Following on from my previous post about the leaked draft of the new e-Privacy Regulation, the European Commission has now published its official draft (press release here; draft legislation here). So what’s changed since the leaked draft, and what are the key takeaway points to know?
What’s not changed?
The following elements have not materially changed from the Commission’s earlier leaked draft at the end of 2016:
1. Extra-territoriality and 4% fines: The proposed Regulation applies to entities anywhere in the world that provide publicly available "electronic communications services" to users in the European Union, or that gather data from the devices of those users. Breaches of the new e-Privacy Regulation can attract fines of up to 4% of annual worldwide turnover, just like the GDPR.
2. Application to OTT, IoT, M2M and lots of other acronyms: The Regulation applies to traditional telcos and ISPs, but also to Over The Top (OTT) providers - i.e. providers of messaging apps, e-mail platforms, VoIP services and the like. In addition, anyone using cookies or similar tracking technologies (such as device fingerprinting) will be caught by the new rules. Internet of Things (IoT) and machine-to-machine (M2M) communications also fall within the scope of some of its rules.
3. New rules for communications data: The proposed Regulation introduces new rules for processing communications content (i.e. what was said) and communications metadata (i.e. who said it, when, where, and other related information about the communication). The term ‘metadata’ replaces the definition of ‘traffic data’ in the current e-Privacy Directive. The Regulation allows slightly wider uses of content and metadata than is the case under current law. My simple graphic summarising the new communications data rules is available here.
4. E-marketing rules: The official draft, like the leaked version, does not materially change today’s e-marketing rules. E-marketing still requires opt-in, save where an individual’s contact details have been obtained in the context of a sale - in which case opt-out is possible. There are, however, some new transparency requirements for direct marketing calls as compared with current law.
5. Exemption for analytics cookies: Like the leaked draft, the Commission’s proposal retains an exemption from the cookie consent requirement for analytics. However, the exemption applies only to first party analytics, not third party analytics - so websites and apps using third party analytics platforms like Google Analytics will still need consent. For the techies amongst you: this holds even if the cookie is technically served from a first party domain, because "third party" here refers to the provider of the analytics service, not to the domain from which the cookie is served.
What has changed?
If the above points haven't materially changed from the leaked draft, then what has?
1. No blocking of cookies by default: Cookies generally still require consent under the Commission’s official draft, and the Commission still wants providers of browsers and similar software to give their users cookie and tracking controls. However, rather than insisting that browser providers block cookies by default, the Commission has now struck a more moderate tone - instead requiring that, as part of the browser software set-up, users must be offered cookie consent choices. The overall aim seems to be to move the consent requirement away from websites (and their cookie banners) to the browser providers - a move that could spell the end for cookie banners.
2. Effective date: The leaked draft suggested that, once adopted, the Regulation would have a 6 month lead-in period. The Commission’s official draft instead says that it will apply from 25 May 2018 - the date on which the GDPR also comes into effect.
The scope of the e-Privacy Regulation is very wide, and will broadly apply to any business that provides any form of online communication service, that utilises online tracking technologies, or that engages in electronic direct marketing - in today’s digital age, just about everyone.
The Commission’s deadline of getting this all done, dusted and in force by 25 May 2018 therefore seems very ambitious - remember that it took over four years to get the GDPR agreed. While the e-Privacy Regulation is a somewhat simpler document, many of its provisions (especially those on communications data and tracking technologies) will be highly contentious for both industry and civil liberties groups, and a lot will inevitably evolve as the draft law passes through the legislative process.
Nevertheless, if the Commission does meet its aim, then May 2018 is set to be something of a regulatory “Big Bang” for data processing businesses - in a single month, they will need to ensure they have everything necessary in place to comply with the new GDPR, NIS Directive and e-Privacy Regulation! Best get planning now...