The New EU e-Privacy Regulation Draft

On January 5, 2021, the Council of the European Union under the Portuguese Presidency released the new draft, draft 14th of the e-Privacy Regulation which is meant to replace the e-Privacy Directive. The latest draft of the e-Privacy Regulation attempts to align with the European Union’s General Data Protection Regulation (GDPR) and applies to both current and future means of communications, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media. This article aims to provide an overview of the new draft of the e-Privacy Regulation, highlighting its key principles.

The e-Privacy Regulation regulates the processing of electronic communications data including the electronic communications content and electronic communications metadata in connection with the provision and the use of publicly available electronic communications services in the European Union, irrespective of the technologies used.

The underlying theme of the e-Privacy Regulation is that the electronic communications data shall always be held confidential keeping in consideration an individual’s fundamental right to data privacy. Any interference with electronic communications data, including listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing of electronic communications data by anyone other than the end-users concerned is permitted only in limited circumstances:

• where it is necessary to provide an electronic communications service,
• where it is necessary to maintain or restore the security of electronic communications networks and services, or detect technical faults and/or errors and/or security risks and/or attacks in the transmission of electronic communications,
• where it is necessary to detect or prevent security risks or attacks on terminal equipment of end-users,
• where it is necessary for compliance with a legal obligation to which the electronic communications service provider is subject.

Processing of Electronic Communications Content:

Providers of electronic communications networks and services can process electronic communications content in any of the following circumstances:

• for the purpose of the provision of a service requested by an end-user for purely individual use if the requesting end-user has given consent and where such requested processing does not adversely affect fundamental rights and interests of another person concerned,
• if all end-users concerned have given their consent to the processing for one or more specified purposes.

Processing of Electronic Communications Metadata:

Providers of electronic communications networks and services can process electronic communications metadata in any of the following circumstances:

• if it is necessary for the purposes of network management or network optimisation or to meet the technical quality of service requirements,
• if it is necessary for the performance of an electronic communications service contract to which the end-user is a party,
• if the end-user has given consent to the processing for one or more specified purposes
• if it is necessary to protect the vital interest of a natural person,
• if it is necessary for statistical purposes of electronic communications metadata or other than based on electronic communications metadata that constitute location data or for scientific research purposes, provided certain conditions are met.

Where the processing of electronic communications metadata is done for scientific research or statistical purposes, end-users should be given the right to object to such processing. Moreover, such processing should only result in aggregated data and such data should not be used for any other purpose such as profiling or drawing conclusions concerning the private life of an end-user.

Processing and storage capabilities from end-user’s terminal equipment:

End-user’s consent is required prior to the processing and storage capabilities and the collection of information from the terminal equipment. This means that the user’s consent must be obtained before processing cookies or other tracking technologies.

However, consent is not required where the processing is necessary and proportionate for the purpose of carrying out the transmission of electronic communication over an electronic communication network or for the provision of the service specifically requested by the end-user. For example, consent is not required for cookies stored for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages, authentication session cookies that are used to verify the identity of end-users engaged in online transactions, and cookies that are used to remember items selected by the end-user and placed in the shopping basket.

To enable the data subject to provide consent via transparent and user-friendly mechanisms, the e-Privacy Regulation encourages service providers to implement suitable technical means in electronic communications software. One way of ensuring that valid consent has been obtained from the end-user is by offering him/her a genuine choice between a service that includes consenting to the use of data being processed for additional purposes on the one hand, and an equivalent service offered by the same data controller that does not involve consenting to data use for additional purposes, on the other hand. In such a case, both the services offered to the data subject should be genuinely equivalent.

Rules governing direct marketing communications:

Direct marketing communications refers to any form of advertising sent by a natural or legal person directly to one or more specific end-users using publicly available electronic communications services. It is allowed only with the consent of the concerned end-user. Besides, end-users should be provided the right to object at the time of collection of their contact details and they should be able to withdraw their consent at any time, free-of-charge, in an easy and effective manner.

How Securiti can help?

The e-Privacy Regulation once made into law, will have potentially significant effects on organizations especially those that use metadata or tracking tools to monitor online behavior. By aligning with the principles of the GDPR, the e-Privacy Regulation aims to create more uniformity and certainty for organizations as to what compliance actions need to be taken.

Failing to comply with the provisions of the e-Privacy Regulation may lead organizations to pay administrative fines up to 20 million euros or four percent of the company’s total worldwide annual revenue, whichever is greater. Considering such exorbitant fines, it is highly important for organizations to proactively manage electronic communications data as per the applicable requirements.

Read The e-Privacy Directive and the e-Privacy Regulation - What to Expect and learn how e-Privacy Regulation will change the e-Privacy Directive.

Securiti with its PrivacyOps methodology and automation enables organizations to discover data over a web of internal and external systems, stitch a data graph to link personal data with each individual, conduct an automated internal assessment of policies and third-party vendors, and effectively manage consent, revocation of consent, and consent in relation to cookies and other tracking technologies.

Ask for DEMO today to understand how Securiti can help you prepare for compliance with the upcoming e-Privacy Regulation as well as comply with GDPR, e-Privacy Directive, and a whole host of global privacy regulations, with ease.