Following the introduction of the General Data Protection
Regulation, the European Commission has been working on reforming
the E-Privacy Directive. The draft law was leaked on the 13th of
December 2016. Although this is not the final version, we now have
a clearer idea of what to expect in the coming months. The Privacy
and Electronic Communications Regulation is expected to be
finalized by January 2017. Since this is no longer a directive but
is now a regulation, there is no need for it to be transposed. It
will become effective within 6 months as opposed to the normal 2-year
period, which means that companies will have a much shorter
time period within which to bring themselves in line with the

The most important changes found within the draft Regulation are

Prior consent must be obtained for
cookies and any other kind of online tracking techniques (first
party analytics are exempted). Nevertheless, when cookies are
necessary for technical reasons, there is no need for consent. This
means that pop-ups requiring consent for cookies will no longer be

Privacy by design – device and
software manufacturers must set default settings to block cookies
by third parties.

New opt-in requirement for direct
marketing phone calls. However, Member States may choose to allow
such calls on an opt-out basis instead. There must be a specific
marketing prefix number making these calls easily

Direct marketing by electronic
communications is only allowed with respect to end users who have
given their prior consent.

Information related to the end
user's device is now protected.

Publicly available directories must
obtain consent from end users (if natural persons) prior to
including their personal data in the directory.

Consent may be withdrawn but only at
periodic intervals every six months.

Fines which may be imposed in the
case of a breach of the provisions of this Regulation are the
following, depending on the offence in question:

4% of global revenues or €20
million, whichever is higher; or

2% of global revenues or €10
million, whichever is higher, for providers of devices and software
who fail in their privacy by default obligations.

Although a revamped privacy regulation is welcome, it is
certainly lacking in two important areas: it makes no mention of
data retention or encryption. Local Data Protection Authorities
will be responsible for the implementation of this Regulation.
"OTT" (over the top) services such as Skype, WhatsApp,
Facebook and Messenger will be expected to comply, together with
traditional telecommunication services providers. The Regulation
will have extraterritorial effects as even third country websites
will be required to conform in order to ensure that website
visitors hailing from the European Union will have their rights

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.