European Commission: Proposal for new e-Privacy Regulation

IRIS 2017-3:1/6

Svetlana Yakovleva

Institute for Information Law (IViR), University of Amsterdam & De Brauw, Blackstone, Westbroek

On 10 January 2017, the European Commission adopted a proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (e-Privacy Regulation). The proposed Regulation is a result of the review of the e-Privacy Directive (2002/58/EC) (see IRIS 2002-7/10) that was announced in the European Commission’s Digital Single Market Strategy (see IRIS 2015-6:1/3).

The proposed Regulation updates the e-Privacy Directive to align it with technological developments and with the General Data Protection Regulation (GDPR) adopted in May 2016. It aims “to ensure stronger privacy in electronic communications, while opening up new business opportunities.” Once adopted, the e-Privacy Regulation will be directly applicable throughout the EU.

The draft Regulation improves the existing e-privacy legal framework in a number of key ways. Firstly, it broadens the material scope of the e-privacy rules and clarifies their territorial scope. In contrast to the e-Privacy Directive (which applies only to the processing of personal data in electronic communications), the proposed Regulation covers the processing of “electronic communications data”, which includes electronic communications content and electronic communications metadata that are not necessarily confined to personal data. Furthermore, unlike the e-Privacy Directive, the proposed Regulation is binding not only on electronic communications services providers, but also on providers of so-called “over-the-top” services and machine-to-machine communications. If adopted, the Regulation will apply to “electronic communications data processed in connection with the provision and use of electronic communications services in the [EU], regardless of whether or not the processing takes place in the [EU].” Thus, the territorial scope of its application is not limited to the EU.

Second, the proposed Regulation broadens the ability of businesses to process electronic communications metadata, such as location data. Under the new rules, the consent of the end-user is required just once - encompassing the processing of both communications content and metadata. For the purposes of the e-Privacy Regulation the end-user’s consent will have the same meaning and will be subject to the same conditions as the data subject’s consent under the GDPR.

Third, the proposed Regulation streamlines the rules on cookies. In particular, it clarifies that no consent is required for cookies that are necessary for the functioning of websites, cookies that improve Internet experience (for example by remembering shopping cart history) or cookies that are used by a website to count the number of visitors. In all other cases, the processing and storage of cookies is only allowed with the consent of the end-user. In line with the principles of data protection “by design” and “by default”, as codified in the GDPR, the proposed rules also require Internet browsers to offer end-users the option of preventing third parties from storing cookies on their terminal equipment or processing cookies already stored on that equipment.

Finally, to ensure full consistency with the GDPR the proposed Regulation relies on the enforcement mechanism of the GDPR. Supervisory authorities in charge of the enforcement of the Regulation must have the power to impose penalties, including administrative fines, for any infringement of the e-Privacy Regulation. End-users are entitled to the same administrative and judiciary remedies as those available for data subjects under the GDPR.