(Jan. 30, 2017) On January 10, 2017, the European Commission published a proposal for a regulation on privacy and electronic communications (ePrivacy Regulation) with the aim of aligning current rules with technical developments and with the European Union General Data Protection Regulation (GDPR). The new regulation would particularize and complement the GDPR, meaning that all matters concerning the processing of personal data not specifically addressed in the ePrivacy Regulation would be covered by the GDPR. (Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (ePrivacy Regulation), COM(2017) 10 final (Jan. 10, 2017), EUROPA; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, available at EUR-LEX.)
The processing of electronic communications data by EU institutions, bodies, offices, and agencies will be addressed in a separate regulation. (ePrivacy Regulation, Explanatory Memorandum, ¶ 1.3.) The ePrivacy Regulation would apply from May 25, 2018. (ePrivacy Regulation art. 29(2).)
Overview
Current EU rules on ePrivacy only cover traditional telecom providers and the content of electronic communications. (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), 2002 O.J. (L 201) 37, arts. 2, 3, & 5, available at EURLEX.) The proposed regulation would extend coverage to Internet-based voice and Internet-messaging services such as WhatsApp, Facebook Messenger, and Skype. (ePrivacy Regulation, art. 18.) In addition, the confidentiality of both content and metadata derived from electronic communications would be protected. (Id. art. 4, no. 3a, art 5.)
The proposal aims to simplify the rules on consent for the use of tracking cookies and other identifiers. It suggests that browser settings or other applications should offer an easy way for an end-user to allow or refuse cookies. No consent would be needed for non-privacy intrusive cookies such as those used to remember the content of an online shopping cart or to measure web traffic to a website. (Id. arts. 8 & 10.)
Furthermore, the ePrivacy Regulation would ban unsolicited spam marketing messages and calls. (Id. art. 16.) However, the use of email contact details within the context of an existing customer relationship for the offering of similar products or services would be allowed. The email from the marketing company would be required to contain clear information on how to object to such a use. (Id. art. 16(2)2.) The ePrivacy Regulation would also require marketing companies to either display their phone numbers or use a special code or prefix that indicates a marketing call. (Id. art. 16(3).) In addition, it would require end-users to be offered free-of-charge possible means to limit the reception of unwanted calls and to block calls from specific numbers or from anonymous sources. (Id. art. 14.)
In order to ensure uniform application in all Member States, the proposal provides that the regulation will be enforced by the independent national supervisory authorities already competent to enforce the GDPR. (Id. consideration 38 & art. 18.)
Next Procedural Steps
Ordinary legislative acts are proposed by the European Commission and adopted by the European Parliament and the Council in a “co-decision procedure.” (Consolidated Version of the Treaty on the Functioning of the European Union (TFEU), 2012 O.J. (C 326) 47, arts. 289 & 294, available at EUR-LEX.) Once the final text of the regulation is adopted by the European Parliament and the Council, it will be directly applicable in all EU Member States. No domestic implementing legislation is needed. (TFEU, art. 288 ¶ 2.)