EU e-Privacy Reforms: status update
GDPR level fines proposed to apply to direct marketers and providers of IoT devices, Over The Top services, web browsers and communications software
In the UK, failure to comply with e-Privacy laws, especially with regard to direct marketing, is one of the most common reasons for aggressive enforcement action by the Information Commissioner’s Office (ICO), the UK’s data protection regulator. In the last year alone, the ICO has issued 23 penalties totalling £1,923,000 for unlawful marketing, a record number (see ICO 2016/17 Annual Report).
Now that the General Data Protection Regulation (GDPR) has been adopted and will come into effect from 25 May 2018, the European Commission (Commission) is turning its attention to the European Union’s (EU) e-Privacy laws to modernise and align them with the GDPR. Under the proposed new laws the maximum fines, and accompanying reputational damage, are set to increase significantly.
- What is happening?
- Why are there specific rules on e-Privacy?
- Who do these e-Privacy rules apply to?
- Why is it necessary to amend the current e-Privacy laws?
- What are the key changes proposed?
- Will “soft opt-in” be retained?
- What about voice-to-voice direct marketing calls?
- What is the relationship with the GDPR?
- What about Brexit?
- What is the timetable for implementation?
As with the legislative process leading up to the adoption of the GDPR, the current draft of the new law is being robustly scrutinised and challenged. Given that considerable amendments are likely before it is finalised, we will continue to monitor developments so please look out for our further updates.
What is happening?
In January 2017, the Commission published a proposed draft of the new regulation concerning the respect for private life and the protection of personal data in electronic communications (e-Privacy Regulation), which is intended to come into effect at the same time as the GDPR on 25 May 2018 (see our previous blog posts on the GDPR here).
Upon coming into effect, the e-Privacy Regulation will repeal and replace both the current e-Privacy Directive 2002/58/EC as amended (e-Privacy Directive) and all national implementing laws in each of the 28 EU Member States. In the UK, this will result in the repeal of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended).
Why are there specific rules on e-Privacy?
Respect for communications is a fundamental right that is recognised in the Charter of Fundamental Rights of the European Union. The principal reasons for needing to have specific e-Privacy rules to protect both individuals and businesses include:
- the content of electronic communications and related “metadata” (such as the number called, the time, date and duration of a call, websites visited, geographical location of an end-user etc.) must be kept secure because they can reveal information in relation to:
  - individual end-users of electronic communications services (ECS): very sensitive and personal information about the individuals, such as emotions, medical conditions, sexual preferences and political views;
  - businesses: trade secrets or other sensitive information with economic value;
- technology has enabled mass direct marketing to individuals in ways which can be intrusive and cause annoyance or even distress; and
- cookies and other technologies allow individuals to be ‘tracked’ when using online services.
The existing e-Privacy regime created under the e-Privacy Directive forms part of the EU regulatory framework for electronic communications. Its purpose is to complement the existing EU data protection regime created under the Data Protection Directive 95/46/EC (which is to be replaced by the GDPR) by creating specific rules intended to:
- ensure the protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector; and
- guarantee the free movement of electronic communications data, equipment and services in the EU.
At a broader level, the need for robust e-Privacy laws forms part of the EU’s strategy to create a Digital Single Market by increasing trust in, and the security of, digital services. Now that the GDPR has been agreed and will come into effect from 25 May 2018, the Commission has turned its attention to reforming the e-Privacy Directive.
Who do these e-Privacy rules apply to?
A broad range of organisations are caught by the existing rules including:
- Businesses which engage in direct marketing through calls, email, SMS and fax.
- Providers of publicly available ECS, such as providers of publicly available telecommunications and internet services.
- Providers of publicly available telephone directories or similar directories.
As explained below, the e-Privacy Regulation seeks to expand this scope to cover new technologies including:
- Providers of “Over The Top” (OTT) communications services which enable inter-personal communications such as Voice over IP (VoIP), instant messaging and web-based e-mail services in replacement of their traditional functional equivalents (namely, voice telephony, SMS texts and non-web based email). The e-Privacy Regulation applies to all “end users” of ECS as the current distinction between subscribers and other users has been abolished.
- Manufacturers of IoT devices such as internet-connected domestic appliances and automobiles, and machine-to-machine devices that communicate with each other.
- Providers of software which permits electronic communications.
Why is it necessary to amend the current e-Privacy laws?
The current law has become outdated due to rapid changes in technology. It also needs to be aligned with the data protection reforms being brought in under the GDPR to ensure consistency and certainty. Since the e-Privacy Directive was last revised in 2009, important technological and economic developments have taken place in the electronic communications market and in individuals’ daily working and social lives. For example:
- OTT communications services: Such services are increasingly relied on by consumers and businesses but are not generally subject to the e-Privacy Directive and related communications laws.
- Tracking techniques: Techniques such as device fingerprinting are being used to track individuals in their daily lives, but these are often not well understood by individuals and do not always fall within the scope of the “cookies” provisions under the current law.
- Terminal equipment: Devices such as mobile phones, tablets and laptops have become increasingly indispensable as a means of storing individuals’ sensitive information, both in their work and personal lives.
- IoT & machine-to-machine communication: Internet-connected devices and machines are increasingly communicating with each other by using electronic communications networks. Such communications must be secure to promote trust in the emerging IoT environment.
The inability of the e-Privacy Directive to keep pace with such developments has, as the Commission openly acknowledges, resulted in a “void of protection” for end-users and for businesses. The e-Privacy Regulation intends to fill this void and ensure that all end-users are adequately protected by implementing a future proof regime covering all current and future communications technologies.
What are the key changes proposed?
The e-Privacy Regulation is a complex and technically intricate law which aims to modernise, streamline and strengthen the current law as well as to align it with the GDPR. The key changes proposed to achieve these aims include:
- Harmonisation: As a Regulation (rather than a Directive), the e-Privacy Regulation will have direct effect in each EU Member State without the need for national implementing laws. This approach was adopted with the GDPR and is aimed at reducing the compliance burden for businesses operating cross-border in the EU by eliminating the differences between the national implementing laws of Member States.
- Alignment with GDPR: Many key provisions will be aligned directly with the GDPR, such as definitions and the enforcement mechanisms and sanctions. See below for more on this.
- Broader scope: A much broader range of businesses will be required to comply with the e-Privacy Regulation. For example, in relation to ensuring the confidentiality of communications businesses ranging from providers of OTT services (such as WhatsApp, Skype and Gmail) and public WiFi hotspots through to manufacturers of IoT devices will all need to comply with this core obligation.
- Extraterritoriality: As with the GDPR, the e-Privacy Regulation will apply to non-EU providers of ECS to end-users in the EU, irrespective of whether the service is paid for or free. All non-EU based providers must appoint an EU-based representative as a contact point for supervisory authorities and end-users. The Article 29 Working Party (A29WP) has called for the principle of extraterritoriality to extend to all entities falling within the scope of regulation, such as providers of publicly available directories and software providers permitting electronic communications, not just ECS providers.
- Cookies: The new law aims to address the issues raised by the Commission in its analysis of the e-Privacy Directive, namely that the current consent rule is both:
  - over-inclusive: because it also covers non-privacy intrusive practices; and
  - under-inclusive: because it does not clearly cover some highly intrusive tracking techniques such as device fingerprinting, which may not entail access/storage in the device.
  The proposals therefore focus on clarifying and simplifying the consent rules to make it easier for end-users to accept or reject cookies and other identifiers through adjusting the privacy settings on their web browsers. End-users’ consent will not always be required, for example in respect of: (i) non-intrusive functional cookies required for the service, such as those which recall shopping cart history or maintain log-in information for future sessions; and (ii) web audience measuring cookies used by the provider of the relevant service.
  Browser providers will naturally need to ensure that their browsers are compliant with the new rules. The draft provisions have been strongly criticised by the EU’s advisory bodies as permitting a “take it or leave it” approach to tracking walls which could force end-users to consent to tracking if they want to access a particular service.
- IoT manufacturers: Manufacturers of IoT internet-connected devices which collect information from such devices post-sale should note that:
  - as with the current law, consent will usually be required to access information on such devices; and
  - in respect of machine-to-machine communication, where information emitted from terminal equipment is collected then the information notice requirements of the GDPR must be complied with except where this is purely for the purpose of establishing a connection.
  If retained in the final law, this obligation will require such manufacturers to consider how to fulfil these requirements from a “privacy by design” perspective when developing new products. The A29WP has called for stronger default privacy settings and mandating compliance with the DNT (Do Not Track) standard for all IoT devices.
- Software providers: All providers of software which permits electronic communications, including the retrieval and presentation of information on the internet, must help end-users to make effective choices about privacy settings by presenting the different options in an easily visible and intelligible manner. Specifically, such providers must offer the option to prevent third parties from storing information on terminal equipment, or from processing information already stored on that equipment, and the software must obtain the end-user’s consent to the privacy settings options at the time of installation. For software already installed on 25 May 2018, these requirements must be met at the time of the first update thereafter and, at the latest, by 25 August 2018.
- WiFi tracking areas: Technologies have emerged which can track mobile devices within local WiFi areas such as retail premises using the unique MAC and other identifiers emitted by devices to collate aggregate data on numbers of people, average waiting times etc. Providers which use such data to engage in higher privacy risk processing activities, such as tracking individuals over time, must display prominent notices on the edge of the relevant area informing individuals of these practices and any technical measures to minimise or stop the collection of such data. These provisions have been singled out for criticism by the EU’s advisory bodies on the basis that, in their draft form, they fail to provide GDPR level protection for such data as in most circumstances such collection will require the consent of individuals.
- Content & Metadata: These are treated separately in the new law, which sets out detailed requirements for processing such information including, for example, where this is necessary for aspects of service delivery (e.g. billing, maintaining security) or where consent has been obtained. As a general rule, such information should be deleted or anonymised when no longer required, except in the case of metadata when it is required for billing. The new rules aim to promote big data analysis and innovation by allowing providers to process communication content and metadata for purposes other than the provision of the communications service if users have given their consent and provided that privacy safeguards are complied with. High risk processing such as scanning email content to remove certain content must always be cleared with the regulator before being undertaken. This has been seriously criticised by the A29WP, which argues that this is very high risk processing and so, as a starting point, the consent of all end users (senders and recipients) should always be required.
- Technologically neutral definitions: To ensure that the e-Privacy Regulation is future-proof, technologically neutral definitions have been adopted in anticipation of new services and technologies. Detailed recitals do, however, provide additional context to assist with interpreting the e-Privacy Regulation’s provisions in light of currently available technologies.
Will “soft opt-in” be retained?
Yes. The e-Privacy Regulation expressly retains the “soft opt-in” provisions of the e-Privacy Directive. This will be a relief for the large number of businesses which rely on soft opt-in to send email marketing communications to their existing customers. As with the current position under the e-Privacy Directive, businesses must ensure that:
- such email communications relate to the offering of similar products or services to those which the customer originally obtained from the business;
- the customers’ email addresses were obtained in accordance with applicable data protection laws (which will be the GDPR); and
- the customer is given the opportunity to object to receiving such email communications both at the time at which their email addresses are first obtained and each time a communication is sent. The A29WP has called for a time limit, for example of 1 or 2 years, to be imposed with respect to who can be considered to be an “existing customer”.
What about voice-to-voice direct marketing calls?
The current position is unlikely to change significantly. As with the e-Privacy Directive, Member States will have the flexibility to allow such calls on an opt-out basis. In the UK, it is likely that the Telephone Preference Service will continue to be used for this purpose.
What is the relationship with the GDPR?
As the e-Privacy Regulation sits alongside the GDPR, companies which fall within its scope will need to comply with both sets of rules. To ensure alignment, many of the key features of the e-Privacy Regulation are borrowed from the GDPR, namely:
- Definitions: The definitions of the GDPR apply to the relevant provisions of the e-Privacy Regulation including the core concepts of “personal data”, “consent” and “processing”.
- Consent: The definition and provisions relating to obtaining valid consent, and allowing it to be withdrawn, under the GDPR apply equally to providers required to obtain end-users’ consent under the e-Privacy Regulation.
- Data protection by design and by default: These core principles of the GDPR apply equally to the privacy setting options for accepting/rejecting cookies offered by web-browsers and for software which permits electronic communications.
- Security: The security provisions of the e-Privacy Directive will be repealed and replaced with the relevant security provisions of the GDPR to eliminate regulatory duplication.
- Enforcement: The e-Privacy Regulation will be enforced by the same national supervisory authorities as are responsible for enforcing the GDPR (namely, the ICO in the UK) and the same GDPR mechanism for ensuring consistent enforcement across the EU. The European Data Protection Board will also have competence for advising on the application of the e-Privacy Regulation.
- Impact Assessments: Where the processing of electronic communications metadata, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons then a data protection impact assessment and, if required, a consultation of the supervisory authority should take place prior to the processing, in accordance with the GDPR.
What about Brexit?
If the e-Privacy Regulation is implemented at the same time as the GDPR then it will come into effect in the UK before Brexit takes place. Given the UK Government’s proposals to maintain equivalent data protection standards to the GDPR post-Brexit (see our update on the Data Protection Bill proposal), it is likely that the UK will continue to have e-Privacy laws which offer equivalent standards to the e-Privacy Regulation post-Brexit as well.
What is the timetable for implementation?
The original timetable was to agree the e-Privacy Regulation in time to implement it on 25 May 2018 when the GDPR comes into force. From the outset, this was an ambitious timetable and seems even more challenging as a result of the extensive and material amendments to the draft text which have been proposed by the A29WP and the European Data Protection Supervisor (EDPS) in April 2017 and the LIBE committee in June 2017. Broadly, these amendments seek to make certain aspects of the e-Privacy Regulation even stricter, especially with respect to content and metadata. The LIBE committee is scheduled to vote on its proposed amendments in October 2017, following which there will be formal negotiations with the European Parliament and European Council.
Few people would dispute that modernising the e-Privacy Directive and aligning it with the GDPR are natural next steps in the process of bringing existing EU privacy legislation up to date. That said, the extent of the amendments proposed by the A29WP, EDPS and LIBE committee indicates that the process is likely to be protracted, making the May 2018 deadline seem optimistic at least.
From a compliance perspective, aligning the e-Privacy Regulation with the GDPR should, over time, help organisations to adopt a common approach to complying with the new higher standards. From a practical perspective, however, it will be challenging for affected businesses to prepare for both new laws when the e-Privacy Regulation is unlikely to be finalised until immediately before May 2018 at the earliest. This will be especially challenging for businesses which are developing products and software which need to comply with the technical requirements of the e-Privacy Regulation. ICO guidance on the new e-Privacy rules is scheduled to be published later this year, which will hopefully provide welcome clarification for businesses seeking to plan ahead.
Whilst the e-Privacy Regulation seeks to harmonise the e-Privacy regime across the EU, the fact that it allows Member States to legislate nationally for certain aspects will inevitably require multinational organisations to exercise caution in rolling out services across multiple EU jurisdictions. Looking at historic enforcement action, organisations engaging in direct marketing would appear to be presented with a particularly high compliance risk as a result of aligning the e-Privacy Regulation sanctions regime with the GDPR and would be wise to review their practices now to avoid any sharp shocks once the new law comes into effect.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.