The EU ePrivacy Regulation (ePR)
What is the ePR?
In January 2017, the European Commission proposed a new Regulation on Privacy and Electronic Communications (ePR) as part of its digital single market strategy.
The ePR will replace the 2002 ePrivacy Directive (the ‘cookies law’) and all member state laws that implement it – including the UK’s Privacy and Electronic Communications (EU Directive) Regulations 2003 (PECR).
How is the ePR different from the PECR?
The ePR is broader in scope, and aims to ensure stronger privacy in all electronic communications – including over-the-top (OTT) service providers such as instant messaging apps and Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communications such as the Internet of Things (IoT).
The ePR has the same territorial scope as the EU’s General Data Protection Regulation (GDPR), carries an identical penalty regime for non-compliance and is also intended to come into effect on 25 May 2018.
However, many commentators have observed that there is too little time for the ePR to go through the EU’s ordinary legislative procedure in time, so it remains to be seen whether the deadline is realistic.
As of November 2017, six months before the ePR is due to come into effect, the process has only reached the first revised draft, which was published on 8 September 2017. The summary below is based on that draft.
The difference between EU regulations and directives
The EU has two main types of legislative act: directives and regulations.
- Directives set out common goals that EU member states must achieve. Member states must devise their own national laws on how to reach those goals.
- Regulations, on the other hand, are binding legislative acts that apply directly in member states and require no domestic law to enact them. The ePR and the GDPR fall under this category.
Summary of the draft ePR
Key points of the proposed regulation:
Material scope
The ePR will apply to:
- The processing of electronic communications content in transmission and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
- Information related to/processed by/emitted by/stored in the terminal equipment of end users;
- The placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet;
- The offering of a publicly available directory of end users of electronic communications services; and
- The sending or presenting of direct marketing communications to end users.
The ePR will not apply to:
- Activities that fall outside the scope of EU law;
- Member state activities relating to border checks, asylum and immigration;
- Electronic communications that are not publicly available (e.g. closed corporate networks);
- Activities of competent authorities that relate to the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties; or
- Radio equipment – that must comply with Directive 2014/53/EU.
Territorial scope
The ePR will apply to:
- The provision of electronic communications services to end users located in the EU;
- The processing of electronic communications content in transmission or electronic communications metadata of end users located in the EU;
- The protection of information related to/processed by/emitted by/stored in the terminal equipment of end users located in the EU;
- The offering of publicly available directories of end users of electronic communications services located in the EU;
- The placing on the EU market of software permitting electronic communications; and
- The sending/presenting of direct marketing communications to end users located in the EU.
Providers of electronic communications services that are not established in the EU must designate a representative in an EU member state where end users of their services are located.
Date of enforcement
The ePR is due to be enforced from 25 May 2018 – the same day as the GDPR and the EU Directive on Security of Network and Information Systems (NIS Directive).
Cookies and direct marketing
Under the ePR, many cookies will no longer require end-user consent. Instead, expanded browser settings should control the sharing of user information, meaning there should be fewer cookie banners.
Direct marketing communications – i.e. “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.” – will also require end-user consent.
Moreover, when end users have consented to receive direct marketing communications, they should be able to easily withdraw that consent at any time.
Content and metadata
The ePR covers electronic communications metadata (“data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication”) as well as electronic communications content in transmission.
Providers of electronic communications services may process electronic communications content only:
- For the sole purpose of providing a specific service to an end user, if the end user has given their consent and the service cannot be provided without processing the content; or
- If all end users concerned have consented to the processing for specified purposes that cannot be fulfilled by processing anonymised information, and the provider has consulted the supervisory authority – the Information Commissioner’s Office (ICO) in the UK.
Providers of electronic communications services must erase or anonymise electronic communications content after the intended recipients receive it.
Providers of electronic communications services may process electronic communications metadata if:
- It is necessary to meet “mandatory quality of service requirements”;
- It is “necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services”; or
- The end user has given their consent to the processing, provided that the purpose(s) of the processing could not be fulfilled by processing anonymised data.
Providers of electronic communications services must erase or anonymise electronic communications metadata when it is no longer needed for the purpose of transmitting a communication.
When the processing of metadata is necessary for billing purposes, the relevant metadata can be retained until the end of the period during which the bill may lawfully be challenged or a payment pursued.
Fines for non-compliance
As with the GDPR, there is a two-tier regime of fines set at a maximum of €20 million or 4% of annual global turnover – whichever is greater.
End users who suffer “material or non-material damage” as a result of infringement of the ePR also have the right to receive compensation from the infringer.
In the UK, the ICO will be responsible for enforcing the ePR. Because the Regulation is still in draft form, the ICO is yet to issue any guidance on compliance. We will update this page when that guidance is released.
The ePR and the GDPR
The GDPR – and the new Data Protection Bill that will enact it in the UK – applies to the processing of personal information. The ePR has been designed to complement it by providing specific rules “regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services”.
The security obligations in the GDPR and the proposed European Electronic Communications Code (EECC) will apply to the providers of electronic communications services.