In January, the European Commission proposed a new Regulation on Privacy and Electronic Communications (“Draft ePrivacy Regulation”). The Draft ePrivacy Regulation is intended to replace the existing “ePrivacy Directive” (Directive 2002/58/EC as amended by Directive 2009/136/EC) and supplement the General Data Protection Regulation (“GDPR”) as of May 25, 2018. In the following we explain the most significant changes to be expected.
Extended scope
The Draft ePrivacy Regulation has a much broader scope than its predecessor and applies to: (i) the processing of electronic communications data carried out in connection with the provision and use of electronic communication services, and (ii) information related to terminal equipment of end-users, which means virtually any kind of information related to devices that can be used for electronic communication by sending, processing or receiving information.
Direct marketing activities
The rules concerning direct marketing activities carried out by means of electronic communications services, including the use of voice-to-voice calls and electronic mail, will not change the basic consent requirement already set out by the ePrivacy Directive. Due to the broad definition of electronic communications services and electronic mail, the consent requirement does not only apply with regard to SMS and email, but basically to the use of all kinds of messaging functions (eg, such functions contained in applications or internet portals) and messages, including such containing text, voice, video, sound or images.
Using electronic mail for direct marketing of own similar products or services will still be permitted, provided the “electronic contact details” have been obtained from a customer in the context of the sale of a product and the customer is clearly and distinctly given the opportunity to object to such use, free of charge and in an easy manner. The right to object shall be given at the time of collection and each time a message is sent.
Use of cookies and similar technologies
The Draft ePrivacy Regulation contains updated rules on the use of cookies and similar, possibly more advanced, technologies that comprise the use of the processing and storage capabilities of terminal equipment and the collection of information from terminal equipment, including about its software and hardware. This new provision clearly and particularly aims at limiting access to terminal equipment for device fingerprinting and similar activities.
The Draft ePrivacy Regulation clarifies that consent can be expressed by using appropriate technical settings of a software application enabling access to the internet. This in particular means that web browser settings can be used to express consent.
Privacy by design and default obligations for internet browsers and other software permitting electronic communications
The Draft ePrivacy Regulation imposes new privacy by design and default obligations on providers of software permitting electronic communications particularly aiming at providers of internet browsers and similar software. The respective software must offer the option to prevent third parties from storing cookies or other information on the end-user equipment or from processing information already stored thereon. The software must be designed to, upon installation, inform the end-user about the privacy setting options of the software and require the end-user to consent to a setting to continue with the installation.
Liability and penalties
The Draft ePrivacy Regulation stipulates fines that are aligned to the ones contained in the GDPR. Depending on the type of infringement the supervisory authorities are entitled to impose fines of up to EUR 10,000,000 or EUR 20,000,000, or in the case of an undertaking, up to 2 or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Contributor: Dr. Tobias Born
