Update Data Protection 17
The new e-Privacy Regulation
On January 10, 2017, the EU Commission published its latest draft of the new e-Privacy Regulation on Privacy and Electronic Communications (the document is available here). The following shall give a brief overview of the most important aspects in the new proposal.
Background
The new Regulation is intended to replace the existing rulings of the e-Privacy Directive 2002/58 (e-Privacy Directive), in part also known as "Cookie Directive". In this respect, the current provisions of the e-Privacy Directive are classified by the EU Commission as no longer fit for purpose, due to continuous technical and economic progress, in particular the spread of new Internet-based services. Besides, the new provisions of the e-Privacy Regulation are intended to supplement the new General Data Protection Regulation (GDPR). The draft of the e-Privacy Regulation is currently the subject of detailed discussion by the European Parliament and the Council of the European Union. The aim is to adopt the draft soon and for it to come into effect on May 25, 2018, parallel to the GDPR.
Extended area of application
The first significant change under the new proposal concerns the area of application of the e-Privacy Regulation. It now covers all electronic communication services, irrespective of whether the user is required to pay a fee or not. Pursuant to the recitals, in particular new Internet-based communication services are also to be covered. Examples explicitly named in the e-Privacy Regulation include voice-over IP, Internet messaging and web-email services. In this regard, the draft of the e-Privacy Regulation also explicitly mentions communication services offered as an addition to an existing (main) service, for example messenger services offered by social networks (see Recital 2). As a result, the area of application of the new e-Privacy Regulation will be significantly extended compared to the existing rulings. Services such as Gmail, Skype, iMessage or WhatsApp - but also Facebook Messenger - will therefore fall under the new e-Privacy Regulation in future in the same way as traditional communication services, and will thus be obliged to comply with the special requirements of the e-Privacy Regulation.
Relationship to the GDPR
From a content perspective, the new e-Privacy Regulation will protect, on the one hand, electronic communications data processed in the context of the provision and use of electronic communication services. This will include both electronic communications content (such as pictures, texts and videos) and electronic communications metadata arising in the context of the use of electronic communication services. At the same time, information related to the users' end devices, so-called terminal equipment (e.g. smartphones, tablets), will also be covered (for example location data and identification features of a device). It should be noted that the current draft of the e-Privacy Regulation covers all communication data and information of users' terminal equipment, irrespective of whether this information constitutes personal data or not. The area of application of the e-Privacy Regulation is thus broader than that of the GDPR. Where personal data is collected, the planned e-Privacy Regulation shall take express priority over the GDPR. Nevertheless, the provisions of the GDPR shall apply on a supplementary basis.
Increased requirement for consent and interrelationship with the rulings of the GDPR
With regard to the processing and use of electronic communications data and users' terminal equipment information, the current draft of the e-Privacy Regulation lays down a general prohibition of such processing and use. However, it also includes several statutory permissions. Most often, such permission under the new e-Privacy Regulation requires the consent of the respective user. In addition, however, the current draft of the Regulation also includes further statutory permissions, depending on the form of data covered by the processing. With regard to the definition of and conditions for consent, as well as the revocation thereof, the e-Privacy Regulation refers to the provisions of the GDPR. This will create a harmonizing regulatory framework between both Regulations. Leading on from this, other provisions of the draft of the e-Privacy Regulation also refer to several provisions of the GDPR, for example the obligation to provide appropriate technical and organizational measures to ensure a level of data security pursuant to Art. 32 GDPR when collecting terminal equipment information for the purpose of establishing a connection, see Art. 8 Subsection 2 (b) of the e-Privacy Regulation.
Use of cookies and other methods of identification and tracking
With regard to users' terminal equipment information, i.e. information related to the use of the end devices by the users, the draft of the e-Privacy Regulation also provides for various new rulings. In general, the collection and use of such information of users' terminal equipment through cookies and other identification and tracking methods (e.g. "device fingerprinting") is subject to the consent of the users. Nevertheless, an exception to the consent requirement applies, for example, if the respective cookie is necessary for the provision of the service. This includes, for example, cookies in online shops that save the products placed in the shopping basket by the users. Although this ruling was already included in the previous e-Privacy Directive, it was not explicitly implemented into German law. Under the new e-Privacy Regulation - which in contrast to the previous e-Privacy Directive will have a direct effect - this exception will then explicitly apply in Germany. A further exception from the general prohibition of using users' terminal equipment information now applies if this information is required for web audience measurement, for example the recording of user numbers. However, the arguably most important change in connection with the collection and use of users' terminal equipment information concerns the obtaining of consent. In such cases, the current draft of the e-Privacy Regulation expressly states that effective consent can now also be declared through the selection of appropriate privacy settings in the respective browser of the end device - irrespective of the requirements of the GDPR. A prerequisite for this is that the browser must offer various, graduated options that the user can select.
It is therefore conceivable that users can give their consent to the use of cookies solely through the selection of cookie settings - provided the browser includes a set of privacy setting options and such privacy settings are presented in an easily visible and intelligible manner. To date, the extent to which the user could also issue consent through the making of such settings has always been disputed in the individual member states. The e-Privacy Regulation now clarifies this question. At the same time however, a number of follow-on questions arise here, both concerning the service providers as well as the affected users. These questions will be subject to further discussions. For example, the question will be relevant whether the service provider is obliged to always check whether a user is using an up-to-date browser with corresponding privacy options or whether, in the event of this not being the case, the provider must provide an additional "classical" consent mechanism, for example in the form of a check box. In this respect, it remains to be seen how the supervisory authorities and the Article 29 Working Group will position themselves in future.
Direct Marketing
The draft of the e-Privacy Regulation also contains rulings on unsolicited communications for the purpose of direct marketing. In general, direct marketing is still subject to consent as in the current e-Privacy Directive, unless the service provider has obtained the user's respective electronic contact data in the context of a sale or service. In this case, there is a mechanism in favor of the users to opt out of such direct marketing communications. In this respect, the provisions of the new e-Privacy Regulation correlate with the previous provisions of the e-Privacy Directive that have been implemented through Section 7 Subsection 3 UWG (German Law on Unfair Competition). A new aspect, however, is that the regulations on direct marketing now cover all forms of advertising communications, and are no longer restricted to communications with the help of automated calling devices, fax machines or electronic post, as was the case under the previous regulations of the e-Privacy Directive. It is therefore clear that new forms of communication, such as push notifications, etc. will also require consent if they are used for the purpose of direct marketing. By contrast, under the current draft of the e-Privacy Regulation, telephone calls for direct marketing purposes no longer require consent, but rather are the subject of an opt-out mechanism by the users. Users must therefore object to direct marketing by telephone.
Sanctions and possibility of legal protection
The current proposal of the e-Privacy Regulation provides for various possibilities of legal protection and sanctions in the event of violating the rulings of the e-Privacy Regulation. For example, users are entitled to lodge a complaint with the responsible supervisory authority and to take judicial action. Furthermore, users have the power to assert claims for compensation against the service provider. In this respect, the e-Privacy Regulation refers explicitly to Articles 77, 78, 79 and 82 of the GDPR. The supervisory authorities are entitled to impose administrative fines. The level of these fines correlates to the regulations in the GDPR. Depending on the form of violation, fines of up to 10,000,000 or 20,000,000 EUR are conceivable – in case of an undertaking also up to 2% or 4% of the total worldwide annual turnover of the preceding financial year.
Summary
The latest draft of the new e-Privacy Regulation includes a number of new significant provisions. If the new Regulation is adopted by the European Parliament and the Council as intended, this will create new challenges not only for the German lawmakers who, in similar manner to the situation with the GDPR, will have to check the effects of the rulings of the e-Privacy Regulation on existing national laws and make amendments if necessary, but also for the service providers who will then also have to implement the new provisions and requirements stipulated by the e-Privacy Regulation in their business processes, in addition to implementing the requirements of the GDPR. This applies in particular to providers of Internet-based communication services that will now fall within the area of application of the new Regulation.