EU e-Privacy Regulation Raises Stakes for Compliance

Ballard Spahr LLP
The European Commission's proposed e-privacy regulation sets forth obligations on handling electronic communications and clarifies obligations for seeking consent for the use of cookies. Meant to bring the e-privacy directive in line with the General Data Protection Regulation (GDPR), the regulation imposes steep penalties for failure to comply for companies worldwide, including in the United States.

What is the significance of the regulation?

  • Greater harmonization and certainty: The regulation is directly binding on member states and does not require 28 separate implementing national laws. Similar to the GDPR, the regulation is meant to harmonize the privacy regime relating to electronic communications, providing the same level of protection to all individuals and businesses throughout the EU. It is also meant to provide greater certainty regarding enforcement.

  • Applies to more companies: Intended to bring the 2002 e-privacy directive up to date, the regulation will apply not only to traditional telecommunications providers but to a wide variety of providers, including "over the top" communications service providers such as Facebook Messenger, WhatsApp, Gmail, and others. It also applies to individuals who use electronic communications services to send direct marketing commercial communications or to collect information related to or stored in end-users' terminal equipment. This significantly increases the number of companies that will need to comply.

  • Greater fines: Violations of key provisions in the regulation are subject to a two-tier fine structure similar to that in the GDPR, raising the stakes for the companies subject to its jurisdiction. The national data protection authorities of each member state will be in charge of enforcement.

    • Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories, and unsolicited communications will be punishable by fines of up to the greater of 10 million euros or 2 percent of worldwide turnover.

    • Breaches regarding the confidentiality of communications, permitted processing of electronic communications data, and the time limits for erasure of data may be punished with fines of up to the greater of 20 million euros or 4 percent of worldwide turnover.

  • Greater clarity regarding cookies: The regulation sets forth clearer rules regarding when consent and disclosure may be needed in connection with cookies stored on users' devices. For example, no consent would be needed for non-privacy-intrusive cookies that improve the internet experience (e.g., remembering shopping cart history) or for cookies set by a visited website to count the number of visitors to that website.

  • Applies to more information: The regulation applies to all "electronic communications content" and "electronic communications metadata." This is a much broader set of information than "Personal Data," which is covered by the GDPR.

  • Enhanced consent and disclosure requirements: The regulation requires consent, or the right to object, for unsolicited electronic communications by any means (email, text, etc.). It also requires prominent disclosure for certain collection of information, including metadata and location data. Once consent is provided, however, companies would be able to use the information for additional, broader purposes.

What to do now?

The regulation is still subject to review and approval by the European Parliament and the European Council and is expected to go into effect concurrently with the GDPR on May 25, 2018. Companies that fall under the scope of the regulation can get started on preparing for compliance by:

  • Assessing the information they collect and adapting their disclosures and practices as necessary: Collection and use of metadata will need to be incorporated into the consents. Prominent notice may need to be added when monitoring or using location data emitted by a mobile device.

  • Reviewing and revising cookie policies: Corporations should assess what cookies they use and to what end and determine whether those require consent. Some disclosures regarding information stored on the user device may need to be amended. Users of software used for electronic communications would need to be provided information about the privacy setting options at installation as well as the opportunity to prevent third parties from storing information on their device.

  • Appointing an EU representative: Companies subject to the regulation that do not have a physical presence in the EU will need to designate in writing a local representative in one of the member states.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
