In January 2017, the European Commission (the “EC”) published its proposal for a new ePrivacy Regulation (the “ePrivacy Proposal”), which will replace the ePrivacy Directive of 2002 (2002/58/EC) and the Cookie Directives of 2009 (2009/136/EC). Currently, the draft is pending in the European Parliament and the Council. The EC’s goal is to adopt the new ePrivacy Regulation by May 25, 2018, when the General Data Protection Regulation (the “GDPR”) will become effective.
Like the GDPR, the ePrivacy Proposal also provides for strict enforcement measures in cases of non-compliance, with administrative fines up to EUR 20 Million or, alternatively, 4 percent of the total worldwide annual turnover of the preceding financial year.
In a nutshell, the most relevant provisions can be summarized as follows:
With respect to confidentiality, the ePrivacy Proposal confirms that electronic communication data is confidential and prohibits any form of interference, surveillance, or processing by persons other than the end-user, except when permitted in the ePrivacy Proposal. Confidentiality is guaranteed for both communication content and meta data.
For direct marketing, informed consent will be key under the ePrivacy Proposal. The ePrivacy Proposal includes a uniform and clear choice for the “opt-in” model, rather the “opt-out” model. Therefore, the ePrivacy Proposal completely bans unsolicited electronic communications by emails, SMS, and automated calling machines. Certain opt-out exceptions might only apply in the context of an existing customer relationship.
The EC’s ePrivacy Proposal shows that companies should not only focus on the GDPR when making their European operations privacy-compliant, but also should keep the supplementary regulations in mind. In terms of risk management, obtaining and tracking of (opt-in) consent will be essential in the future. To limit their risk exposure, companies are advised to implement reliable procedures and mechanisms to obtain and track consent of potential recipients, users, and customers.
The full draft of the ePrivacy Proposal is available on the EC’s website here.