HomeInsightsFirst draft of European E-Privacy Regulation leaked

Article by

On 6 May 2015, the Commission adopted the Digital Single Market Strategy and announced that, following the adoption of the General Data Protection Regulation (GDPR), the e-privacy rules under the e-Privacy Directive (2002/58/EC) would also be reviewed. The Commission said that it committed to reviewing the EU’s e-privacy rules in order to “reinforce trust and security in digital services, to ensure a high level of protection for people and a level playing field for all market players”.

The Commission published a public consultation on the Directive, which closed in July 2016. The first part of the consultation was an evaluation of the current Directive and sought views on its effectiveness, relevance, coherence, efficiency and added value. The second part of the consultation looked at ways of possibly revising the current Directive.

The Commission said that it would use the responses to the consultation to develop a “new legislative proposal” on e-privacy, which it expected to publish by the end of 2016. Ahead of any official publication, a draft e-Privacy Regulation has been leaked.

Some of the key points of the “new legislative proposal” include:

  • Regulation not Directive: the legislation is in the form of a Regulation rather than a Directive meaning that, as with the GDPR, it would be directly applicable in all Member States and would not need to be transposed and implemented in each Member State separately;
  • Applicable to “over the top” (OTT) services: the current Directive applies to telecoms services, but the new Regulation would be extended to cover telecoms services provided over the internet by providers such as Skype and WhatsApp;
  • Changes to cookie rules: the Regulation would simplify rules on cookies so that, in some circumstances, consent would not be required;
  • Fines: the Regulation would adopt a fining regime similar to the GDPR fining regime, i.e. fines based on turnover;
  • Territorial scope: the new rules would apply to electronic communications data processed in connection with the provision of electronic communications services in the EU, regardless of whether the processing takes place in the EU or not;
  • Alignment with GDPR: various provisions are clearly intended to work in line with those in the GDPR and the intention is that it would come into force at the same time as the GDPR; and
  • Privacy by design: providers would have to configure both hardware and software to prevent third parties from storing or processing information already stored there by default. In other words, third party cookies could not be placed on a user’s device unless the user has actively permitted it.

Official publication of the new proposed legislation is expected in January 2017. It is by no means certain that it will be in the form described above as it is understood to be still under discussion. For a link to the draft Regulation, click here.