The EU is changing the EU E-Privacy Directive, often also called the “Cookies Directive”, in order to bring it in line with the EU General Data Protection Regulation (“GDPR”), which was adopted in Spring this year – we previously wrote about the changes here.
A consultation on the changes was launched this April and ran to July 2016, the summary of which can be found here.
The next step is for the EU to issue the proposed legislation, which may come soon. The short title of the proposed rules is understood to be the “(EU) Privacy and Electronic Communications Regulation”. Key aspects of the proposed rules are understood to include the following, which are in many instances similar to the GDPR:
- Legal Form – the proposed rules will be in the form of a Regulation, meaning that a uniform set of rules will apply throughout the EU, although the EU Member States have some scope to introduce their own additional rules in a select number of areas;
- Scope – the proposed rules will apply to “the processing of electronic communications data processed in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users”;
- Reach – the proposed rules will also have extra-territorial effect and those whom it affects outside the EU will have to appoint a representative in the EU to deal with regulators etc.;
- Consent – under the proposed rules the same consent conditions apply as under the GDPR (freely given, specific, informed and unambiguous etc.), and consent must be obtained before Cookies are served;
- Direct Marketing – under the proposed rules an opt-in requirement will apply to direct marketing phone calls, and, the Right To Object provisions of the GDPR will apply to some direct marketing and profiling;
- Security Risks – security measures as set out under the GDPR must be applied, and, where there is “a particular risk that may compromise the security of networks and services the provider of an electronic communications service must inform end-users concerning such risk”;
- Sanctions – increased fines may be imposed for infringements, including up to Euro 20 million or 4% of annual global turnover, whichever is the greater, for infringements of certain Regulation provisions concerning confidentiality;
- Time of Applicability – the proposed rules are supposed to be fully applicable 6 months after they enter into force; and,
- Next steps – once the European Commission has officially issued the proposed Regulation it will then have to be considered by the European Parliament and the (EU) Council.
The proposed rules are a work in progress so the official version will have to be checked once it has been published by the European Commission to confirm our initial thoughts.
Once the proposed rules are officially published, those businesses affected by them should dovetail preparation for them with their compliance preparation for the GDPR. Although this may sound like regulatory overload, our experience is that proper procedures and a flexible plan for future legal change are realistic and achievable – the window of opportunity to comply before the rules fully apply will likely be short.
It is too early to say whether the new rules will apply in the UK, but, given that the aim of the proposed rules is to be in line with the GDPR, and, given that the UK government has announced that the GDPR will apply in the UK at their May 2018 full applicability date (as the Brexit process will still be underway then), it is conceivable that the proposed rules will also apply in the UK.
We have developed a special product to assist with compliance with EU GDPR called Cordery GDPR Navigator – more details about this can be found here. We also write regularly and produce films about data protection and privacy issues which can be found here.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com