A first draft of a new ePrivacy Regulation was published back in January 2017 when it had been hoped it would be implemented alongside GDPR. This clearly became far too ambitious an aim, with agreement among EU member states on such a complex piece of legislation proving too challenging. After months of deadlock, there now appears to be a renewed drive to push forward and fast. Austria, which has just taken over the six-month rotating Presidency on the EU Council, is trying to broker a compromise deal.
What is the aim of the ePrivacy Regulation?
The purpose of the ePrivacy Regulation is to modernise the ePrivacy Directive 2002/58/EC (amended 2009/2011) which gave us the UK’s Privacy and Electronic Communications Regulations (known as PECR). It will update the rules to reflect significant technological developments and ensure alignment with GDPR. The broad aim is to enhance communications security, confidentiality and privacy, to define clearer rules on tracking technologies and to achieve great harmonisation among Member States. As well as regulating electronic marketing communications.
To bring rules up-to-date, the Regulation will be broadened out to cover instant and social media messaging services such as WhatsApp and ‘voice over internet protocol providers’ (VoIPs) such as Skype.
A Regulation not a Directive
The ePrivacy Directive was open to different interpretations by EU member states. As a Regulation (like GDPR) however, ePrivacy will apply as a single Regulation across all EU territories.
What key amendments are being debated?
The latest revisions focus on amending the provisions surrounding permission to process electronic communications data (Article 6), as well as clarifying the processing and collection of information from a user’s device (Article 8).
Most significantly it has been proposed that Article 10 should be deleted entirely. This would have placed the onus on software providers to inform end-users upon installation or first usage about privacy setting options and require the end-user to consent to a setting. The Austrian Presidency says it accepts that this has raised widespread concerns about the burden it would place on browsers and apps, it could adversely affect competition and there have been objections to its impact on end-users. Many have questioned from the outset how this method could be effective.
Recital 21 of the draft does make it clear that consent would not be required for “technical storage or access which is strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end user”. This may include cookies used to keep track of a user’s input when filling in online forms, authentication session cookies used to verify the identity of a user during an online transaction or to remember products stored in a user’s shopping basket. Up for debate also are cookies used to “measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application”. These may be considered to be legitimate and useful tools.
The impact on direct marketing?
Article 16, which covers Direct Marketing Communications, is currently not the focus of attention. Fears that a broadened definition of direct marketing would mean it applied all advertising, have been perhaps allayed with the inclusion of the wording: ‘Advertisements on a website that are displayed to the general public and do not require any contact details of end-users should not be subject to this article.’
A key principle within the Regulation is that electronic direct marketing will require consent. The ‘soft opt-in’ exemption for existing customers, whose details are collected in the ‘context of a sale’ for contact by email/SMS about similar products or services will continue to apply provided an opt-out is present. However, the UK’s PECR has always featured a broader interpretation of the use of soft opt-in, by including the words ‘negotiations of a sale’. It looks very likely the new Regulation will not permit such broad usage of soft opt-in as the UK has enjoyed to date.
There are still concerns surrounding the impact on B2B email marketing, as there is no distinction between an individual at their corporate email address and their personal one. So ePrivacy could have a big impact on electronic marketing to business customers & prospects.
There is a clear drive to reach an agreement and finalise the text. Time is of the essence, as the upcoming European elections in 2019 could put the whole adoption process on hold.
Philippa Donn, July 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.