Data protection laws are undergoing a significant transformation. In the UK, the key pieces of law governing data protection are the Data Protection Act (1998) and the EU ePrivacy Directive 2002 (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR). But this is all set to change.
On 25 May 2018, the EU General Data Protection Regulation will come into force (regardless of Brexit, as the UK will still be a member of the EU at this time) and its proposed that a new ePrivacy Regulation will be implemented on the same date. (There is now some doubt as to whether the ambitious aim of implementing the ePrivacy Regulation in line with the GDPR will be feasible. Until such time as it is enforced, PECR will still apply in the UK.)
The ePrivacy Regulation will govern electronic communications and as a regulation not a directive it will apply directly across all member states. The overhaul of the rules is designed to ensure alignment with the stricter new privacy rules under the GDPR and to draw on key definitions and concepts used in that Regulation.
The Regulation will not only cover more traditional communications via telephone, phone and SMS; its scope will be broadened to cover instant and social media messaging services, for example WhatsApp and ‘voice over internet protocol providers’ (VoIPs) such as Skype. The European Commission also says the Regulation aims to ‘simplify’ the rules surrounding Cookies.
A draft text of the ePrivacy Regulation was published in January this year and a final text is anticipated in the Autumn.
Since the draft was published the following opinions have been published, both of which express concerns about certain aspects of the proposal and suggest key changes.
The Article 29 Working Party opinion (April 2017)
European Data Protection Supervisor opinion (April 2017)
The European Parliament and European Council are reviewing these recommendations and will be negotiating the final text over the forthcoming months.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.