WSGR ALERT

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

January 10, 2017

On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies.

The Proposal seeks to revise the current EU ePrivacy Directive.1 It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the Proposal amends the current rules on the use of cookies and similar technologies, and direct marketing. The rules apply to EU and non-EU companies providing services in the EU, and are backed up by massive enforcement powers—fines of up to four percent of a company's global turnover.

The Proposal is the next major step in the EU's review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR)2 in April 2016. Companies should consider following the legislative process and assessing how the new rules may impact their business.

This WSGR Alert provides background information, highlights the top nine key points of the Proposal, and provides an overview of the next steps.

Background

The current EU data protection legal framework is composed mainly of two legal instruments: (1) the Data Protection Directive3 (to be replaced by the GDPR on May 25, 2018), which sets conditions for the processing of personal data; and (2) the ePrivacy Directive, which provides specific rules for the electronic communications sector. The Proposal would replace the ePrivacy Directive with an ePrivacy Regulation. Notably, in cases of conflict with the GDPR, the rules of the ePrivacy Regulation would prevail.

Key Points of the Proposal

Below are the top highlights of the Proposal:

  1. Increased Harmonization Across EU Countries. Like the GDPR, the Proposal is a "regulation." Regulations apply in all EU countries without the need for any implementation (as opposed to "directives"). The Proposal thus aims to harmonize the ePrivacy rules in all EU countries.
  2. Broader Scope. The Proposal applies to all providers of electronic communications services, including over-the-top service providers (OTTs). According to the Proposal, OTTs are the Internet-based services enabling inter-personal communications (e.g., instant messaging, VOIP services, web-based email, IoT devices, machine-to-machine communications), which are currently not covered.
  3. Extraterritorial Effect. The Proposal extends the reach of EU law to non-EU companies providing electronic communications services to—or processing data of—EU individuals.
  4. Restrictions on the Use of Electronic Communications Data (Including Content and Metadata). The Proposal significantly restricts the processing of electronic communications data, which covers both the content of the communications (e.g., text, voice, sound, images, videos) and the metadata (e.g., location, date, time, duration, type of the communication). As a rule, electronic communications data can only be processed as necessary to (i) achieve the transmission of the communication or (ii) ensure the security of the communications.

    In addition, the Proposal allows the processing of metadata and the content of electronic communications in limited situations:
    • Metadata can be processed: (a) if the end-user concerned consents to the processing of metadata for specific purpose(s) and provided that the purpose(s) could not be achieved by processing anonymous data; (b) if necessary to meet mandatory quality of service requirements; or (c) if required for billing, calculating interconnection payments, detecting or stopping fraudulent or abusive use, or subscription to electronic communications services.
    • Content of communications can be processed: (a) for the sole purpose of providing a specific service to an end-user, if the end-user(s) concerned consent to the processing and if that processing is necessary to provide the service; or (b) if all parties to the communication consent to the processing of the content for specific purpose(s), provided that the purpose(s) could not be achieved by processing anonymous data and that the company complies with the GDPR prior consultation requirement (i.e., consults with the relevant EU data protection authorities before starting the processing).
  5. Changes to "Cookies Rule" and Options for Privacy Settings. The Proposal maintains the requirement to obtain prior informed consent for using cookies and similar technologies (e.g., spyware, web bugs, hidden identifiers, tracking tools, device fingerprinting) unless using such technologies is necessary for: (i) the sole purpose of carrying out the communication; or (ii) providing an information society service4 requested by the individuals. However, the Proposal slightly eases the rules by recognizing that consent could be obtained via browser settings and by creating an exemption from the consent requirement for first-party analytics. In addition, the Proposal requires browser providers to allow individuals, during the initial setup, to configure their browser to prevent the use of cookies and similar technologies. Individuals should be informed of this option and asked to select a setting upon installation.
  6. Restrictions on the Use of Data Emitted by Users' Terminal Equipment. The Proposal sets conditions for the collection of data emitted by users' terminal equipment (e.g., MAC address, IMEI, IMSI). Such data collection is only permitted: (i) to establish a connection; (ii) if users receive a clear and prominent notice that complies with the GDPR privacy notice requirements and explains the measures individuals can take to minimize or stop the data collection; and (iii) if appropriate security measures are in place. The goal is to cover the tracking of users' devices for services such as people-counting in defined areas, or providing personalized offers to individuals as they enter a store.
  7. Stricter Direct e-Marketing Rules. The e-marketing rules are extended to apply to all means of communication (e.g., automated phone calls, instant messaging applications, social media messaging, SMS, MMS, Bluetooth, e-mails). Direct e-marketing to individuals requires prior informed (opt-in) consent, unless communications are sent to existing customers regarding the company's own similar products or services and the customers are given means to opt out at the time of data collection and in each marketing communication.
  8. No Sector-Specific Data Breach Notification. The Proposal does not maintain the current sector-specific data breach notification rules of the ePrivacy Directive. Providers of electronic communications services will need to comply with the general breach notification obligations included in other legal instruments, such as the GDPR or the Directive on Security of Network and Information Systems (NIS Directive).
  9. Massive Fines. The Proposal provides for the same two-tiered system of administrative fines as the GDPR. The most severe infringements (e.g., breach of communications secrecy) may result in fines of up to four percent of a company's annual worldwide turnover or up to €20 million (whichever is greater).

Next Steps

The Proposal is just the beginning of a complex and long legislative process that is likely to take several years. The EU Parliament and Council will now review the Proposal and draft their own versions of the text. The three EU institutions (Parliament, Council, and Commission) will then negotiate a compromise version. Thus, the current Proposal is likely to change significantly during the negotiations. The timing for adoption remains uncertain, but it generally takes several years from the date of publication of a proposal. For example, it took four years in the case of the GDPR.

We will continue to monitor developments and update you on any significant news.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Christopher Olsen, or another member of the firm's privacy and data protection practice.

Sarah Cadiot and Laura De Boel contributed to the preparation of this WSGR Alert.
1 Directive 2002/58/EC of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended, OJ 2002 L201/37.
2 Regulation 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L119/1.
3 Directive 95/46/EC of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L281/31.
4 This concept is very broad under EU law and covers "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services."