Data ProtectionPrivacy

Internet services and IoT impacted by the draft EU ePrivacy Regulation

The draft European ePrivacy Regulation might have a considerable impact on Internet activities, including direct marketing, and IoT. 

The review process of the EU ePrivacy Directive, which among others regulates direct marketing and cookies, is rapidly taking place. A first draft of the ePrivacy Regulation (it will no longer be a Directive) is now available and provides for much stricter obligations in line with those provided by the already approved EU General Data Protection Regulation (GDPR). This blog post was initially published on my law firm’s blog Privacy Matters.

Extending ePrivacy to VOIP and IoT

Providers of telecommunication services over internet (VoIP or “over-the-top” (OTT) players including messenger apps) are not included in the current ePrivacy Directive even though their services may be seen by end-users as functionally equivalent to traditional telecommunications providers. To level the playing field, the draft text of the ePrivacy Regulation features a technology neutral approach applying to “any exchange of information using electronic communications services and public communications networks, including content and metadata” (e.g. location data and device fingerprints). The Regulation would also apply to hotspot services and cover machine-to-machine (M2M) communications which is crucial for the development of the Internet of Things (IoT).

Expanded privacy rules

The draft ePrivacy Regulation would also spell big changes for a variety of actors beyond traditional telecoms providers:

1. Regulation

By avoiding the need for transposition into national law, the Regulation will be directly applicable and leave less room for divergent national laws.

2. Territorial scope

The Regulation would apply to electronic communications data processed in connection with the provision of electronic communications services in the EU, regardless whether the processing takes place in the EU, and to the protection of information related to the terminal equipment of end-users in the EU.

3. Tracking tools

The Regulation confirms that the current rules on cookies apply universally to all end-users, irrespective as to whether they are individuals or corporate subscribers. The new rules would include a more stringent approach to “opt-in” consent – applying the consent regime defined by the General Data Protection Regulation. Third party cookies should be prevented by default. The rules would extend beyond cookies and pixel tags to cover any form of tracking tool, including tools that “interfere” with the terminal equipment without storing any code on the user device (such as by using the terminal equipment’s processing capabilities).

4. Communications secrecy

Metadata from all types of providers will need to be deleted except as permissible under the current exceptions (e.g. billing, quality control or cybersecurity) or if prior consent is provided under the GDPR.

5. Spam

The Regulation confirms that anti-spam rules will apply universally to all subscribers (including corporates). Direct e-marketing will not be permitted unless the end-user has consented, or unless to existing customers for similar products (only opt out option required). The Regulation would permit Member States by law to provide voice-to-voice on an opt-out basis.

6. Breach notification

The procedure to report breach notifications for ISPs and telecoms providers – which was introduced in 2009– is to be aligned with the breach notice requirements in the GDPR.

7. Enforcement

As with the GDPR, a violation of the e-Privacy Regulation could be fined up to 4% of the total worldwide annual turnover of an undertaking. Data protection authorities would be given powers to enforce certain provisions of the Regulation.

The draft text of the proposal is expected to be finalized in January 2017, after which it will be reviewed by the European Council (comprised of EU Member State representatives) and the European Parliament. This process could take several months or even years. Once finally adopted, the draft text currently provides for a 6 month transition period.

If you found this article interesting, please share it on your favourite social media!


Follow me on LinkedIn – Facebook Page – Twitter – TelegramYouTube  Google+

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.

Related Articles

Back to top button