In January 2017, the European Commission (the “EC”) published its proposal for a new ePrivacy Regulation (the “ePrivacy Proposal”), which will replace the ePrivacy Directive of 2002 (2002/58/EC) and the Cookie Directives of 2009 (2009/136/EC).  Currently, the draft is pending in the European Parliament and the Council.  The EC’s goal is to adopt the new ePrivacy Regulation by May 25, 2018, when the General Data Protection Regulation (the “GDPR”) will become effective.

The ePrivacy Proposal includes, inter alia, rules on the confidentiality of electronic communication data, on the use of cookies on websites, and on direct marketing practices.  The scope of the ePrivacy Proposal was extended and now, for the first time, also covers OTT providers, such as WhatsApp, Facebook Messenger and Skype.  As a European regulation, the ePrivacy Regulation will be directly applicable in all EU Member States once it enters into force.

Like the GDPR, the ePrivacy Proposal also provides for strict enforcement measures in cases of non-compliance, with administrative fines up to EUR 20 Million or, alternatively, 4 percent of the total worldwide annual turnover of the preceding financial year.

In a nutshell, the most relevant provisions can be summarized as follows:

  • With respect to confidentiality, the ePrivacy Proposal confirms that electronic communication data is confidential and prohibits any form of interference, surveillance, or processing by persons other than the end-user, except when permitted in the ePrivacy Proposal.  Confidentiality is guaranteed for both communication content and meta data.
  • Regarding the use of cookies, the EC wants to limit the current “consent overload” on websites by distinguishing in the future between non-privacy intrusive cookies, which are necessary and proportionate for a service requested by the end-user (e.g., temporary cookies helping the end-user to keep track of input when filling in online forms over several pages), and other forms of more intrusive cookies (e.g., tracking cookies).  While the end-users’ explicit consent will no longer be required for the use of non-privacy intrusive cookies, end-users should be able to express their consent to the use of other forms of cookies by using appropriate settings of their web browsers.

The EC’s idea is to obtain consent to the use of cookies during the installation of web browsers rather than by clicking on a web banner while surfing the Internet.  In order to obtain such consent, web browsers should require a clear affirmative action from the end-user to signify his or her “freely given, specific informed, and unambiguous agreement to the storage and access of such cookies in and from the terminal equipment” (e.g., by requiring end-users to actively select “accept third party cookies” in the browser’s settings).

  • For direct marketing, informed consent will be key under the ePrivacy Proposal.  The ePrivacy Proposal includes a uniform and clear choice for the “opt-in” model, rather than the “opt-out” model.  Therefore, the ePrivacy Proposal completely bans unsolicited electronic communications by emails, SMS, and automated calling machines.  Certain opt-out exceptions might only apply in the context of an existing customer relationship.

The EC’s ePrivacy Proposal shows that companies should not only focus on the GDPR when making their European operations privacy-compliant, but also should keep the supplementary regulations in mind.  In terms of risk management, obtaining and tracking (opt-in) consent will be essential in the future.  To limit their risk exposure, companies are advised to implement reliable procedures and mechanisms to obtain and track consent of potential recipients, users, and customers.

The full draft of the ePrivacy Proposal is available on the EC’s website here.