The changes to be introduced by the European Commission’s “Digital Single Market Strategy” of 2015 aim to increase trust in, and enable the security of, digital services; to provide a high level of privacy protection for users of electronic communications; and to create a level playing field. The reform of European data protection law through the General Data Protection Regulation (GDPR) is well under way, and few will have needed a reminder of this acronym, or of the rapidly diminishing timeframe within which to comply with its provisions. However, 25 May 2018 is significant for another reason: it is also the proposed enforcement date for the new e-Privacy Regulation. Whilst this is clearly recognised by certain organisations and industry groups already affected by this area of the law (insofar as it relates to telecommunications and direct marketing), it may have been overlooked by others who, going forward, will be caught by its extended reach and may be aware neither of the changes nor of the deadline for compliance.
The pattern for reform of these laws is similar: both Regulations will replace existing Directives and, as a result, will take direct effect in European Member States without the need for national implementing legislation. In the UK, this means that (ignoring Brexit, for now) the e-Privacy Regulation will repeal the existing e-Privacy Directive, which is currently implemented under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Despite the proposed timing (to coincide with and complement the GDPR), we have not had a 2-year lead-in period; the Regulation is still in draft form. The European Commission’s draft was first leaked in January 2016. Since then, the Article 29 Working Party has produced an Opinion and, in October this year, the European Parliament issued its own extensive Report on the draft. It is likely that there will be further clarification of the new law, including any lead-in period beyond 25 May 2018, but for now it is important to note the following key facts.
The new e-Privacy Regulation will:
- apply to entities that provide publicly available “electronic communications services” to, or gather data from the devices of, users in the EU, including:
  - instant messaging apps and web-based e-mail, call and messaging service providers (for example, Facebook Messenger or Skype), as well as traditional telecoms and Internet Service Providers;
  - machine-to-machine communications and the Internet of Things; and
  - organisations engaged in geolocation or tracking of devices and users through cookies or other technology;
- maintain e-marketing rules and the need for consent to direct marketing (including the potential to rely on a “soft opt-in” in certain cases), with some additional requirements and stricter rules on the information to be provided and the consent settings to be observed;
- have the same territorial scope as the GDPR;
- have the same level of potential fines as the GDPR (i.e. up to €20 million or 4% of global annual turnover); and
- be enforced by the same Supervisory Authorities as the GDPR.
It is recognised that the law in this area needs updating, because of the continuing developments in technology and the privacy issues related to electronic communications – the content of which can reveal highly sensitive and personal information. The e-Privacy Regulation is designed to protect the confidentiality of communications, in terms of both their content (what is said) and the metadata (by whom, when and where) that can be derived from the communications and used to build a profile of end users. Consent is key, and the law actively encourages user-friendly privacy and consent settings on web browsers or apps. Cookies play a part in this and, as the law changes, we may see the removal of the cookie banner from websites, as this aspect of the current Directive is no longer fit for purpose.
Regarding direct marketing, regulators such as the ICO are keen to ensure that individuals are protected against unsolicited electronic marketing. The new e-Privacy Regulation will support these aims, and we can expect further enforcement action where marketing campaigns have ignored customer preferences or mistakenly sent marketing e-mails as a “service message”. The difference will be in the level of potential fines. In recent cases, Flybe and Honda faced fines of £70,000 and £13,000 respectively for their breaches of PECR this year, but under the new law they could have faced significantly higher penalties, as noted above.
It is therefore extremely important for any business aiming to benefit from these technologies, or conducting a direct marketing campaign, to be fully aware of the new law and address its requirements as soon as possible.
By Andrea Ward, Senior Associate, McGuireWoods London LLP
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/