'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on January 25, 2021 AUTHOR PRIVACY RESEARCH TEAM
On January 5, 2021, the Council of the European Union under the Portuguese Presidency released the new draft, draft 14th of the e-Privacy Regulation which is meant to replace the e-Privacy Directive. The latest draft of the e-Privacy Regulation attempts to align with the European Union’s General Data Protection Regulation (GDPR) and applies to both current and future means of communications, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media. This article aims to provide an overview of the new draft of the e-Privacy Regulation, highlighting its key principles.
The e-Privacy Regulation regulates the processing of electronic communications data including the electronic communications content and electronic communications metadata in connection with the provision and the use of publicly available electronic communications services in the European Union, irrespective of the technologies used.
Electronic Communications Data
|Electronic Communications Content||Electronic Communications Metadata|
|The content exchanged by means of electronic communications services, such as text, voice, videos, images, and sound.||Data processed by means of electronic communications services for the purposes of transmitting, distributing or exchanging electronic communications content, including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication.|
The underlying theme of the e-Privacy Regulation is that the electronic communications data shall always be held confidential keeping in consideration an individual’s fundamental right to data privacy. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data by anyone other than the end-users concerned is permitted only in limited circumstances:
Providers of electronic communications networks and services can process electronic communications content in any of the following circumstances:
Providers of electronic communications networks and services can process electronic communications metadata in any of the following circumstances:
Where the processing of electronic communications metadata is done for scientific research or statistical purposes, end-users should be given the right to object to such processing. Moreover, such processing should only result in aggregated data and such data should not be used for any other purpose such as profiling or drawing conclusions concerning the private life of an end-user.
End-user’s consent is required prior to the processing and storage capabilities and the collection of information from the terminal equipment. This means that the user’s consent must be obtained before processing cookies or other tracking technologies.
However, consent is not required where the processing is necessary and proportionate for the purpose of carrying out the transmission of electronic communication over an electronic communication network or for the provision of the service specifically requested by the end-user. For example, consent is not required for cookies stored for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages, authentication session cookies that are used to verify the identity of end-users engaged in online transactions, and cookies that are used to remember items selected by the end-user and placed in the shopping basket.
To enable the data subject to provide consent via transparent and user-friendly mechanisms, the e-Privacy Regulation encourages service providers to implement suitable technical means in electronic communications software. One way of ensuring that valid consent has been obtained from the end-user is by offering him/her a genuine choice between a service that includes consenting to the use of data being processed for additional purposes on the one hand, and an equivalent service offered by the same data controller that does not involve consenting to data use for additional purposes, on the other hand. In such a case, both the services offered to the data subject should be genuinely equivalent.
Direct marketing communications refers to any form of advertising sent by a natural or legal person directly to one or more specific end-users using publicly available electronic communications services. It is allowed only with the consent of the concerned end-user. Besides, end-users should be provided the right to object at the time of collection of their contact details and they should be able to withdraw their consent at any time, free-of-charge, in an easy and effective manner.
Key Changes in the new draft of the e-Privacy Regulation
Some of the notable changes introduced in the new draft of the e-Privacy Regulation from previous versions are set out below:
|Widening the territorial scope||The new draft clarifies that the e-Privacy Regulation applies to data controllers that are not established in the EEA but are established in a place where member state law applies by virtue of public international law.|
|Definition of Location Data||The new draft introduces the definition of location data. According to which, location data means data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.|
|Processing for purposes compatible with initial purposes||The new draft allows the processing of electronic communications data including electronic communications metadata for purposes compatible with the initial purpose for which the data was collected.|
|Processing for the performance of a contract||The new draft reaffirms the GDPR’s standard for the “performance of a contract” as one of the lawful basis of data processing. Accordingly, service providers can process electronic communications data where it is necessary for the provision of an electronic communications service based on a contract with the end-user.|
|Requirement of a Data Protection Impact Assessment||The new draft requires service providers that share anonymized statistical metadata to conduct a data protection impact assessment (DPIA), consult the supervisory authority as the case may be, and inform the concerned data subjects of the envisaged processing operations. This should take place in accordance with Articles 35 and 36 of the GDPR even though the GDPR does not consider anonymized data as personal data. Moreover, where the processing of electronic communications metadata is likely to result in a high risk to the rights and freedoms of natural persons or using new technologies, service providers must conduct a DPIA and consult the supervisory authority as the case may be, prior to such processing.|
|Clarification on consent||Consent that is directly given by an end-user to a service always prevails over software settings which must be updated and implemented without further delay.|
The e-Privacy Regulation once made into law, will have potentially significant effects on organizations especially those that use metadata or tracking tools to monitor online behavior. By aligning with the principles of the GDPR, the e-Privacy Regulation aims to create more uniformity and certainty for organizations as to what compliance actions need to be taken.
Failing to comply with the provisions of the e-Privacy Regulation may lead organizations to pay administrative fines up to 20 million euros or four percent of the company’s total worldwide annual revenue, whichever is greater. Considering such exorbitant fines, it is highly important for organizations to proactively manage electronic communications data as per the applicable requirements.
Read The e-Privacy Directive and the e-Privacy Regulation - What to Expect and learn how e-Privacy Regulation will change the e-Privacy Directive.
Securiti with its PrivacyOps methodology and automation enables organizations to discover data over a web of internal and external systems, stitch a data graph to link personal data with each individual, conduct an automated internal assessment of policies and third-party vendors, and effectively manage consent, revocation of consent, and consent in relation to cookies and other tracking technologies.
Ask for DEMO today to understand how Securiti can help you prepare for compliance with the upcoming e-Privacy Regulation as well as comply with GDPR, e-Privacy Directive, and a whole host of global privacy regulations, with ease.