The EU ePrivacy Regulation (ePR)
What is the ePR?
In January 2017, the European Commission proposed a new Regulation on Privacy and Electronic Communications (ePR) as part of its digital single market strategy.
The ePR will replace the 2002 ePrivacy Directive (the ‘cookies law’) and all member state laws that implemented it – including Ireland’s ePrivacy Regulations 2011.
How is the ePR different from the ePrivacy Regulations 2011?
While the ePrivacy Regulations only apply to traditional telecoms providers, the ePR is broader in scope, and aims to ensure stronger privacy in all electronic communications – including over-the-top (OTT) service providers such as instant messaging apps and Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communications such as the Internet of Things (IoT). The ePR also extends to inter personal communication services that are ancillary to another service.
The ePR has the same territorial scope as the EU’s General Data Protection Regulation (GDPR), carries an identical penalty regime for non-compliance and it was intended to come into effect on 25 May 2018. However, it is still at draft stage. As of July 2018, the process has involved a number of drafts, the most recent of which was published on 10 July 2018. The summary below is based on the July 2018 draft.
The difference between EU regulations and directives
The EU has two main types of legislative act: directives and regulations.
- Directives set out common goals that EU member states must achieve. Member states must devise their own national laws on how to reach those goals.
- Regulations, on the other hand, are binding legislative acts that apply directly in member states and require no domestic law to enact them. The ePR and the GDPR fall under this category.
Key points of the proposed regulation
The ePR will apply to:
- The processing of electronic communications content in transmission and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
- Information related to/processed by/emitted by/stored in the terminal equipment of end users;
- The placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet;
- The offering of a publicly available directory of end users of electronic communications services; and
- The sending or presenting of direct marketing communications to end users.
The ePR will not apply to:
- Activities that fall outside the scope of EU law;
- Member state activities relating to border checks, asylum and immigration;
- Electronic communications that are not publicly available (e.g. closed corporate networks);
- Activities of competent authorities that relate to the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties; or
- Radio equipment – that must comply with Directive 2014/53/EU.
The ePR will apply to:
- The provision of electronic communications services to end users located in the EU;
- The processing of electronic communications content in transmission or electronic communications metadata of end users located in the EU;
- The protection of information related to/processed by/emitted by/stored in the terminal equipment of end users located in the EU;
- The offering of publicly available directories of end users of electronic communications services located in the EU;
- The placing on the EU market of software permitting electronic communications; and
- The sending/presenting of direct marketing communications to end users located in the EU.
Similar to the GDPR, the ePR will have an extraterritorial effect where services (including advertising) are provided to or target end-users located within the EU by providers located outside the EU, regardless of where the processing takes place.
Providers of electronic communications services that are not established in the EU must designate a representative in an EU member state where end users of its services are located.
Date of enforcement
The ePR was due to be enforced from May 2018 – coinciding with enforcing of the GDPR and the EU Directive on Security of Network and Information Systems (NIS Directive) - however, the ePR is still at draft stage. The May draft advised that the ePR will come into force one year following its publication in the Official Journal of the European Union. It’s likely that ePR will be finalised in late 2018 and published in late 2018 or early 2019.
The ePR is expected to bring changes that will make rules around cookies clearer and simpler and make consent more user-friendly and streamlined. The responsibility for obtaining consent for the storage of a cookie and penalties for breaches of duty will be placed on the information society service provider.
Direct marketing communications – i.e. any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc – will also require end-user consent. This provision may have implications for online behavioural advertising given that prior consent is required to send or present direct marketing communications.
Moreover, when end users have consented to receive direct marketing communications, they should be able to easily withdraw that consent at any time.
Content and metadata
The ePR covers electronic communications metadata (i.e. data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication) as well as their content in transmission.
Providers of electronic communications services may process electronic communications content only:
- For the sole purpose of providing a specific service to an end user, if the end user has given their consent and the service cannot be provided without processing the content; or
- If all end users concerned have consented to the processing for specified purposes that cannot be fulfilled by processing anonymised information, and the provider has consulted the supervisory authority – the Data Protection Commission (DPC) in Ireland.
Providers of electronic communications services must erase or anonymise electronic communications content after the intended recipients receive it.
Providers of electronic communications services may process electronic communications metadata if:
- It is necessary for the purposes of network management or network optimisation, provided that the purpose or purposes concerned could not be fulfilled by processing information that is made anonymous;
- It is necessary for calculating and billing interconnection payments or for the performance of the contract to which the end-user is party;
- It is necessary to protect the vital interest of a natural person, in the case of emergency, upon request of a competent authority, in accordance with Union or Member State law;
- The end user has given their consent to the processing, provided that the purpose(s) of the processing could not be fulfilled by processing anonymised data; or
- The processing of electronic communication metadata is for scientific research or statistical counting purposes and providing that suitable safeguards are in place.
Further processing for such purposes of statistical counting other than for which the metadata where initially collected may take place without the consent of the end-users concerned, provided that such processing is compatible with the purpose for which the metadata are initially collected, certain additional conditions are met and safeguards are in place, including the consultation of the supervisory authority (DPC) and the requirement to anonymise the result before sharing the analysis with third parties.
The GDPR level of consent will apply under the ePR - this means that consent must be freely given, specific, informed and capable of withdrawal at any time.
Providers of electronic communications services must erase or anonymise electronic communications metadata when it is no longer needed for the purpose of transmitting a communication.
When the processing of metadata is necessary for billing purposes, the relevant metadata can be retained until the end of the period during which the bill may lawfully be challenged or a payment pursued.
Fines for non-compliance
As with the GDPR, there is a two-tier regime of fines set at a maximum of €20 million or 4% of annual global turnover – whichever is greater.
End users who suffer material or non-material damage as a result of infringement of the ePR also have the right to receive compensation from the infringer.
In Ireland, the Data Protection Commission (DPC) will be responsible for enforcing the ePR. Because the Regulation is still in draft form, the DPC is yet to issue any guidance on compliance. We will update this page when that guidance is released.
The ePR and the GDPR
The GDPR – and the new Irish Data Protection Act 2018 – apply to the processing of personal information. The ePR has been designed to complement it by providing specific rules regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services.
The security obligations in the GDPR and in the recently approved European Electronic Communications Code (EECC) will apply to the providers of electronic communications services.
Click here for more information about the GDPR >>
Speak to a GDPR expert
Please contact our GDPR team for advice and guidance on our products and services.