10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 12: The new EU ePrivacy Regulation hasn’t been finalised.

The second thing which didn’t happen whilst I was on maternity leave: the new EU ePrivacy Regulation wasn’t finalised. The new Regulation is due to replace the EU ePrivacy Directive1 and the UK’s current ePrivacy Regulations (commonly referred to as ‘PECR’)2.

The full title of the proposed new law is: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications). It was originally due to apply as from 25 May 2018, the same day from which the GDPR applied, but the text was not finalised by then, and has still not been.

The proposed ePrivacy Regulation contains rules on electronic communications services and the use of communications data. Many of the provisions apply specifically to organisations in the communications sector: providers of communications services, providers of publicly available directories, and providers of software permitting electronic communications. Importantly this includes providers of services such as WhatsApp, Facebook Messenger and Skype, in addition to traditional telecommunications providers.

Provisions which will be of interest to all sectors include those relating to direct marketing and cookies. Some key aspects of the proposed new Regulation which add to or amend current law in these areas are as follows.

  • Meaning of direct marketing communications: There is a new definition of direct marketing communications as follows (from the 19 October 2018 version) (bold added): "any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction, electronic message, etc.".
  • Clear provisions on territorial scope: The rules apply to direct marketing communications to end-users in the EU (even if the sender is outside the EU), and to the protection of terminal equipment information (collected using cookies, for example) for end-users in the EU.
  • Unsolicited direct marketing communications to end-users: the requirements for marketing communications (such as seeking consent to send them) refer to the end-user rather than (under current law) to the ‘subscriber’ to the relevant communications service. End-user is defined by reference to a separate EU Directive, and means the individual or company using or requesting the service. Query, therefore, whether the end-user relevant to an email sent to a company employee would include both a company and the individual employee?
  • Consent: The consent rules within the GDPR will also apply to consents required under the ePrivacy Regulation.
  • The ‘soft opt-in’ rules: Under PECR (current UK law), provided specific rules are followed (often referred to as the ‘soft opt-in’ rules), direct marketing communications may be made by electronic mail without prior consent to some individuals. Their contact details must have been obtained in the course of the sale or negotiations for a sale (i.e. no actual sale is required). Under the proposed ePrivacy Regulation, though the precise wording has been subject to change throughout the versions, an actual sale may be required.
  • Identity and contact details: There are requirements for those sending direct marketing communications to provide their identity, contact details and a means to object or withdraw consent.
  • New (simpler?) rules on cookies: The EU Commission introduced its ePrivacy Regulation proposal with a statement that it included "simpler rules on cookies". However, I am finding them quite confusing to read! The wording has been regularly changing at each stage of the legislative process, including the circumstances in which consent is not required for cookies (such as where necessary for audience measuring or service security), the use of browser settings to indicate consent (which may now have been removed due to practical concerns), and the information to be provided to users about cookies. The final version (when agreement is reached) may therefore look substantially different to the early proposals.

See also article number 9 in my series discussing the recent changes to ePrivacy law in relation to the liability of company directors for ICO monetary penalties for unlawful direct marketing activities. Brexit will also necessitate amendments to ePrivacy laws – see the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Olivia Whitcroft, principal of OBEP, 20 June 2019

1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

2 The Privacy and Electronic Communications (EC Directive) Regulations 2003

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details