Organisations already grappling with compliance with the General Data Protection Regulation now face the prospect of ensuring compliance with two regulations. The European Commission has announced that it aims to implement a new ePrivacy Regulation in line with GDPR on 25th May 2018.
The proposed ePrivacy Regulation will replace the 2002 ePrivacy Directive (amended 2009), which gave us the UK’s Privacy and Electronic Communications Regulations (PECR).
Robert Bond, Head of Data Protection and Cyber Security Group at Charles Russell Speechlys, has cautiously welcomed the move: “it makes sense to have this as a Regulation and not a Directive and it is encouraging to see that it is intended to dovetail with GDPR. The devil is now in the detail and there is a need to ensure no ambiguity between the two Regulations.”
The official draft text of the ePrivacy Regulation is broadly similar to an earlier leaked version, but there are some significant changes. The text has yet to be approved and is subject to change. There are certainly areas where organisations will be hoping for more clarity.
OTTs AND VoIPs
What is clear is that so-called ‘Over the Top’ services (OTTs), which include instant and social media messaging services (such as WhatsApp) and ‘voice over internet protocol’ (VoIP) providers (such as Skype), will soon fall under the same EU laws as telephone calls, email communications and SMS messages.
In its press release the EC says the regulation aims to simplify the rules on cookies, stating: “the cookie provision, which has resulted in an overload of consent requests for internet users will be streamlined. The new rules will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.”
The leaked draft caused some alarm that cookies would need to be blocked by default. However, the official text reveals a more lenient approach, requiring that users be provided with cookie consent choices as part of their browser software set-up. This would move the requirement for consent away from websites, and could see the end of the cookie banner.
The proposal clarifies that cookie consent would not be required for the purposes of analytics, for example cookies for improving the internet experience (e.g. remembering shopping cart history) or cookies which count visitor numbers. However, this exemption may only apply to first-party analytics, not third-party analytics (i.e. platforms such as Google Analytics). This is an area where further clarification is being sought. It also looks likely that device fingerprinting will require prior consent.
It’s proposed that the so-called ‘soft opt-in’ will be retained in limited circumstances. Recital 33 of the draft text states, “it is reasonable to allow the use of e-mail contact details within the context of an existing customer relationship for the offering of similar products or services” and Article 16 (2) specifically refers to “in the context of the sale of a product or service.” This is significant as the text omits the current PECR wording allowing the soft opt-in to be used in the context of “negotiations of a sale,” which will limit its application.
The text proposes prior consent for ALL electronic communications including live marketing calls. However, there is a provision allowing Member States to adopt an opt-out consent regime at a national level for telemarketing. Article 16 (4) states, “Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.”
This would mean the UK could keep its existing approach (with the requirement to screen against the Telephone Preference Service). There are specific additional requirements in the proposal for callers to display their phone number or at least to use a special prefix indicating that the call is for telemarketing purposes. Users must also be able to block such prefixes if they choose.
B2B MARKETING COMMUNICATIONS
The text is ambiguous as to whether a distinction can be drawn between corporate email addresses and individual email addresses. For example, will it still be possible to use opt-out for the former? The text can be read as allowing Member States to make provision for this under national law. However, even if this exemption holds, named corporate B2B data (e.g. firstname.lastname@example.org) is personal data and would have to be processed in line with GDPR. B2B marketers would therefore need to choose between relying on Consent or Legitimate Interests for sending electronic communications. It is hoped that as the text goes through the committee process there will be more clarity on this.
The text proposes that promotional messages would need to carry an unsubscribe message and that end users may withdraw their consent at any time. In a new requirement, end users should also be given the possibility of withdrawing their consent for cookies every 6 months.
PREPARING FOR TWO REGULATIONS
Sara Howers, Global Data Protection Officer for Haymarket Media Group, says she is already incorporating ePrivacy proposals into her compliance planning: “I for one have opened up our GDPR Readiness Project to now incorporate everything we’re hearing about the new e-privacy law. Why? Because so much of it is inextricably linked: the fines will be aligned, e-privacy will be used as a gap-filler & confirmation tool, where possible, and I for one can’t face going back to the drawing board (or the board) to try to get sign-off for a 2nd project team. In many respects, bring it on – it’ll be great to have legislation that actually mentions social media. It will be much easier if both pieces of legislation are complementary and aligned, so let’s hope for that. In our business ‘consent’ plays a massive role across so much of our operational data use, so getting to the bottom of what’s permissible under Legitimate Interest is key and so any confirmation about consent across different data usage and different data types is something we need to build into our future plans, as soon as possible.”
In an interesting change from the leaked text seen in December, an article devoted to Privacy by Design has been removed from the official text.
The European Commission is urging the European Parliament and the Council to “work swiftly and to ensure the smooth adoption” of the ePrivacy Regulation by 25 May 2018, in line with GDPR, with the aim of providing citizens and businesses with “a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.”
Many organisations will be hoping the final text is agreed as soon as possible, so that they have time to comply. The EC’s Fact Sheet provides a useful overview of the key areas.
Philippa Donn, Opt-4 Associate and Editor of the Data Protection Network
Published January 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.