The EU ePrivacy Regulation (ePR)
What is the ePR?
In January 2017, the European Commission proposed the ePR (Regulation on Privacy and Electronic Communications) as part of its digital single market strategy.
This regulation will supersede the 2002 ePrivacy Directive (the ‘cookies law’) and all member state laws that enforce it – including the Finnish Tietoyhteiskuntakaari (Information Society Code).
The ePR’s scope is broader than the 2002 directive, aiming to ensure privacy in all electronic communications – including over-the-top service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).
The proposed ePR has the same territorial scope as the EU’s GDPR (General Data Protection Regulation), carries an identical penalty regime for non-compliance and was intended to come into effect on 25 May 2018 alongside the GDPR. However, it is now tentatively scheduled to come into force in early 2019.
As the ePR is still in draft form, we don’t have any products or services for it yet.
Key points of the proposed regulation
Material scope
The ePR will apply to:
- The processing of electronic communications content in transmission and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
- Information related to, processed by, emitted by or stored in the terminal equipment of end users;
- The placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet;
- The offering of a publicly available directory of end users of electronic communications services; and
- The sending or presenting of direct marketing communications to end users.
The ePR will not apply to:
- Activities that fall outside the scope of EU law;
- Member state activities relating to border checks, asylum and immigration;
- Electronic communications that are not publicly available (e.g. closed corporate networks);
- Activities of competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties; or
- Radio equipment, which is governed instead by Directive 2014/53/EU (the Radio Equipment Directive).
Territorial scope
The ePR will apply to:
- The provision of electronic communications services to end users located in the EU;
- The processing of electronic communications content in transmission or electronic communications metadata of end users located in the EU;
- The protection of information related to, processed by, emitted by or stored in the terminal equipment of end users located in the EU;
- The offering of publicly available directories of end users of electronic communications services located in the EU;
- The placing on the EU market of software permitting electronic communications; and
- The sending/presenting of direct marketing communications to end users located in the EU.
Providers of electronic communications services that are not established in the EU must designate a representative in an EU member state where their end users are located.
Cookie consent
Under the ePR, many cookies will no longer require end-user consent – for example, cookies that are necessary to provide a service the end user has requested. Where consent is still required, it should be expressed through browser (or other software) settings rather than through a banner on every site, so there should be far fewer cookie banners.
Direct marketing
Direct marketing communications – “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.” – will also require end-user consent.
Moreover, when end users have consented to receive direct marketing communications, they should be able to easily withdraw that consent at any time.
Content and metadata
The ePR covers electronic communications metadata (“data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication”) as well as its content in transmission.
Providers of electronic communications services may process electronic communications content only:
- For the sole purpose of providing a specific service to an end user, if the end user has given their consent and the service cannot be provided without processing the content; or
- If all end users concerned have consented to the processing for specified purposes that cannot be fulfilled by processing anonymised information, and the provider has consulted the supervisory authority – for Finland, this is the Tietosuojavaltuutetun Toimisto (Office of the Data Protection Ombudsman).
Providers of electronic communications services must erase or anonymise electronic communications content after the intended recipients receive it.
Providers of electronic communications services may process electronic communications metadata if:
- It is necessary to meet “mandatory quality of service requirements”;
- It is “necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services”; or
- The end user has given their consent to the processing, provided that the purpose(s) of the processing could not be fulfilled by processing anonymised data.
Providers of electronic communications services must erase or anonymise electronic communications metadata when it is no longer needed for transmitting a communication.
When the processing of metadata is necessary for billing purposes, the relevant metadata can be retained until the end of the period during which the bill may lawfully be challenged, or a payment pursued.
Fines for non-compliance
As with the GDPR, there is a two-tier regime of fines, with the higher tier set at a maximum of €20 million or 4% of global annual turnover, whichever is greater.
End users who suffer “material or non-material damage” as a result of infringement of the ePR also have the right to receive compensation from the infringer.
The ePR and the GDPR
The GDPR applies to the processing of personal information. The ePR has been designed to complement the GDPR by providing specific rules “regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services”.
The security obligations in the GDPR and the proposed EECC (European Electronic Communications Code) will apply to the providers of electronic communications services.