Following a leak in early December, the European Commission has
officially published the finalised proposed new legislation which
aims to strengthen privacy in electronic communications. The
Regulation on Privacy and Electronic Communications
("Proposal") aims to repeal the ePrivacy Directive. These
rules will be updating existing laws and bringing them in line with
the new General
Data Protection Regulation ("GDPR"), forming part of
the Digital Single Market Strategy.
The Commission also put forward another proposal for a new set
of rules which will ensure that personal data processed by EU
institutions and bodies is regulated in the same way as under the
GDPR in Member States.
The Commissioner for Justice, Consumers and Gender Equality,
Věra Jourová, said: "The European
data protection legislation adopted last year sets high
standards for the benefit of both EU citizens and companies. Today
we are also setting out our strategy to facilitate international
data exchanges in the global digital economy and promote high data
protection standards worldwide."
The salient features of the Proposal are the following:
Whereas the ePrivacy Directive is only applicable to telecoms
operators, the new rules will also apply to other providers of
electronic communications services which have become increasingly
important in recent years, e.g. Facebook Messenger, WhatsApp,
Skype, Gmail, iMessage and Viber.
Since the Directive will be replaced with a Regulation, the
upshot is that a single body of laws will become applicable across
the board. This will help smooth the compliance process for
businesses whilst also ensuring that EU citizens will enjoy the
same rights in all Member States.
Both content and metadata (i.e. recipient, time, location or
duration of the communication) will need to be anonymised or
deleted if there is no consent given by the user.
If consent is given for the data to be used, telecoms operators
will be able to use this data to provide additional services.
Requirement for cookie consent will be streamlined. Users will
have more control of their settings, and there will be no need to
require consent for cookies that are not privacy intrusive.
Unsolicited electronic communication (spam) will be banned if
sent without user consent.
Enforcement of these rules will be under the responsibility of
the national Data Protection Authorities.
As in the GDPR, failure to comply may lead to fines of up to
€20,000,000, or 4% of a company's annual GDP.
The European Consumer Organization (BEUC), pointed out two key
elements that are found within the GDPR, but are lacking in the
Proposal: privacy by design rules and a possibility for consumers
to institute a group action. Although privacy by design was
included in the leaked draft, it is now no longer part of the
proposed legislation. It remains to be seen whether the Proposal
will be amended to include a right for group action, as in the
The Commission aims to have these rules adopted on the 25th May
2018, the very day on which the GDPR will be coming into force.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On 9 and 14 September 2015, Hong Kong Broadband Network Limited and Links International Relocation Limited respectively were convicted for breaching the direct marketing provisions under the Personal Data (Privacy) Ordinance.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).