07/01/2020

Whilst data is now firmly at the front and centre of political and corporate consciousness, regulators are still struggling to find the perfect balance between data security on the one hand and technological growth and innovation on the other.

Nowhere has the debate on where the fulcrum should lie been fiercer than in Europe. The European Union’s latest weapon in its arsenal of regulatory instruments is the ePrivacy Regulation (the ePR), which has threatened for some time to build on the broad foundations of the GDPR and take them to an unprecedented height. Negotiations on the ePR have been deadlocked for a while, with developments at the end of 2019 leading to further uncertainty.

The ePR - what is it?

In Europe, the protection of personal data and the privacy of electronic communication data was historically governed by Directive 2002/58/EC (ePrivacy Directive). As a directive, the ePrivacy Directive needed to be implemented into domestic law by European member states to become effective, leaving member states to interpret and choose their own rules for adoption. The ePrivacy Directive therefore did not provide a consistent and enforceable framework across Europe, and operators in the EU were left to navigate the web of national frameworks, each of which has different obligations and rules.

In an effort to achieve some uniformity in this space, the European Parliament rolled out a landmark regulation (directly enforceable in EU member states without the need for further implementation) to cover the personal data aspect of the ePrivacy Directive called the General Data Protection Regulation (GDPR). In January 2017, the European Commission proposed the next step in its ‘Digital Single Market’ strategy– the ePR. Hot on the heels of the GDPR, the ePR was meant to address what was left of the ePrivacy Directive - namely the privacy of electronic communication data – and to ultimately repeal the ePrivacy Directive.

As with the GDPR, the ePR was intended to have a broad extraterritorial reach and would have been enforceable against entities located outside the EU. This means that Australian and other non-EU service providers that collect or process data from a person located within the EU would potentially be subject to the ePR and its strict fines. Particularly affected would be direct marketing providers, platforms employing cookies as well as providers of over-the-top communication services such as online messaging platforms.  

How will it work?

The ePR was intended to act alongside the GDPR – supplementing it where necessary - and together forming a cohesive framework for data protection. The GDPR is broadly framed, providing protection for personal data in a general sense. Meanwhile, the ePR is proposed to “particularise and complement” the GDPR. In broad terms, the ePR specifies how the general data protection framework outlined in the GDPR will be applied to electronic communication services provided over telecom networks and the internet.

This has two main implications for interplay between the two.  Firstly, where overlap exists, it would be the provision that deals with the subject more specifically that will prevail. As the GDPR tends to deal with data protection in a general sense, the ePR will typically be the regulation dealing with matters more specifically and therefore will prevail. Secondly, the ePR would complement the GDPR by providing protection for users previously outside the scope of the GDPR. For example, where the GDPR only provides for the protection of personal data of natural persons i.e. human beings, the ePR also provides protection for legal persons e.g. corporations.

The following table sets out some of the key concepts and distinctions between the GDPR and ePR:

Issue

GDPR

ePR

What data is covered?

Personal data, i.e. data which relates to a specific and identifiable natural person

Covers information such as:

  • Names
  • Locations
  • health status
  • ID numbers
  • other information that specifies the culture, physique, genetic economic or social identity of a person.

Covers all data and metadata created and transferred through electronic communication.

For example, it would cover:

  • Text, voice, video, images and sound information of phone and internet calls;  
  • Information about the equipment used for communication (phone, laptop);
  • Publicly available directories of end-users of electronic communications services; and
  • Targeted advertising

How does it apply to entities outside the EU?

Applies to all processing of personal data by individuals or organisations located in the EU.

Also applies to individuals and organisations not located in the EU where:

  • The data processed belongs to people in the EU; and
  • The processing is for the purposes of selling goods and services or to monitor their behaviour.

Applies to:

  • All providers of electronic communication services where the user is located within the EU;
  • The processing of electronic communication data of EU users; and
  • Direct marketing material sent to people in the EU

Is consent required to process data?

Not always - processing is lawful in any of the following circumstances:

  • Consent has been granted;
  • It is necessary for the performance of a contract the user is party to;
  • It is necessary for compliance with a legal obligation of the controller;
  • It is necessary to protect the vital interests of the user or another natural person;
  • It is necessary for the public interest; and
  • It is necessary for the legitimate interests pursued by the controller or by a third party, except where it is necessary to protect this data.

Yes, processing under the ePR always requires the consent of the user.

This requires users to freely give consent through both:

  • A clear affirmative act; and
  • An unambiguous indication of their agreement to the processing of personal data

Suggested methods include ticking a box on a web page:

  • Silence or inactivity will not constitute consent

Users must also be reminded of their ability to withdraw or modify this consent at least every 12 months.

How are cookies treated?

Only covers cookies very specifically when used to identify a user or make that user identifiable through age, race, sex, ID number etc.

Features comprehensive cookie articles that require more customisable browser settings and including cookies for non-personal data and metadata.

Penalties

Up to the higher of €10 000 000 or 2% of the total worldwide annual turnover for breaches regarding:

  • Specific controller, processor and data protection officer obligations
  • certification obligations
  • A failure to safeguard against, report or punish breaches of the Regulation

Up to the higher of €20,000,000 or 4% of global annual turnover for breaches regarding:

  • Unlawful processing and failure to obtain valid consent
  • Breach of the data subject’s rights including rights to access, rectify and erase personal data
  • Not ensuring data protection when transferring to international organisations or third countries
  • Member state law obligations
  • Non-compliance with a supervising authority

Up to the higher of € 10 000 000, or 2 % of total worldwide annual turnover for breaches regarding:

  • Protection of users' terminal equipment information
  • Publicly available directories
  • Direct marketing

Up to the higher of €20,000,000 or 4% of global annual turnover for breaches regarding:

  • Confidentiality of data
  • Unauthorised processing
  • Keeping information for longer than necessary
  • Non-compliance with a supervisory authority order

 

 

For a more in-depth insight into the GDPR and how it impacts Australian organisations click here.

Where is it now?

It has been almost 3 years since the first draft of the ePR was tabled. In that time the proposal has undergone significant transformation, with many concerned that the current form is too watered-down. Five separate progress reports and exchanges of views have been published since June 2017. Throughout 2018, a further seven compromise texts were put forward by the Working Party on Telecommunications and Information Society outlining the necessary changes made to the bill and providing a rationale for further compromise, and on 8 November 2019, the Finnish government issued a revised proposal for the ePR with amendments concerning electronic communication content, data & metadata, and further processing of metadata.

On 22 November 2019, however, the European Council once again rejected the latest draft of the ePR. This rejection came down primarily to differences in opinion between the EU’s member states about whether consent exemptions were appropriate to prevent serious child abuse and other serious crimes. Other notable sticking points included how conditional content access (cookie walls) should be structured as to not disrupt existing business models.

Looking to the future

It remains unclear whether consensus can be reached. With the Finnish Presidency of the European Council wrapping up at the end of 2019, the future of the ePR rests with the incoming Croatian and German presidencies. Critics of the ePR’s recent ‘watering down’ will welcome the incoming German Presidency as they look set to double down on greater protections of user metadata and terminal information as well as more sophisticated cookie consent obligations.

In 2020 the ePrivacy Directive was scheduled to be reviewed for potential updates. However, when the ePR was announced, this review was sidelined given the ePrivacy Directive was to be repealed by the ePR. Now, with the review of ePrivacy Directive arriving early next year, stakeholders have suggested that a better approach would be to scrap the ePR altogether, and instead to update the ePrivacy Directive and use the GDPR to fill the gaps. In the meantime, the rules in the EU around electronic tools such as cookies and spam will remain a patchwork of national laws, and companies will have to check their compliance on a country by country basis.

Either way the fate of the ePR is very uncertain. As we move towards a future dominated by data, the calls from industry and users alike for clarity and consistency will only increase. Whether the ePR will be able to deliver this reform in the immediate future remains unclear. With technological innovation and user needs become increasingly sophisticated, the regulatory battle is far from over and any organisation employing electronic communications should expect a shake-up of these laws in the very near future.

Authors: Lesley Sutton, Nikhil Shah and James Lamberton 

""

A one-stop shop for the most frequently asked legal questions by in-house counsel, providing expert tips, example clauses and usage guides.