Internet services and IoT impacted by the draft EU ePrivacy Regulation
The draft European ePrivacy Regulation might have a considerable impact on Internet activities, including direct marketing, and IoT.
The review process of the EU ePrivacy Directive, which among others regulates direct marketing and cookies, is rapidly taking place. A first draft of the ePrivacy Regulation (it will no longer be a Directive) is now available and provides for much stricter obligations in line with those provided by the already approved EU General Data Protection Regulation (GDPR). This blog post was initially published on my law firm’s blog Privacy Matters.
Extending ePrivacy to VOIP and IoT
Providers of telecommunication services over internet (VoIP or “over-the-top” (OTT) players including messenger apps) are not included in the current ePrivacy Directive even though their services may be seen by end-users as functionally equivalent to traditional telecommunications providers. To level the playing field, the draft text of the ePrivacy Regulation features a technology neutral approach applying to “any exchange of information using electronic communications services and public communications networks, including content and metadata” (e.g. location data and device fingerprints). The Regulation would also apply to hotspot services and cover machine-to-machine (M2M) communications which is crucial for the development of the Internet of Things (IoT).
Expanded privacy rules
The draft ePrivacy Regulation would also spell big changes for a variety of actors beyond traditional telecoms providers:
By avoiding the need for transposition into national law, the Regulation will be directly applicable and leave less room for divergent national laws.
2. Territorial scope
The Regulation would apply to electronic communications data processed in connection with the provision of electronic communications services in the EU, regardless whether the processing takes place in the EU, and to the protection of information related to the terminal equipment of end-users in the EU.
3. Tracking tools
The Regulation confirms that the current rules on cookies apply universally to all end-users, irrespective as to whether they are individuals or corporate subscribers. The new rules would include a more stringent approach to “opt-in” consent – applying the consent regime defined by the General Data Protection Regulation. Third party cookies should be prevented by default. The rules would extend beyond cookies and pixel tags to cover any form of tracking tool, including tools that “interfere” with the terminal equipment without storing any code on the user device (such as by using the terminal equipment’s processing capabilities).
4. Communications secrecy
Metadata from all types of providers will need to be deleted except as permissible under the current exceptions (e.g. billing, quality control or cybersecurity) or if prior consent is provided under the GDPR.
The Regulation confirms that anti-spam rules will apply universally to all subscribers (including corporates). Direct e-marketing will not be permitted unless the end-user has consented, or unless to existing customers for similar products (only opt out option required). The Regulation would permit Member States by law to provide voice-to-voice on an opt-out basis.
6. Breach notification
The procedure to report breach notifications for ISPs and telecoms providers – which was introduced in 2009– is to be aligned with the breach notice requirements in the GDPR.
As with the GDPR, a violation of the e-Privacy Regulation could be fined up to 4% of the total worldwide annual turnover of an undertaking. Data protection authorities would be given powers to enforce certain provisions of the Regulation.
The draft text of the proposal is expected to be finalized in January 2017, after which it will be reviewed by the European Council (comprised of EU Member State representatives) and the European Parliament. This process could take several months or even years. Once finally adopted, the draft text currently provides for a 6 month transition period.
If you found this article interesting, please share it on your favourite social media!
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.