News and developments

Leaked ePrivacy Draft: What To Expect

Following the introduction of the General Data Protection Regulation, the European Commission has been working on reforming the E-Privacy Directive. The draft law was leaked on the 13th of December 2016. Although this is not the final version, we now have a clearer idea of what to expect in the coming months. The Privacy and Electronic Communications Regulation is expected to be finalized by January 2017. Since this is no longer a directive but is now a regulation, there is no need for it to be transposed. It will become effective within 6 months as opposed to the normal 2-year period, which means that companies will have much less time to bring themselves in line with the Regulation.

The most important changes found within the draft Regulation are the following:

  • Prior consent must be obtained for cookies and any other kind of online tracking techniques (first party analytics are exempted). Nevertheless, when cookies are necessary for technical reasons, there is no need for consent. This means that pop-ups requiring consent for cookies will no longer be necessary.
  • Privacy by design – device and software manufacturers must set default settings to block cookies by third parties.
  • New opt-in requirement for direct marketing phone calls. However, Member States may choose to allow such calls on an opt-out basis instead. There must be a specific marketing prefix number making these calls easily identifiable.
  • Direct marketing by electronic communications is only allowed with respect to end users who have given their prior consent.
  • Information related to the end user’s device is now protected.
  • Publicly available directories must obtain consent from end users (if natural persons) prior to including their personal data in the directory.
  • Consent may be withdrawn, but only at periodic intervals every six months.
  • Fines which may be imposed in the case of a breach of the provisions of this Regulation are the following, depending on the offence in question:
    • 4% of global revenues or €20 million, whichever is higher; or
    • 2% of global revenues or €10 million, whichever is higher, for providers of devices and software who fail in their privacy by default obligations.

Although a revamped privacy regulation is welcome, it is certainly lacking in two important areas: it makes no mention of data retention or encryption. Local Data Protection Authorities will be responsible for the implementation of this Regulation. “OTT” (over the top) services such as Skype, WhatsApp, Facebook and Messenger will be expected to comply, together with traditional telecommunication services providers. The Regulation will have extraterritorial effects, as even third-country websites will be required to conform in order to ensure that website visitors from the European Union have their rights protected.