Data ProtectionPrivacy

ePrivacy draft regulation gets stricter after European approval

The ePrivacy draft regulation is turning towards a more stringent regime after the approval by the European Parliament of the latest draft. 

As previously discussed, the European ePrivacy Regulation is meant to integrate the European General Data Protection Regulation when it comes to “electronic communications data”. It is still in a draft stage, and the plan is to speed up the approval process so that it will be effective from the 25th of May 2018 as the GDPR.

And a significant step forward was made with the approval by the European Parliament of an amended text of the draft ePrivacy Regulation, which seems to meet the requests from the European data protection authority for more stringent provisions in the opinion of the Article 29 Working Party on the topic. This does not mean that the ePrivacy Regulation will eventually be approved in its current wording but implies that the European Parliament gave the mandate to start negotiations with the European Council on the existing text.

The main changes that were introduced can be summarized as follows:

Broader scope for the ePrivacy Regulation

The ePrivacy Regulation now provides at recital 4 that

electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679

The subsequent recital clarifies that the Regulation applies only to “electronic communications data that qualify as personal data” which appears in contradiction with the previous recital. But in general terms, the recital 4 seems to create a presumption that any electronic communication data falls within the scope of the GDPR. This is confirmed by the changes to the provisions relating to the material scope of the Regulation whose applicability

  • is now clearly extended to the processing of any electronic communication data both online and offline through users terminals;
  • includes any content transmitted, distributed or exchanged utilizing electronic communications services, including metadata;
  • applies to any direct marketing communication; and
  • any machine to machine service, which, therefore, would include Industrial Internet of Things communications.

Finally, the applicability to non-EU entities processing data of individuals located in the European Union (regardless of where the processing takes place) has been further expanded.

More reliance on users’ prior consent

The ePrivacy draft regulation relies on the users’ consent more than the GDPR, which provides a broader number of alternative solutions, including legitimate interest. On the contrary, the latest draft of the Regulation emphasizes that

The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.

This position seems also confirmed concerning communications for direct marketing purposes whose provision of the ePrivacy Regulation refers to the need of prior consent, only providing for the “soft spam exemption” and without mentioning the possibility to rely on the legitimate interest which on the contrary is expressly granted by the GDPR.

Likewise, any interception of electronic communications, also through wireless networks and for traffic analytics, shall occur with the prior consent of the relevant individuals.

Cookie walls and banners are banned

The ePrivacy draft regulation takes a strong position against cookie walls and banners, which, on the contrary, are the solution provided by the guidelines of the Italian data protection authority. On the contrary, more control shall be given to users by means, for instance, of browser settings. This solution is aimed at avoiding a sort of unknown approval by users that are just bothered by cookie walls and accept it without reading the terms of the applicable cookies policy. But the draft regulation also adds that
  • in compliance with the principle of privacy by default, the default settings of the browser or software to be used to control cookies shall be set so that the storing of information on the terminal equipment by third parties is prohibited. This might have a massive negative effect on all the applications aimed at tracking users’ behavior on the Internet, and
  • users shall be given sufficient granular options as to the categories of consent to be given to have better control over them. 

Substantial limitations to web analytics

No consent is required for cookies that are technically necessary for measuring the reach of an information society service requested by the user provided that such measurement is carried out by the provider or on behalf of the provider and

  1. data is aggregated;
  2. user is given a possibility to object;
  3. no personal data is made accessible to any third party and
  4. data is kept separate from the data collected in the course of audience measuring on behalf of other providers.

Broader applicability of fines

The scenarios in which the highest fine of 4% of the global turnover or € 20 million is applicable have been extended to include, for instance, the breach of the provisions on consent and privacy settings for cookies. Also, it has been clarified that if the same conduct represents a breach both under the GDPR and the ePrivacy Regulation, the highest fine will apply.
My impression is that the European regulators are setting a regime that is excessively restrictive and might render the European market less attractive in a period when there is a strong tendency towards digitalization and the usage of tools of machine learning, artificial intelligence, and IoT. The goal is to protect consumers, but I am concerned that the European Union is currently in an economic condition to be able to “set the path”. At the same time, a more balanced approach might encourage investments.

What is your view on the above? Happy to discuss and you may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR

#1 Which companies shall care about it?

#2 Will fines are massive?

#3 Did you run a privacy impact assessment?

#4 New risks for tech suppliers

#5 What changes with the one-stop-shop rule?

#6 How the new privacy data portability right impacts your industry

#7 What issues for Artificial Intelligence?

#8 How to get the best out of data?

#9 Are you able to monitor your suppliers, agents, and shops?

#10 What liabilities for the data protection officer?

#11 Are you able to handle a data breach?

#12 Privacy by design, how to do it?

#13 How data on criminal convictions of employees become a privacy risk

#14 Red flag from privacy authorities on technologies at work

#15 Need a GDPR compliant data processing agreement?

#16 Is your customers’ data protected from your employees?

#18 Data retention periods, an intrigued rebus under the GDPR

#19 Legitimate interest and privacy consent, how to use them?

#20 How privacy consent changes with the GDPR?

#21 Privacy information notice: how to make it transparent when it’s complicated?

#22 How direct marketing changes with the GDPR?

Don't miss our weekly insights

Show More

Giulio Coraggio

I am the head of the Italian Technology sector and the global head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our clients' success.

Related Articles

Back to top button