EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know
January 10, 2017
On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies.
The Proposal is the next major step in the EU's review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR) in April 2016. Companies should consider following the legislative process and assessing how the new rules may impact their business.
This WSGR Alert provides background information, highlights the top nine key points of the Proposal, and provides an overview of the next steps.
The current EU data protection legal framework is composed mainly of two legal instruments: (1) the Data Protection Directive (to be replaced by the GDPR on May 25, 2018), which sets conditions for the processing of personal data; and (2) the ePrivacy Directive, which provides specific rules for the electronic communications sector. The Proposal would replace the ePrivacy Directive with an ePrivacy Regulation. Notably, in cases of conflict with the GDPR, the rules of the ePrivacy Regulation would prevail.
Key Points of the Proposal
Below are the top highlights of the Proposal:
- Increased Harmonization Across EU Countries. Like the GDPR, the Proposal is a "regulation." Regulations apply in all EU countries without the need for any implementation (as opposed to "directives"). The Proposal thus aims to harmonize the ePrivacy rules in all EU countries.
- Broader Scope. The Proposal applies to all providers of electronic communications services, including over-the-top service providers (OTTs). According to the Proposal, OTTs are Internet-based services enabling inter-personal communications (e.g., instant messaging, VoIP services, web-based email, IoT devices, machine-to-machine communications), which are not covered by the current ePrivacy Directive.
- Extraterritorial Effect. The Proposal extends the reach of EU law to non-EU companies providing electronic communications services to—or processing data of—EU individuals.
- Restrictions on the Use of Electronic Communications Data (Including Content and Metadata). The Proposal significantly restricts the processing of electronic communications data, which covers both the content of the communications (e.g., text, voice, sound, images, videos) and the metadata (e.g., location, date, time, duration, type of the communication). As a rule, electronic communications data can only be processed as necessary to (i) achieve the transmission of the communication or (ii) ensure the security of the communications.
In addition, the Proposal allows the processing of metadata and the content of electronic communications in limited situations:
- Metadata can be processed: (a) if the end-user concerned consents to the processing of metadata for specific purpose(s) and provided that the purpose(s) could not be achieved by processing anonymous data; (b) if necessary to meet mandatory quality of service requirements; or (c) if required for billing, calculating interconnection payments, or detecting or stopping fraudulent or abusive use of, or subscription to, electronic communications services.
- Content of communications can be processed: (a) for the sole purpose of providing a specific service to an end-user, if the end-user(s) concerned consent to the processing and if that processing is necessary to provide the service; or (b) if all parties to the communication consent to the processing of the content for specific purpose(s), provided that the purpose(s) could not be achieved by processing anonymous data and that the company complies with the GDPR prior consultation requirement (i.e., consults the relevant EU data protection authorities before starting the processing).
- Restrictions on the Use of Data Emitted by Users' Terminal Equipment. The Proposal sets conditions for the collection of data emitted by users' terminal equipment (e.g., MAC address, IMEI, IMSI). Such data collection is only permitted: (i) to establish a connection; (ii) if users receive a clear and prominent notice that complies with the GDPR privacy notice requirements and explains the measures individuals can take to minimize or stop the data collection; and (iii) if appropriate security measures are in place. The goal is to cover the tracking of users' devices for services such as people-counting in defined areas, or providing personalized offers to individuals as they enter a store.
- Stricter Direct e-Marketing Rules. The e-marketing rules are extended to apply to all means of communication (e.g., automated phone calls, instant messaging applications, social media messaging, SMS, MMS, Bluetooth, e-mail). Direct e-marketing to individuals requires prior informed (opt-in) consent, unless communications are sent to existing customers regarding the company's own similar products or services and the customers are given the means to opt out both at the time of data collection and in each marketing communication.
- No Sector-Specific Data Breach Notification. The Proposal does not maintain the current sector-specific data breach notification rules of the ePrivacy Directive. Providers of electronic communications services will need to comply with the general breach notification obligations included in other legal instruments, such as the GDPR or the Directive on Security of Network and Information Systems (NIS Directive).
- Massive Fines. The Proposal provides for the same two-tiered system of administrative fines as the GDPR. The most severe infringements (e.g., breach of communications secrecy) may result in fines of up to four percent of a company's annual worldwide turnover or up to €20 million (whichever is greater).
The Proposal is just the beginning of a complex and long legislative process that is likely to take several years. The EU Parliament and Council will now review the Proposal and draft their own versions of the text. The three EU institutions (Parliament, Council, and Commission) will then negotiate a compromise version. Thus, the current Proposal is likely to change significantly during the negotiations. The timing for adoption remains uncertain, but it generally takes several years from the date of publication of a proposal. For example, it took four years in the case of the GDPR.
We will continue to monitor developments and update you on any significant news.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Christopher Olsen, or another member of the firm's privacy and data protection practice.