New E-Privacy Regulation Proposed
In the EU (including the UK for now) there are two primary laws that govern the protection of personal data.
The first is the Data Protection Directive and the second is the E-Privacy Directive. Last year the European Union announced the repeal of the Data Protection Directive, which will be replaced by the General Data Protection Regulation (GDPR). The European Commission has now published its plan to update the E-Privacy Directive. This will be accomplished by repealing the Directive and replacing it with a new Regulation (“the E-Privacy Regulation”).
So What’s New?
The European Commission press release says that the new Regulation will “…provide a higher level of protection for consumers whilst allowing businesses to be more innovative”. The Directive dates back to 2002 and was only updated in 2009, when the rules on cookies on websites were changed. It was felt necessary to update the law on electronic communications and personal data in light of the wide-sweeping changes introduced by the GDPR. Here is a summary of the main changes proposed by the European Commission:
- Increased fines: penalties for breaching the E-Privacy Regulation will mirror those of the GDPR. In summary, those fines are €20,000,000 or 4% of worldwide turnover for serious breaches or €10,000,000 or 2% of worldwide turnover for less serious breaches.
- Increase of scope: the E-Privacy Regulation will extend its scope to cover internet-based voice and internet-messaging services such as Skype, WhatsApp, Facebook and Snapchat.
- The rules regarding cookies will be simplified: consent will no longer be required for non-privacy-intrusive cookies. The UK Information Commissioner’s Office has already recommended this approach but, until now, it was considered more lenient than the approach of other European regulators.
- Regulation: because the new law will be a Regulation (not a Directive) it will have direct effect in all EU member states. This mirrors the approach taken with the GDPR.
The EC has said that it is calling on the European Parliament and the European Council to work swiftly to ensure a smooth adoption of the E-Privacy Regulation by 25 May 2018. This is the same implementation date as the GDPR. Implementation by this date is optimistic, particularly in light of the four-year negotiation period for the GDPR.
How is this different to the GDPR?
The GDPR is a new law which will be implemented on 25 May 2018 across the European Union and creates a new framework governing organisations’ processing of personal data. The E-Privacy Regulation relates specifically to electronic communications, for example SMS, MMS and email, as well as the new communication types described above. The ambition of the European Commission is clearly to have the E-Privacy Regulation and the GDPR operating simultaneously and harmoniously.
What about Brexit?
We now know that the GDPR will be implemented in the UK despite Brexit, as was confirmed by the UK government towards the end of 2016. If the implementation date for the E-Privacy Regulation is achieved, then it is possible that this Regulation could form part of the body of European Union law captured by the Great Reform Bill once enacted. However, if there are delays in the legislative process, there is a risk that the E-Privacy Regulation may not be specifically adopted by the UK. In our view it is unlikely that the UK would want a gap in compliance with EU data protection law, and so further legislation may be required in the UK to ensure that UK law mirrors EU law as closely as possible in this respect.
What action should we take?
The E-Privacy Directive remains in force (as does its UK implementing legislation, the Privacy and Electronic Communications Regulations 2003) and, as such, compliance with the existing law is all that is currently required. However, it is prudent to be aware that change is on the horizon and to start planning for those changes now. This would include a review of your business’ compliance with data protection law as a whole, as well as undertaking training to ensure your business is aware of its data risk areas and can demonstrate compliance.
If you would like more information on this, please contact Matthew Holman.