To keep up with the fast pace at which technology is developing, the EU has begun amending its regulations to reflect these technological advances.
In January 2017, less than nine months after the European Union (EU) adopted the General Data Protection Regulation (GDPR), the European Commission drafted a proposal, known as the ePrivacy Regulation (“Proposal”), as part of an initiative to replace the current ePrivacy Directive. Together with the GDPR, the Proposal will aim to provide the strongest protection to users’ data across the EU.
What’s the EU ePrivacy Directive?
The ePrivacy Directive (2002/58/EC), colloquially known as the EU “Cookie Law”, was issued in 2002 to be complementary to the Data Protection Directive (95/46/EC). It regulated privacy in the electronic communications sectors similar to how sector-specific privacy legislation in the United States functions. The Directive was amended in 2009 (2009/136/EC) to specifically address the use of cookies in the e-marketing context, providing that informed consent had to be obtained prior to installing a cookie on a device.
In 2015, the European Commission’s commissioned study results indicated some flaws in the transposition of the ePrivacy Directive into national European Union Member State law. This led to a public consultation and review of the ePrivacy Directive in 2016, resulting in the Proposal.
What’s the ePrivacy Regulation?
The Proposal is part of the European Commission’s Digital Single Market strategy, which is expected to yield positive effects on the individual lives of citizens, society, and the economy. The European Commission hopes that the Proposal will make “protection of privacy and personal data a reality in the internet.”
The Proposal encompasses a much broader scope than the current Directive in that it takes the definitions of privacy and data introduced in the GDPR and further enhances them. Within its scope are companies processing personal data in the context of delivering electronic communications and files, including providers like Gmail, WhatsApp, and Netflix.
Some of the areas the Proposal addresses include:
- Territorial Scope: The Proposal would apply when electronic communications services are provided to and used by end-users in the European Union. Whether the service provider has an establishment in the EU does not matter for the purposes of the Proposal’s reach. Thus, the territorial scope of the Proposal is worldwide so long as the end-users of electronic communications services are in the EU.
- Cookies: The “’cookie provision’ will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other privacy risk identifiers.” Part of this streamlining can be attributed to Article 8 of the Proposal, which prohibits the use of terminal equipment processing and storage capabilities and collecting information from end-user terminal equipment without end-user consent, with only some exceptions. Cookies will now be tracked within software and browser settings that the user elects, and an option must be available to users to prevent third parties from storing information on the end-user’s terminal equipment, or processing such information. This amended provision functions to eliminate the banner pop-ups that appear requesting consent for cookies usage on each individual website. The basis of this is to give users more choice on how cookies are used to track their information and activity.
- Confidentiality: The Proposal will broaden its scope to include online communications providers, such as Gmail, Skype and Facebook Messenger, to guarantee their confidentiality measures. “Listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing” of such data is prohibited by anyone other than the end-user. These communications providers will be required to provide the best available techniques to secure all communications. By mandating the highest level of security, all websites will ensure the best safety features for its users.
- Consent: Consent as defined in the GDPR is the standard by which consent must be obtained for the purposes of the Proposal. Article 4(11) of the GDPR articulates consent as “any freely given, specific, informed and unambiguous indication of the [end-user’s] wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing.” Adding increased flexibility to the law is the Proposal’s allowance of consent obtained by using technical settings of a software application enabling access to the internet. For example, if an end-user sets their web browser options to accept cookies, consent may be presumed.
- Unsolicited Marketing: The consent obtained above is the basis for sending direct marketing communications to end-users. Direct marketing messages must indicate the marketing nature of the communications and indicate the entity on whose behalf the message is sent. End-users must also be informed about how to exercise their right to withdraw consent to receiving such messages.
The points highlighted provide a snapshot of the Proposal’s significant modifications to the current Directive and must be reviewed holistically to ensure compliance with GDPR.
What’s the Status of the ePrivacy Regulation?
In January 2017, the European Commission issued its proposal to the Council of the European Union and the European Parliament. The Council published its first revisions to the Proposal in September 2017. In the following month, the European Parliament adopted a report, including its draft resolution on the Proposal. On December 5, 2017, the Council of the European Union released a consolidated version of the Proposal, summarizing the progress the Council has made.
The Commission now has to determine its final revisions/amendments to the Proposal. Trilogue discussions will then take place between the Parliament, Council, and Commission. Any agreement made at the Trilogue meetings is non-binding and must then be approved by the formal procedures applicable within each of the three institutions.
Given the extensive process required by the EU and the Proposal’s current status, it is unknown whether the ePrivacy Regulation will come into effect in the coming year.
What’s the Difference Between the ePrivacy Directive and the ePrivacy Regulation?
Knowing the difference between an EU Regulation and an EU Directive is an important distinction for practitioners to understand.
An EU Regulation is a binding legislative act that must be applied in its entirety across the EU. It is distinguishable from a Directive on the basis that a Regulation is self-executing and does not require any implementing measures. An example of a Regulation is the adoption of a Regulation to ensure common safeguards on goods imported from outside the EU. Member States must then ensure common safeguards in the exact manner as outlined in the Regulation.
In contrast, an EU Directive, such as the ePrivacy Directive, is applicable to all Member States. It sets out certain aims, requirements and concrete results that each Member State must achieve. National authorities then can create or adapt their legislation to meet the minimum standard required by a Directive. Compared to a Regulation, a Directive is a bit more accommodating in that “…it leave[s] to the national authorities the choice of form and methods” to achieve the process, goals, and results dictated in the Directive. An example of a Directive would be the EU Consumer Rights Directive, which aims to strengthen consumer rights across the EU. To achieve this end goal of stronger consumer protections, the Directive provides a minimum standard from which Member States can ensure greater consumer rights protection.
This distinction is important in considering the Proposal. The ePrivacy Directive is a Directive that has given Member States the discretion to implement privacy laws as necessary, with the ePrivacy Directive providing a minimum threshold that must be met. If the Proposal is enacted as the ePrivacy Regulation, Member States will no longer have the same flexibility they had under the ePrivacy Directive. Instead, the ePrivacy Regulation will provide one law that will be applicable across the EU and dictate the exact processes, goals and results that must be achieved.
How Will the ePrivacy Regulation Interface with the GDPR? Which One Do Companies Follow?
While the GDPR and the Proposal are meant to complement each other, they are different in important respects. The GDPR is focused on defining and protecting personal data of EU residents in whatever form. The Proposal, on the other hand, is focused on a person’s right to a private life. It particularizes GDPR for electronic communications and focuses on areas such as processing techniques, data storage, and browser activity. Reading through the Proposal, many of its provisions particularize the GDPR by establishing specific rules for the purposes of “protecting fundamental rights and freedoms in the provision of electronic communications services, and ensuring free movement of electronic communications data and electronic communications services within the EU.”
Because the ePrivacy Regulation has not yet been enacted and adopted, companies are to comply with current law, including the current ePrivacy Directive and the upcoming GDPR. Until the ePrivacy Directive is made into a regulation, companies should conform to the GDPR and ePrivacy Directive as the ePrivacy Regulation is still up in the air. Once it is finalized, companies will need to adhere to the ePrivacy Regulation. Despite the status of the ePrivacy Regulation as only a proposal, companies are advised to review it closely as it is lex specialis to the GDPR and likely to become a regulation soon.
In light of the GDPR and other privacy-related developments, we will ensure that serving ads to your app and mobile website end-users through the Smaato platform continues. We strive to provide ongoing GDPR and privacy suggestions and best practices that can enable the highest quality service, and we are committed to assisting our partners with their GDPR and privacy compliance efforts.
For further information, please visit our GDPR webpage or contact us at privacy@smaato.com.
Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.
