ePrivacy Regulation (European Union)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The ePrivacy Regulation (ePR) is a proposal for greater regulation of electronic communications within the European Union, in order to increase privacy for individuals and entities. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)." It would repeal the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive) and is lex specialis to the General Data Protection Regulation. It would particularise and complement the latter on the electronic communications data that qualify as personal data like the requirements for consent to the use of cookies and opt-outs.

The scope of the ePrivacy Regulation would apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing.[1]

The penalties for noncompliance are up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover, whichever is higher. It was intended to come in effect on 25 May 2018, but now somewhere in 2019.[2]

Difference between regulation and directive[edit]

The (new) ePrivacy Regulation will repeal the (current) ePrivacy Directive.

The EU Regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously.

The current EU Directive is a legal act of the European Union that requires member states to achieve a particular result without dictating the means of achieving that result. It can be distinguished from regulations that are self-executing and do not require any implementing measures. The directive leaves member states with a certain amount of leeway as to the exact rules to be adopted.

Key points of Commission's proposal[edit]

According to the EU, the proposal for a regulation on high level of privacy rules for all electronic communications includes[1]:

  • New players: Privacy rules will also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger, and Skype. That will ensure that the popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
  • Stronger rules: All people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
  • Communications content and metadata: Privacy is guaranteed for communications like the time and the location of a call. Metadata have a high privacy component and must be anonymised or deleted if users did not give their consent unless the data is needed for billing.
  • New business opportunities: Once consent is given for communications data (content and/or metadata) to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals, which could help public authorities and transport companies when developing new infrastructure projects.
  • Simpler rules on cookies: The cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly, as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience (like to remember shopping cart history) or cookies used by a website to count the number of visitors.
  • Protection against spam: The proposal bans unsolicited electronic communications by emails, SMS, and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
  • More effective enforcement: The enforcement of the confidentiality rules in the regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.

Digital Single Market[edit]

The EU digital single market and the facilitation of public services across borders.

The EU Digital Single Market strategy aims to open up digital opportunities for people and business and enhance Europe's position as a world leader in the digital economy.[3]

As part of the strategy, the General Data Protection Regulation and the Directive on Security of Network and Information Systems will apply from 25 May 2018. The proposed ePrivacy Regulation was also planned to be applicable from 25 May 2018, but it is currently not expected to take effect until 2019. The eIDAS Regulation is also part of the strategy.


External links[edit]