New proposed regulations in respect of all electronic communications (websites, emails, voice over IP, instant messaging services and other Apps and software using communications data) have been published by the European Commission. It is expected that they will come into force in May 2018.
The effect on most businesses (who perhaps only utilise a website as a marketing and sales channel and use email to market to their customers) will be minimal. They should review their privacy policies and marketing strategies and procedures. This could form part of an existing compliance plan for the new General Data Protection Regulations that also comes into force in 2018.
However, businesses in the digital advertising industry, those who operate an electronic communications service, and those who operate a “big data” or “analytics” App are more significantly affected. They will need to undertake a careful analysis of how their technology operates, how they collect and use data and how they communicate with their marketing and user base in order to ensure that they comply with the new Regulation.
Fines for failing to comply are now significant (4% of global annual turnover).
One week ago, on 10 January 2017, the European Commission presented a proposal for a Regulation to replace the current rules on electronic communications, known as the ePrivacy Directive. The current Directive came into force in the UK by a 2003 Regulation. It was amended and extended by a 2009 Directive, known as the Cookie Directive, that was implemented in the UK in a 2011 Regulation. The new Regulation will be directly applicable and, Brexit issues aside, will not require implementation in the UK.
What was the scope of the old ePrivacy Directive (and the Cookie Directive)?
Why another new European privacy Regulation?
The rationale behind the new Regulation is that the original ePrivacy Directive (as amended in 2009 by the Cookie Directive) is out of date in two respects. First, it doesn’t reflect changes in technology and its use since 2009. Second, it is not consistent with the General Data Protection Regulation or “GDPR” that will come into force in 2018, the GDPR having a much broader scope than the regulation of privacy in electronic communications.
Additionally, the European Commission recognises that the old ePrivacy Directive has not achieved its objectives. They say that it was “unclear” and, in particular, the rules in relation to consent for cookies “have created an unnecessary burden on businesses and consumers”.
The European Commission also reported that public consultations identified a need for:
- the confidentiality of personal information on computers and smartphones;
- the confidentiality of emails and online messaging; and
- software that prevents the sharing of personal information by default.
What are the main changes in the new Regulation?
The new Regulation now applies to all forms of “Over the Top” electronic communications, not just emails and websites. This includes Voice over IP (Skype, Facetime, Webex etc.), instant messaging (WhatsApp, SnapChat, iMessage etc.) and web-based email services (GoogleMail, Outlook365 etc.).
Also included are machine-to-machine communications (Internet of Things, Beacons etc.) and publicly accessible local area networks and “hotspots” (via Wi-Fi and Bluetooth). Principles in respect of the retention and use of traffic data under the old ePrivacy Directive are now extended to all metadata generated during the use of such services.
There are stricter and more prescriptive rules and controls on the collection and use of data from all “terminal equipment”, which now includes smartphones, tablets and IoT devices as well as desktop computers. The key principle is still opt-in consent. There are new requirements to ensure that users are notified about the collection of technical data from devices (IMEI, MAC addresses, IMSI data) for so-called “device fingerprinting”.
Electronic Communications software (whether it be a web browser or an instant messaging App on a smartphone) now needs to notify users of its privacy settings on installation and require users to consent to those settings before proceeding with the installation.
New regulations apply to all providers of electronic communications directory services. Opt-in consent is required, and rights to verify, correct and delete data in directories are provided.
There are clearer rules on direct marketing and unsolicited communication by email and by telephone. In addition, the opt-in consent rules on direct marketing now clearly apply to all forms of electronic communications, whether that be SMS messages or pop-up notifications in an App over Bluetooth.
There are stricter rules on notifications of breaches of the new regulations and the level of fines that can be levied has been increased to a maximum of 4% of total worldwide annual revenues.
What is our view on the practical effect of the new Regulations?
Our view is that the effect of the new Regulation on most businesses (that only utilise a website as a marketing and sales channel and use email to market to their customers) will be minimal. Changes will need to be made to privacy policies and marketing strategies and, perhaps, the way that marketing data is collected. However, these can easily be incorporated into a strategy for ensuring compliance with the General Data Protection Regulations (which come into force in 2018). Most website managers will be pleased to see the end of the cumbersome “Opt in Cookie Banner”.
The new Regulation is more problematic for the following businesses:
- any business in the digital advertising industry or deriving revenue from digital adverts (on publication of the proposed new Regulation the Interactive Advertising Bureau (IAB Europe) issued a statement saying that it was “dismayed” by “a law that as a practical matter would undeniably damage the advertising business model”);
- any business operating an electronic communications service (such a service is now widely defined: messaging, email, voice etc.); and
- any business operating an App on a smart phone or an application on a computer that utilises “big data” as a non-core part of that service (for example, the collection of location data that is not related to the functionality of the App). This is likely to significantly impact the collection of “big data” for “analytics”.
For businesses in these categories, a very careful analysis of how their technology operates, how they collect and use data and how they communicate (and, in so doing, seek the consent of end users) will be needed to ensure ongoing compliance. Fines are now significant, and the new UK Information Commissioner has made it clear that she intends to “get tough” with those who do not comply.
When will the new Regulation take effect?
It’s clear that the European Commission wants the new Regulation to come into effect at the same time as the General Data Protection Regulation, 25 May 2018. Our view is that this will be challenging in the time available. It still needs to be approved by the European Parliament and the Council of Ministers. It is also likely to face significant opposition from a number of large and powerful US technology companies.
Complying with the new Regulation
We are currently advising a number of clients in the UK and in the US on how they can comply with the new Regulation. This work complements our existing programme of advice to organisations in respect of the forthcoming General Data Protection Regulation. If you would like specific legal advice on the scope of the new Regulation or, indeed, help with compliance generally, please don’t hesitate to get in touch at firstname.lastname@example.org.