UK: The New ePrivacy Regulation: How Will It Impact Your Business?

Last Updated: 18 April 2017
Article by Elle Todd

With the GDPR on the horizon, the EU is now overhauling and expanding the reach of the more specific privacy rules which relate to direct marketing, cookies and other forms of online monitoring. The ability of social media and messaging services to track users is one of many areas touched on in the European Commission's newly proposed ePrivacy Regulation, which was officially unveiled last week. We highlight some key impacts for the tech and media sectors, provided the proposed draft passes through the legislative process without dramatic changes. Businesses should incorporate these new requirements into their GDPR readiness planning.

Why are the rules being updated?

  • The regime for electronic communications, based on the EU's Privacy and E-communications Directive (PECD), which dates back to 2002, is being overhauled as part of the Commission's Digital Single Market package.
  • Since the last review of the PECD in 2009, a new typology of players has emerged offering communication services that many end-users perceive as comparable to traditional electronic communications services such as telephone calls and SMS messaging.
  • These new players, so-called Over-the-Top communications services ('OTTs') (e.g. Skype, Gmail, WhatsApp), are generally not subject to the current EU electronic communications rules (although often voluntarily comply); the Regulation is proposing to change this.
  • The proposed new rules are designed to align with the stricter new general privacy rules under the GDPR (drawing on certain definitions and concepts used in that Regulation), which will come into force in 2018. Like the GDPR, the proposed new e-communications rules would take the form of a directly effective Regulation, to help iron out differences in different EU Member States.

When will the new e-privacy rules come into force?

  • The Commission's aim is for the Regulation to apply from 25 May 2018; purposely the same date as the GDPR comes into force. However, as the proposal is at the start of the Brussels legislative process this may be overly ambitious. Being narrower in scope, it is unlikely to take as long to adopt as the GDPR, but there may be some areas of contention. In particular, representatives from the European Parliament have already mentioned disappointment that the consent requirements are not stricter and could look to push back on this. We will be tracking the Regulation's progress.

Which current EU and UK rules will the Regulation replace?

  • In terms of EU law, the Regulation will repeal the PECD - its current relationship with the regulatory framework of electronic communications (likely to soon be replaced by the European Electronic Communications Code) will be maintained by the new Regulation.
  • In the UK, the Regulation will repeal the 2003 Privacy and Electronic Communications (EC Directive) Regulations. This assumes that the rules take effect before Brexit and, in the same way as the GDPR, that post-Brexit, the UK continues to adhere to EU style rules. See here for more analysis of the Brexit dimension for data regulation.

What is the risk factor? What are the increased sanctions for non-compliance?

The fines are in line with GDPR levels and are as follows.

  • Infringements of the following rules could result in administrative fines of the higher of 10,000,000 EUR or up to 2% of the total worldwide annual turnover:
    • "cookie" information and consent rules
    • privacy by design obligations
    • rules on unsolicited communications (i.e. failure to respect opt-in rules) and
    • provisions on publicly available directories
  • Infringements of the following would be subject to administrative fines of the higher of 20,000,000 EUR or up to 4% of the total worldwide annual turnover:
    • the principle of confidentiality of communications
    • unlawful processing of electronic communications data and
    • time limits for erasure

Is the scope of the regime changing?

  • The new Regulation, like the GDPR, will have extra-territorial effect. It applies to the processing of electronic communications data carried out in connection with the provision and use of electronic communications services in the Union, regardless of whether or not the processing takes place in the Union.
  • In addition to traditional voice, text and e-mail services, the provisions on confidentiality, the processing of electronic communications data, and storage and erasure of such data would apply to:
    • Over-the-top service providers ('OTT') such as unmanaged VoIP, instant messaging, web mail and social media messaging, and
    • Machine-to-machine communication (i.e. IoT technology), should the information or metadata exchanged between two devices be deemed to contain personal data.
  • The proposal's broad definition of "electronic communications services" is likely to apply to all services that have a communications element, even if that element is just "ancillary" to another service - meaning dating apps, video game services, and travel and e-commerce sites.
  • As now, the rules on direct marketing and use of cookies and other tracking technologies would apply to all marketers and websites, regardless of whether they fall within the definition of electronic communications services.
  • Software providers and potentially retailers will also be impacted, as e-communications software placed on the market will be required to offer privacy settings which enable the blocking of third party cookies, and on installation, the software must inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting.

What are the proposed changes to the rules for cookies?

The current rules on cookie consent, introduced by the 2009 amendments to the PECD, have attracted much controversy and resulted in an overload of consent requirements for internet users. There are some important changes to the rules.

  • The new Regulation applies to cookies, spyware, web bugs, hidden identifiers and device fingerprinting. It prohibits the use of "processing and storage capabilities of terminal equipment and the collection of information from users' terminal equipment, including about its software and hardware", unless consent – or some other narrow conditions – are met.
  • "Consent" has the same meaning as under the GDPR, i.e. freely given, specific, informed, active and unambiguous consent expressed by a statement or clear affirmative action.
  • However, in the context of cookies, such consent may be expressed by browser settings and the Regulation places specific obligations on browser providers to ensure that appropriate consent settings and options are given to individuals.
  • There are some new exceptions to the cookie consent rules, meaning those awkward banners and pop-ups won't be needed where cookies are only used for:
    • web audience measuring – but this applies only to first party cookies,
  • Alongside the familiar exceptions i.e.:
    • if it is necessary for the sole purpose of carrying out the transmission; or
    • it is necessary for providing an information society service, e.g. to add items to a shopping cart.
  • Websites wanting to rely on cookies for marketing, tracking and behavioural purposes will therefore need to consider the browser consent users have given. In practice, we expect that websites will continue to want to get opt-in consent to override this and therefore pop-up consent boxes will remain a regular sight despite the European Commission's intentions.
  • The collection of device information e.g. for Wi-Fi log-ins is prohibited, other than for the purposes of establishing the connection, unless a "clear and prominent" notice is displayed "on the edge of the area of coverage" informing the user of:
    • how the data will be collected,
    • the purposes for which it will be used, and
    • the person responsible for collecting it and any other information required under the transparency requirement of the GDPR to make such processing fair.
  • Such notices may be provided by means of standardised icons – to be developed under the "delegated acts" provisions of the Regulation – to make this information user-friendly.
  • The Regulation proposes web browsers, and other applications that permit the retrieval and presentation of information on the internet, should provide users, at the moment of installation, with a clear and accessible choice on their privacy settings, which will be binding on third parties.
  • The 'choice' should be as user-friendly as possible, whereby users are offered a set of privacy setting options, ranging from higher (e.g. never accept cookies) to lower (e.g. always accept cookies).
  • Further, the information provided should not dissuade users from selecting these higher privacy settings.
  • Software installed before 25 May 2018 (assuming the Commission's implementation target is met) would need to offer the option to block third party cookies on the first update of the software, and at the latest by 25 August 2018.

Can users still use ad blockers?

  • The proposal does not regulate the use of ad blockers specifically, but instead gives website providers the ability to check whether an end-user's device is able to receive their content, without obtaining the end-user's consent – this is a useful clarification.
  • Should the end-user's device be unable to receive the content requested, due to the user's own configuration, it is then up to the website provider to respond appropriately, for example by asking the user if they would be willing to switch off their ad blocker for the relevant website.

How would the rules on direct marketing differ?

The rules for opt-in and opt-out marketing consents are similar to the current position under the PECD (and there will have been a collective sigh of relief that 'soft opt-in' appears to have been retained), but there are some important changes to note.

  • The restrictions on unsolicited marketing communications apply to all direct marketing communications sent via the broadly defined "electronic communications services" (in contrast to the PECD). The recitals indicate that this is intended to cover instant messaging applications, MMS and Bluetooth.
  • The rules protect business recipients as well as individuals.
  • There is no change in that organisations would be required to obtain end-users' prior consent, before sending commercial electronic communications for direct marketing purposes.
  • Once given, the end-user's consent can then be withdrawn at any time.
  • A soft opt-in remains for the use of e-mail contact details within the context of an existing customer relationship for the offering of the marketer's own similar products or services. Note that the draft Regulation, like the PECD, restricts the use of the soft opt-in to the context of "a sale of a product or a service" whereas the current UK Regulations extend this to the "sale or negotiations for the sale".
  • Member States still have discretion to make live telemarketing calls opt-out (the current position in the UK).
  • There are similar requirements for marketers to be transparent, i.e. to make it clear that communications are marketing, to identify the marketer and to facilitate opt-outs.

What does it say about metadata vs content of communications?

  • Metadata is specifically mentioned in the Regulation. The basic rule is that both the content and metadata of e-communications are confidential and that all interference is prohibited.
  • Service providers will need users' consent in order to use metadata, such as location data, to provide services.
  • There are a few exceptions to this, such as transmission and / or security.
  • Certain high-risk processing of communications metadata may also require a Privacy Impact Assessment under the GDPR. In practice this is unlikely to mean much change.
  • For the use of communications content in order to provide services, the rules are stricter. Providers of electronic communications services may process electronic communications content only:
    • when providing a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of their electronic communications content and the provision of that service cannot be fulfilled without the processing of such content, unless
    • all end-users concerned have given their consent to the processing of their electronic communications content for a purpose that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
  • Consent for the use of both communication content and metadata for the provision of services can be withdrawn at any time, but in addition, service providers must remind end-users every six months that they have the right to opt-out.

What else does the new Regulation cover?

The new Regulation would also update the rules on calling line identification and call blocking, to combat nuisance calls, and the rules on public directories.

Comment and next steps

Given how far communications media and advertising techniques have evolved since 2002, or even 2009 when the PECD was last updated, the overhaul of the rules is overdue.

The current cookies rules in particular have been widely (and rightly) ridiculed, so reconsideration is welcome. However, it is not clear in practice that the proposals will actually mean an end to, or substantial decrease in, pop-up consent and banners unfortunately, and the high consent threshold (to align with GDPR) is likely to be unpopular in many circles. Whether or not the rules will achieve a truly "future-proof" state also remains to be seen.

The Commission's aim is for the new rules to come into force at the same time as the GDPR. Whether this is realistic or not depends on how much lobbying it attracts from the wider domain of digital businesses now in scope and the scrutiny of the other European institutions. We will be tracking the progress of the proposal through its next legislative stages – consideration by the European Parliament, initially through a Rapporteur and lead committee – and by the Member States in the form of the Council. Depending on the degree of consensus on the draft proposal, this process could take between months and years.

For more analysis, please join our webinar at 15:00 UK time on 19 January. You can register here.

We will provide regular progress updates on our Datonomy blog at www.datonomy.eu.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
