The Commission recently published a proposal for a new
ePrivacy Regulation. If adopted, this will replace the current
Privacy and Electronic Communications (EC Directive) Regulations
The European Commission's research found that 92% of
respondents to their survey care about their online privacy,
the information on their devices
the content of their emails and
the trace of their activities online,
information stored on their physical
Therefore, the default position in the proposed Regulation is
that content, metadata and information stored on users' devices
is confidential, regardless of whether or not it is personal
The thrust of the proposed Regulation is to increase
transparency to consumers and protect them from
"surreptitious" monitoring and data gathering (a term
used repeatedly in the proposal). This is in line with the
Commission's approach in the General Data Protection Regulation
(GDPR) so comes as no surprise.
So what's new in the proposed ePrivacy Regulation?
Content in electronic communications,
metadata related to electronic communications and information on
users' devices cannot be accessed without consent, unless it is
necessary to provide a service/transmit the data or necessary for
Consent will no longer be required
for non-privacy intrusive cookies. The UK regulator already takes
this approach, but that was more lenient than its European
counterparts. So consumers will no longer be faced with a pop-up if
the only cookies on a website are strictly necessary or anonymous
Browser settings can be used as
consent for cookies. The Commission has rowed back on its preferred
approach to where users set their cookie preferences. Rather than
requiring every website operator to have its own set of cookie
controls, browsers and software which enables electronic
communications should enable users to set cookie preferences, but
in a more granular way than is currently possible.
The Regulation will apply to
'over the top' providers (for example, Facebook Messenger,
Skype, Gmail, iMessage, Viber and WhatsApp).
The Regulation takes into account the
Internet of Things as it also ensures the privacy of
How does the proposed Regulation fit with GDPR?
The Regulation is a separate piece of legislation to the GDPR
but there are various parallels between the two:
It is a Regulation not a Directive to
There are huge fines, at the same
levels as in the GDPR.
The same regulator will be used in
the UK - the Information Commissioner's Office.
Extra-territorial effect - non-EU
companies providing electronic communications services to EU
citizens will be subject to the Regulation.
It is born from the need to increase
transparency for consumers.
Includes specific reference to use of
standardised icons to allow users to quickly and easily understand
uses of their data.
Same definition of consent (and all
definitions in the GDPR govern the proposed Regulation).
Aim of adoption by May 2018 so that
there is a simultaneous comprehensive overhaul of the legal
framework for privacy and data protection.
Is anything staying the same?
As with GDPR, this proposal is not a
sea-change from the current Regulation. It builds on the current
foundations, with the rules about marketing consents remaining the
same (although the drafting is not entirely clear on the existence
of the soft opt-in). Any type of electronic marketing is clearly
brought into scope and there are stricter requirements about caller
Consent must still be obtained for
any privacy-intrusive cookies.
The lower level of damage suffered
for compensation to be granted or the regulator to investigate is
What do I need to do?
Nothing yet as this is just a proposal for a Regulation. The
Commission are pushing for it to be adopted and come into force at
the same time as GDPR though.
If adopted in its current form, it will apply to new operators
who have not previously been caught by electronic communications
requirements. For those who have been caught previously, it will
require changes to cookie notices, changes to software used for
electronic communications and new consents for use of content and
metadata linked to electronic communications.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.