European Council Presidency gets closer to finalising the ePrivacy Regulation

On the 18th September, the Presidency of the European Council published its proposed amendments to the draft ePrivacy Regulation which will replace the current ePrivacy Directive framework. With the new regulation in place, the EU’s framework for data protection and confidentiality of electronic communications will be complete.

ePrivacy and GDPR

How are the ePrivacy Directive and its forthcoming replacement separate from the General Data Protection Regulation (GDPR) and other privacy regulations? The Directive uses the same legal definitions of privacy and data that were brought in by the GDPR, but it attempts to establish coherent legal protocols across Member States for phenomena such as unsolicited marketing, confidentiality breaches and other forms of potentially harmful electronic communication that fall outside the personal information purview of the GDPR. In the UK, the ePrivacy Directive is implemented by the Privacy and Electronic Communications Regulations (PECR), which operate alongside the Data Protection Act 2018 (which is itself derived from the GDPR).

Draft ePrivacy Regulation

The draft currently provides:

  • Rules for ‘spam’ or unsolicited marketing

Unsolicited commercial communications via electronic media are prohibited under the ePrivacy Directive, unless the recipient has given prior informed consent. Consent is not required, however, to send commercial emails to existing customers to advertise similar services or products (although each communication must include an opt-out option).

  • Tougher rules for the use of cookies and tags

The new rules for cookies and online identifiers in the Regulation will be tougher than the incumbent ePrivacy Directive. The Regulation now recognises the ‘storing or processing capabilities of the device,’ not just the storage and retrieval of data. This means that specific scripts and tags, currently unrecognised by the Directive’s cookie rules, will be referred to in the Regulation. Cookies usually require consent, but there are some exemptions, for instance in (certain forms of) analytics, essential software updates and security.

  • Secrecy requirements for ‘machine-to-machine’ and ‘Internet of Things’ communications

The Regulation attempts to differentiate between secrecy requirements on:

  • electronic communications content;
  • electronic communications metadata (data that provides information about other data); and
  • electronic communications data (common rules for both content and metadata).

People’s electronic communications are generally protected by a right to secrecy, although rules may differ slightly between these categories. For instance, the Regulation finds that processing metadata is permissible for the purposes of:

  • network management,
  • network optimisation,
  • or statistics.

These rules don’t just apply to human interaction; they also apply to M2M (machine-to-machine) communication processing. The European Council Presidency’s recent amendments to the draft legislation particularly concerned the secrecy requirements for electronic communications metadata.

On the 24th September, the amended draft will be further discussed by the Council’s Working Party on Telecommunications and Information Society.

Harry Smithson, 22nd September 2019