ePrivacy draft regulation gets stricter after European approval
The ePrivacy draft regulation is turning towards a more stringent regime with after the approval by European Parliament of the latest draft.
As previously discussed, the European ePrivacy Regulation is meant to integrate the European General Data Protection Regulation when it comes to “electronic communications data“. It is still in a draft stage and apparently the plan is to speed up the approval process so that it will be effective from the 25th of May 2018 as the GDPR.
And a major step forward was made with the approval by the European Parliament of an amended text of the draft ePrivacy Regulation which seems to meet the requests from the European data protection authority for more stringent provisions in the opinion of the Article 29 Working Party on the topic. This does not mean that the ePrivacy Regulation will be eventually approved in its current wording, but just means that the European Parliament gave a mandate to start negotiations with the European Council on the current text.
The main chages that were introduced can be summarized as follows:
Broader scope for the ePrivacy regulation
The ePrivacy regulation now provides at recital 4 that
“electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679“
The subsequent recital clarifies that the regulation applies only to “electronic communications data that qualify as personal data” which appears in contradiction with the previous recital. But in general terms the recital 4 seems to create a presumption that any electronic communication data falls within the scope of the GDPR. This is confirmed by the changes to the provisions relating to the material scope of the regulation whose applicability
- is now clearly extended to the processing of any electronic communication data both online and offline by means of users terminals;
- includes any content transmitted, distributed or exchanged by means of electronic communications services, including metadata;
- applies to any type of direct marketing communication; and
- any machine to machine service, which therefore would include Industrial Internet of Things communications.
Finally, the applicability to non-EU entities processing data of individuals located in the European Union (regardless of where the processing takes place) has been further expanded.
More reliance on users’ prior consent
“The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.“
This position seems confirmed also in relation to communications for direct marketing purposes whose provision of the ePrivacy regulation refers to the need of a prior consent, only providing for the “soft spam exemption” and without mentioning the possibility to rely on the legitimate interest which on the contrary is expressly provided by the GDPR.
Likewise any interception of electronic communications, also by means of wireless networks and for traffic analytics, shall occur with the prior consent of the relevant individuals.
Cookie walls and banners are banned
- in compliance with the principle of privacy by default, the default settings of the browser or software to be used to control cookies shall be set so that the storing of information on the terminal equipment by third parties is prohibited. This might have a massive negative effective on all the applications aimed at tracking users’ behaviour on the Internet and
- users shall be given sufficient granular options as to the categories of consent to be given in order to have a better control on them.
Strong limitations to web analytics
No consent is required for cookies that are technically necessary for measuring the reach of an information society service requested by the user provided that such measurement is carried out by the provider or on behalf of the provider and
- data is aggregated;
- user is given a possibility to object;
- no personal data is made accessible to any third party and
- data is kept separate from the data collected in the course of audience measuring on behalf of other providers.
Broader applicability of fines
What is your view on the above?Happy to discuss and you may find also interesting my series of blog posts on the most relevant issues addressed by the GDPR
As usual, if you found this article interesting please share it on your favourite social media.
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.