ePrivacy Regulation Explained

The Council of the European Union announced on February 10, 2021, that the Member States had agreed on a final negotiating mandate for the revised rules that will become the ePrivacy Regulation (ePR). The final text of the ePrivacy Regulation is still subject to further negotiations, but the mandate lays a road map for what will come.

The ePrivacy Regulation will replace the ePrivacy Directive. The ePrivacy Directive entered into force nearly 20 years ago, in 2002. For reference, the first-generation iPhone would not be announced for another 5 years. The Directive was aimed at regulating electronic communication, and this medium has exploded in the intervening years.

The ePrivacy Regulation is intended to work in complement with the provisions of the General Data Protection Regulation (GDPR). The new regulation's main intention is to lay down specific rules to govern electronic communications. If the GDPR comes into contradiction with the ePrivacy Regulation, the ePrivacy Regulation will take precedence.

GDPR and ePrivacy Regulation

Although there is some overlap between the GDPR and the ePrivacy Regulation, the regulations are intended to complement each other. In instances where the regulations overlap, the ePR is lex specialis with respect to the GDPR. This means that, with regard to those areas that fall within the scope of both regulations, the ePR, as the narrower instrument, takes precedence.

The GDPR has a broad scope concerning the processing of personal data while the ePR is intended to safeguard the privacy of individuals in the context of electronic communications. However, electronic communications often contain personal data and processing this data is only permitted in accordance with the GDPR.

There are similarities between the two regulations. For example, the definition of consent and the amount of fines are taken from the GDPR. The ePR also refers directly to the GDPR for the criteria that constitute consent. The GDPR requires that consent be freely given, informed, specific, unambiguous, and given by a clear, affirmative action. Passive consent such as pre-ticked consent boxes is no longer sufficient, and the end user must be able to withdraw their consent at any time. In addition, end-users have the right to request what personal data is kept on them (for example name, email address, home address, and phone number).

The enforcement of the ePR will also be entrusted to the Supervisory Authority in the member state.

What about the other legal bases for processing?

Complexity around the regulation remains. For example, clarification is still needed around the temporary storage of data in transit. Another important question to address will be whether the next and later versions of the regulation include or leave out the legal basis of “legitimate interest” to process electronic communications data. In the current version, legitimate interest as a legal basis was removed.

ePrivacy Regulation updates the ePrivacy Directive

The ePrivacy Regulation will replace the current ePrivacy Directive. The difference between a regulation and a directive is that a regulation is directly applicable in all member states. One of the main criticisms of the directive is that, being only a framework for the protection of communications, it created challenges for businesses operating across borders. When the ePrivacy Regulation goes into enforcement, it will do so uniformly in each member state.


The principle underlying the ePR is Article 7 of the Charter of Fundamental Rights of the European Union, the right to respect for private and family life. Respect for the principle of confidentiality in electronic communications requires that “information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in the communication.” The regulation takes this principle and applies it to “calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media.” Any interference, including listening to, monitoring or other processing of data by anyone other than the parties involved in the communication, is prohibited, subject to exceptions.

One major difference will be the regulation’s extension of rules that currently apply only to internet access and telecommunications providers to email and messaging services like WhatsApp and Signal. The rules will apply when end-users are in the EU. This also covers cases where the processing takes place outside of the EU or the service provider is established or located outside the EU. The ePR is intended to regulate organisations and individual providers that deal with publicly available electronic communications. Some examples include:

  • Website owners
  • Users of online tracking tools
  • Telephone/internet marketers
  • Communication service providers
  • Owners of publicly available directories
  • Publicly available wireless network operators

As the user’s terminal equipment (e.g. a cell phone), both software and hardware, may store highly personal information, the use of its processing and storage capabilities and the collection of information from the device is allowed only with the user’s consent.

The ePR carries the same possible fines as the GDPR. This means fines of up to €20 million or 4% of global turnover, whichever is higher.

Scope of Application (Article 3)

The rules of the ePrivacy Regulation apply to providers of electronic communication services and publicly available directories, as well as to those who use electronic communications to send direct marketing, make use of the processing and storage capabilities of terminal equipment, or collect information stored on or processed by terminal equipment. Publicly available directories are directories that contain end-users’ contact details such as phone numbers and email addresses, and include inquiry services.

Consent of end-users remains the centrepiece for processing and storage capabilities, and the collection of information from their terminal equipment.

According to Article 1, the ePrivacy Regulation applies to natural and legal persons involved in electronic communication services. The ePrivacy Regulation specifically provides for the protection of personal data processed for end-users located in the EU, the protection of information located within the terminal equipment (e.g. a cell phone) of users located in the EU, and the sending of direct marketing communications to end-users within the EU.

The ePrivacy Regulation is like the GDPR in that it has extraterritorial application and can apply regardless of whether the provider of an electronic communications service is established in the EU.

Article 3 also requires the appointment of a representative in the EU if the provider of electronic communications services, direct marketing communications, or the person storing and processing data in terminal users’ equipment is not established within the EU. This representative must be established in one of the Member States where the end-users are located.

Confidentiality with Respect to metadata collected from electronic communications (Article 6b)

Our communications reveal some of the most sensitive information about us, ranging from our “personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment.” The new regulation will cover not only the content of communications but also the metadata, such as “numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call.” Metadata has the power to reveal “social relationships, their habits and activities of everyday life” (ePR, Recital 2).

Metadata is information derived from the electronic communication other than the content of the communication. Metadata is data about data, providing information such as who the communicating parties were, when the communication was made, or the IP address of a computer that sent a chat message. This type of information can be sensitive and revealing of one’s private life.

Where the directive only covered more traditional telephone marketers and similar services, the ePR extends the privacy protection of the directive by including ‘over the top’ (OTT) communication services like Skype and instant messengers like WhatsApp. OTTs are entities that offer communication services over the users’ internet connection.

The use and storage of metadata from OTT services is only allowed in the following specific cases:

  • For the provision of services requested by an end-user if the end-user has given consent;
  • If the end-user has given consent;
  • The information is necessary for the transmission of the communication;
  • The information is necessary for security reasons or for detecting technical faults;
  • The information is necessary for detecting and removing child pornography;
  • The information is necessary for achieving network optimisation;
  • For billing purposes or to prevent fraud;
  • In the case of an emergency;
  • Upon request of a competent authority;
  • For research/statistical purposes; or
  • Stored data is anonymized or deleted.

Location Metadata

The ePrivacy Regulation broadens the possibility of processing electronic communications metadata by regulating the processing of metadata for location services. Article 6b(e) states that metadata constituting location data that indicates the geographic position of the terminal equipment can be processed if it is necessary for statistical purposes, provided that:

  • The data is pseudonymised;
  • The processing in question could not take place by processing anonymised data;
  • Location data is erased or anonymised when it is no longer needed; and
  • The location data is not used to determine the nature or characteristics of an end user or to build a profile.

Borrowing from GDPR, where processing of electronic communications metadata uses new technologies and is likely to result in a high risk to the rights and freedoms of natural persons, a data protection impact assessment and potentially consultation with the supervisory authority should take place prior to the processing.

Rules on Cookies and similar tracking devices (Recital 20aaaa, 20a, 21, 21a)

Cookies are small files that hold data about the end user and are stored on the end user’s device. There are other online tracking devices that are also covered by the ePR, but for simplicity I will refer to all of them as cookies. For some cookies considered ‘non-privacy intrusive’, consent is not needed. Examples include e-commerce cookies, such as those remembering shopping basket contents.

When a user visits a website, the website saves data in the user’s browser, such as passwords and preferences like language. These are first-party cookies. When another website loads in your default language using a cookie that it did not set itself to determine your preferences, that is a third-party cookie. The two kinds of cookies are distinguished and regulated differently under the ePR.

The GDPR consent requirement adds additional layers of information, such as privacy policies and explanatory messages, that add to the burden on end-users. The ePR seeks to reduce this burden and counter ‘consent fatigue.’

Recital 20a addresses the issue of ‘consent fatigue’, where ubiquitous use of tracking cookies overloads end-users with consent requests, which can lead to a situation in which “consent request information is no longer read, and the protection offered by consent is undermined.” The ePrivacy Regulation seeks to address this by allowing users to provide consent to a specific provider for the use of cookies for one or more specific purposes across service providers. The user could, for example, provide consent to the use of certain types of cookies for certain service providers through whitelists. Cookies that assess the effectiveness of website design and advertising, or that measure the number of end-users visiting the website, are performance cookies and do not require end-user consent. This is not the case for cookies used to identify the end-user.

“Cookie walls”, where access to a website is denied to users who refuse to consent to trackers on the website, are permitted in certain circumstances when the user has a real choice between services. Where access to website content is made dependent on the end-user’s consent to the installation of cookies for additional purposes, this does not deprive the end-user of a genuine choice so long as there is a choice between:

  • A service offer that includes consenting to the use of cookies for additional purposes; and
  • An equivalent offer by the same provider that does not involve consenting to use for additional purposes.

A situation where there is “a clear imbalance between the end-user and the service provider” may deprive end-users of a genuine choice.

Cookies present a challenge to regulators, and this is a section of the regulation that has been revised and will be revised again in future versions. What will remain is the aim of reducing the number of cookie requests presented to the end-user, together with more detailed cookie settings.

Direct Marketing Provisions (Article 16)

Direct marketing is any form of advertisement sent directly to one or more specific end-users using publicly available electronic communications services. Direct marketing includes voice-to-voice calls, the use of automated calling with or without human interaction, and e-mail. The ePR forbids such direct marketing toward individuals unless prior consent has been obtained. An exception is made in the case of emails if the individual has bought a product or service from the organisation before, and the individual can object to such messages.

Direct marketing in this sense does not include more general advertisements on websites. Recitals 33 and 34 address the possibility of withdrawing consent for direct marketing. This provision applies to natural persons, so the rules for business-to-business marketing may be different.

Under Article 16, there are specific things that must be communicated in direct marketing communications including:

  • Informing end-users of the marketing nature of the communication and of the identity and contact details of the legal or natural person on whose behalf the direct marketing communication is sent; and
  • Providing a means for end-users to object to, or withdraw consent for, the receipt of further direct marketing communications.

Next Steps

There is still a long road ahead for the ePrivacy Regulation. The Portuguese Presidency of the Council will enter talks with the European Parliament and European Commission to agree on a finalised text of the ePrivacy Regulation. To arrive at a finalised version the ‘trilogue’ will have to come to an agreement. The other two parties have not decided on their negotiation position yet, and further delay will be caused by the EU Parliament election in May.

The regulation will enter into force twenty days after its publication in the Official Journal of the EU, and enforcement will begin two years later.

Keeping up to date on developments with the ePR is important for all businesses active in the online communication market. Implementing the ePR alongside the GDPR will reduce the risk of enforcement penalties. Businesses redesigning their websites should take the proposed regulation into consideration, ensuring those websites are sufficiently flexible to provide for compliance and adaptation to stricter requirements.
