By Janelle M. Lewis, Principal Attorney, The Law Office of Janelle M. Lewis

Do you use internet marketing in your business activities? Does your business offer Over-the-Top communication services? Is your client base European or residing in the EU? If the answer to any of these questions is yes, then you should be aware of the European Commission’s proposed privacy regulations.

————————————————————————————————

On January 10th, 2017, the European Commission (“EC”) released a draft proposal for a regulation to replace the ePrivacy Directive 2002/58/EC, entitled “Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications).”

Background of Directive 2002/58/EC – “ePrivacy Directive”

The ePrivacy Directive was adopted in 2002 and established to ensure the “protection of fundamental rights and freedoms, in particular the respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector.” While the last revision of the ePrivacy Directive took place in 2009, the EC notes that many technological and economic developments have taken place since then and that “consumers and businesses increasingly rely on new internet-based services enabling interpersonal communications such as Voice over IP, instant messaging, and web-based email services, instead of traditional communications services.” As a result, the EC asserts that new regulations are needed in order to continue to protect privacy rights in a changing technological environment.

What are OTTs?

Over-the-Top communications services (OTTs) provide products or services over the internet, bypassing traditional distribution. Examples include WhatsApp messaging, Skype, Netflix, and Gmail. OTTs are not currently subject to the ePrivacy Directive.

Differences between GDPR and the ePrivacy Directive

The GDPR regulates the protection of personal data, while the ePrivacy Directive protects the confidentiality of communications. The two also differ in legal form: the GDPR is a regulation, and thus immediately applicable in each member state of the EU without the creation of national laws, whereas the ePrivacy Directive is implemented through national laws created in each member state.

Current Requirements of ePrivacy Directive

The current ePrivacy Directive requires that electronic communications services providers: 1) take appropriate measures to safeguard the security of electronic communication services; 2) ensure confidentiality of communications and related traffic data in public networks; and 3) provide protection for users and subscribers of electronic communications against unsolicited communications.

Problems with the Current ePrivacy Directive

A recent evaluation of the ePrivacy Directive found the following problems:

  • The ePrivacy Directive protects users of electronic communication services, but not users of OTTs. The evaluation found that the ePrivacy Directive’s objective of confidentiality of communications for users of electronic communication services was met, but that it fails to ensure that users of OTTs are adequately protected because the current Directive does not apply to such services.
  • Effectiveness of the “cookie rule” is lacking. The evaluation found that the consent rules on confidentiality, known as the “cookie rule,” have not been effective because users often accept cookie tracking requests without understanding their meaning, while others are exposed to cookies without their consent.

The New Proposed Regulation

The proposed Regulation would, with respect to OTTs and marketing activities, replace the current ePrivacy Directive by:

  • Expanding the definition of electronic communications services to include online services such as Voice over IP, messaging services, web-based e-mail services, and interpersonal communications services that are ancillary to another service, such as social or dating application services.
  • Establishing user-friendly methods for providing information and obtaining end users’ consent, whereby the consent is a clear, affirmative action from the user. This would be facilitated by browser settings that would provide users with an easy way to accept or refuse tracking cookies or other identifying information.
  • Guaranteeing the confidentiality of user privacy as it relates to the content of communications and the metadata (such as location and time) associated with the communication.
  • Banning unsolicited electronic communications by emails, SMS, and automated calling machines that are used for direct marketing purposes. In this case, user consent must be obtained before commercial electronic communications for direct marketing purposes are sent to users. Additionally, even if users provide consent, they should be able to easily withdraw their consent.
  • Creating more effective enforcement by data protection authorities, including the power to impose penalties, such as administrative fines, for any infringement of the proposed Regulation.

When is the proposed Regulation set to take effect?

The Regulation would be lex specialis to the GDPR, meaning that it would complement the GDPR by focusing specifically on electronic communications. Accordingly, the EC is seeking to have the proposed Regulation adopted on May 25th, 2018, the same date on which the GDPR will go into effect.

The views expressed in this article do not constitute legal advice and legal information provided in this post should not be relied upon as legal advice. Please contact an attorney for advice on your specific matter.