of the Regulation across the EU and provides guidance on issues such as cookies and other tracking technologies.

The EDPB on the revision of the ePrivacy Regulation

The European Data Protection Board (EDPB), which represents the Data Protection Authorities of the European Union, considers the revision of the current ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) an important and necessary step that should be concluded rapidly. IP-based communication services, commonly known as “Over-the-Top” services, are widely used but are currently not covered by the existing Directive. To ensure that the confidentiality of end-users’ communications is protected while using these new services, and to create a level playing field for providers of electronic communication and functionally equivalent services, the EDPB calls on the European Commission, Parliament, and Council to work together to ensure a swift adoption of the new ePrivacy Regulation, which should replace the current Directive as soon as possible after the coming into effect of the General Data Protection Regulation in May 2018.

Draft ePrivacy Regulation

The draft ePrivacy Regulation is under review by the EU Parliament and the EU Council. It will replace the current ePrivacy Directive and apply to any company with an annual global turnover greater than €10m. It will also apply to any company processing data of more than 50,000 individuals per year. This draft regulation also includes some changes from the current ePrivacy Directive. For example, it will apply to any company regardless of its location, as long as it processes the data of EU citizens.

Obtain prior consent

One of the key elements of the ePrivacy Regulation is the requirement for website owners and other providers of electronic communications services to obtain prior consent from users before collecting data, including cookies and other tracking technologies, such as IP addresses. This is commonly referred to as the EU Cookie Law. The Regulation requires that website owners and providers of electronic communications services provide clear and comprehensive information to users about data processing activities and obtain valid consent, which must be explicit and freely given. Users must also have the ability to withdraw their consent at any time.

Requirements for website owners and providers of electronic communications services

The ePrivacy Regulation sets out specific requirements for website owners and providers of electronic communications services concerning the collection and use of personal data. These requirements include:

  • Providing clear and comprehensive information to users about data processing activities.

  • Obtaining valid consent, which must be explicit and freely given.

  • Giving users the ability to withdraw their consent at any time.

  • Providing users with the ability to refuse cookies and other tracking technologies through software settings or other means.

Consent requests and cookie banners

Under the ePrivacy Regulation, website owners and providers of electronic communications services must obtain prior consent from users before collecting data, including cookies. One way website owners typically comply with this requirement is by displaying a cookie banner on their website that informs users about the use of cookies and other tracking technologies and requests that users provide their consent.

National laws and enforcement

The ePrivacy Regulation requires national laws to be implemented in each member state, and national data protection authorities are responsible for enforcing it. Each member state is responsible for ensuring that the ePrivacy Regulation is implemented and enforced in a way that is consistent with the GDPR and the guidance provided by the EDPB. This means there may be some variation in how the ePrivacy Regulation is applied and enforced across the EU.

Impact on electronic communications services

The ePrivacy Regulation significantly impacts electronic communications services, including internet access and interpersonal communications services. These services are required to comply with the Regulation’s requirements for obtaining prior consent, providing clear and comprehensive information, and allowing users to refuse cookies and other tracking technologies.

Impact on direct marketing communications

The ePrivacy Regulation also applies to direct marketing communications and audience measurement. This means that companies engaged in direct marketing activities, such as email marketing and telemarketing, are required to comply with the Regulation’s requirements for obtaining prior consent, providing clear and comprehensive information, and giving users the ability to opt out of receiving direct marketing communications.

Impact on other tracking technologies and electronic communications data

In addition to cookies, the ePrivacy Regulation applies to other tracking technologies and to the processing of communications content data and communications data. Companies that use technologies such as IP addresses, device fingerprints, and browser fingerprints to track users online will also be required to comply with the Regulation’s requirements for obtaining prior consent, providing clear and comprehensive information, and giving users the ability to opt out of tracking.

Impact on website owners and providers of electronic communications services

The ePrivacy Regulation has a significant impact on website owners and providers of electronic communications services, as they are required to comply with the Regulation’s requirements for obtaining prior consent, providing clear and comprehensive information, and giving users the ability to refuse cookies and other tracking technologies. This can be a significant challenge for companies, particularly small and medium-sized businesses, as they may need more resources or expertise to comply with the Regulation’s requirements.

Impact on internet users

The ePrivacy Regulation is intended to protect the personal data of internet users, and it gives users greater control over their personal data by requiring website owners and providers of electronic communications services to obtain prior consent, provide clear and comprehensive information, and give users the ability to refuse cookies and other tracking technologies. This can increase users’ trust in the internet and encourage them to use it more.

Penalties and fines

One of the critical aspects of the ePrivacy Regulation is the enforcement mechanism and penalties for non-compliance. National data protection authorities will enforce the Regulation, and companies that violate its provisions will be subject to fines and penalties. The maximum fines under the Regulation will be up to €20 million or 4% of the company’s annual global turnover, whichever is higher.

The penalties for non-compliance with the ePrivacy Regulation are similar to those under the General Data Protection Regulation (GDPR). Companies that fail to comply with the Regulation’s requirements may be subject to fines, penalties, and enforcement actions by national data protection authorities. The penalties for non-compliance with the Regulation will be based on a tiered system, with different levels of fines for different types of breaches.

For example, a company that fails to obtain valid consent for the use of cookies may be subject to a lower level of fine than a company that breaches the Regulation’s provisions on using personal data for direct marketing purposes. In addition, companies that fail to comply with the Regulation’s requirements may be subject to enforcement actions, such as injunctions and penalties, by national data protection authorities.

It’s important to note that the fines and penalties for non-compliance with the ePrivacy Regulation are not meant to be punitive but rather to serve as a deterrent and to encourage companies to take the necessary steps to comply with the Regulation’s requirements. Therefore, companies should take the time to review their current practices and make any changes required to ensure compliance with the Regulation.

The ePrivacy Regulation will come with strict penalties for non-compliance. Companies should be aware of these penalties and take the necessary steps to ensure compliance with the Regulation’s requirements. This includes reviewing current practices, making necessary changes, and ensuring robust consent management systems are in place. By taking these steps, companies can avoid penalties and fines and ensure that they are providing the necessary protections for the personal data of their users.

Conclusion

The ePrivacy Regulation is a proposed EU law that aims to strengthen the protection of personal data in the electronic communications sector. It is an update to the current ePrivacy Directive, which was adopted in 2002 and is considered outdated in light of the technological advancements and changing nature of electronic communications. The regulation will work in conjunction with the General Data Protection Regulation (GDPR) to provide comprehensive data protection for EU citizens.

The implementation date for the regulation is currently uncertain as it is still under review and discussion among various European groups. Once a decision is reached, it is expected to take effect two years from the date of its official publication. It is important for companies operating in the electronic communications sector to stay updated on the progress of the regulation and to prepare for its implementation accordingly.
