It seems like the dust has barely settled since the GDPR was introduced in May and organisations are already having to brace themselves for a new EU Regulation waiting to make its debut.
The proposed ePrivacy Regulation is intended to complement the GDPR and provide internet users with more control over their online data and to ensure that organisations handle this data with care.
Our Dummies Guide to ePrivacy Regulation will provide you with everything you need to know about this new legislation and what the proposed changes will mean for your business.
What is the ePrivacy Regulation?
The European Commission published a proposal for a new ePrivacy law on the 10 January 2017. The new ePrivacy Regulation will replace the existing ePrivacy and Electronic Communications Directive 2002, which covers privacy rules across the EU.
The new regulation will address advancements in technology and focus specifically on individual privacy relating to electronic communications. This will include data on websites, SMS, email, social networks, blogs, apps, VoIP, video, social media messaging and IoT devices.
What areas does the ePrivacy Regulation cover?
The previous directive was often referred to as the ‘cookies law’, however the new regulation has a much broader scope. The key areas covered by the regulation include:
Unlike the current directive which requires users to provide consent for cookies on each website they visit, the new regulation proposes that users provide consent through browser settings. This will mean the end of annoying cookie banners as users will be able to select their default privacy settings when they first set up their browser.
The previous directive covered more traditional forms of communication such as email and SMS, whereas the new regulation has been expanded to include more modern forms of communication such as social messaging services (WhatsApp, Facebook Messenger) and VoIP providers.
The new rules also cover metadata which includes information such as:
- How many times a day a device is connecting and transmitting data
- The size of downloadable files
- Time, date and location of any data exchanges
The new regulation includes a detailed protection against spam, which includes text messages, unsolicited emails and automated calling systems. Marketing callers must also display their phone number or other identifying codes to indicate when it’s a marketing call.
Users will need to provide full consent in order to receive any promotional marketing material from a company and have the option to opt-out through unsubscribe messages.
What are the main differences between the GDPR and ePrivacy Regulation?
The GDPR and ePrivacy Regulation both cover data protection practices across the EU but whilst the GDPR is solely concerned with people’s personal data, the ePrivacy Regulation specifically covers the confidentiality of data involved in electronic communications.
Whilst the GDPR and ePrivacy Regulation reflect similar aspects of privacy, they do so under different legal charters. The two regulations will work in tandem, and if a data protection issue is raised regarding electronic communications, regulators will default to the ePrivacy Regulation to deal with the matter.
Who does the ePrivacy Regulation apply to?
The ePrivacy Regulation applies to any organisation, in any country, that provides electronic communication services to users in the EU. Industries such as marketing, advertising and the media will be impacted more heavily than others, as they will be unable to send promotional material to customers without their prior consent.
Who does the ePrivacy Regulation not apply to?
The ePrivacy Regulation will not be applicable to:
- Any activities that fall outside the scope of EU law
- Member state activities relating to immigration and border checks
- Electronic communications that are not publicly available
- Activities relating to the prevention, investigation or prosecution of criminal offences
- Radio equipment that complies with Directive 2014/53/EU
When will the ePrivacy Regulation come into force?
The ePrivacy Regulation was originally intended to come into force on 25 May, the same day as the GDPR. However, due to delays in the approval process, the regulation has still not been finalised, but it is expected to be implemented within the next six to 12 months.
What are the ePrivacy Regulation fines and penalties for non-compliance?
The regulation carries the same penalties as the GDPR. The ePrivacy Regulation has a tiered penalty structure that will apply to companies that are non-compliant. Organisations in breach of the ePrivacy Regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Will the ePrivacy Regulation just affect European companies?
No. Although the ePrivacy Regulation is a European regulation, it has wider implications. It doesn’t matter where in the world you are located: if your company is based outside the EU but is involved in the provision of electronic communication services within the EU, the ePrivacy Regulation will apply.
MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.