The ePrivacy draft regulation is turning towards a more stringent regime after the approval by the European Parliament of the latest draft.
As previously discussed, the European ePrivacy Regulation is meant to integrate the European General Data Protection Regulation when it comes to “electronic communications data”. It is still in a draft stage, and the plan is to speed up the approval process so that it will be effective from the 25th of May 2018 as the GDPR.
And a significant step forward was made with the approval by the European Parliament of an amended text of the draft ePrivacy Regulation, which seems to meet the requests from the European data protection authority for more stringent provisions in the opinion of the Article 29 Working Party on the topic. This does not mean that the ePrivacy Regulation will eventually be approved in its current wording but implies that the European Parliament gave the mandate to start negotiations with the European Council on the existing text.
The main changes that were introduced can be summarized as follows:
Broader scope for the ePrivacy Regulation
The ePrivacy Regulation now provides at recital 4 that
“electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679“
The subsequent recital clarifies that the Regulation applies only to “electronic communications data that qualify as personal data” which appears in contradiction with the previous recital. But in general terms, the recital 4 seems to create a presumption that any electronic communication data falls within the scope of the GDPR. This is confirmed by the changes to the provisions relating to the material scope of the Regulation whose applicability
- is now clearly extended to the processing of any electronic communication data both online and offline through users terminals;
- includes any content transmitted, distributed or exchanged utilizing electronic communications services, including metadata;
- applies to any direct marketing communication; and
- any machine to machine service, which, therefore, would include Industrial Internet of Things communications.
Finally, the applicability to non-EU entities processing data of individuals located in the European Union (regardless of where the processing takes place) has been further expanded.
More reliance on users’ prior consent
“The provider of the electronic communications service may process electronic communications data solely for the provision of an explicitly requested service, for purely individual usage, only for the duration necessary for that purpose and without the consent of all users only where such requested processing does not adversely affect the fundamental rights and interests of another user or users.“
This position seems also confirmed concerning communications for direct marketing purposes whose provision of the ePrivacy Regulation refers to the need of prior consent, only providing for the “soft spam exemption” and without mentioning the possibility to rely on the legitimate interest which on the contrary is expressly granted by the GDPR.
Likewise, any interception of electronic communications, also through wireless networks and for traffic analytics, shall occur with the prior consent of the relevant individuals.
Cookie walls and banners are banned
- in compliance with the principle of privacy by default, the default settings of the browser or software to be used to control cookies shall be set so that the storing of information on the terminal equipment by third parties is prohibited. This might have a massive negative effect on all the applications aimed at tracking users’ behavior on the Internet, and
- users shall be given sufficient granular options as to the categories of consent to be given to have better control over them.
Substantial limitations to web analytics
No consent is required for cookies that are technically necessary for measuring the reach of an information society service requested by the user provided that such measurement is carried out by the provider or on behalf of the provider and
- data is aggregated;
- user is given a possibility to object;
- no personal data is made accessible to any third party and
- data is kept separate from the data collected in the course of audience measuring on behalf of other providers.
Broader applicability of fines
What is your view on the above? Happy to discuss and you may also find interesting my series of blog posts on the most relevant issues addressed by the GDPR