The European Commission's proposed e-privacy regulation sets forth obligations on handling electronic communications and clarifies obligations for seeking consent for the use of cookies. Meant to bring the e-privacy directive in line with the General Data Protection Regulation (GDPR), the regulation imposes steep penalties for failure to comply for companies worldwide, including in the United States.

What is the significance of the regulation?

  • Greater harmonization and certainty: The regulation is directly binding on member states, but does not require all 28 implementing national laws. Similar to the GDPR, the regulation is meant to harmonize the privacy regime relating to electronic communications, providing the same level of protections to all individuals and businesses throughout the EU. It is also meant to provide greater certainty regarding enforcement.

  • Applies to more companies: Intended to bring the 2002 e-privacy directive, up to the present day, the regulation will apply not only to traditional telecommunications providers but to a wide variety of providers, including "over the top" communications service providers such as Facebook Messenger, WhatsApp, Gmail, and others. It also applies to individuals who use electronic communications services to send direct marketing commercial communications or collect information related to or stored in end-users’ terminal equipment. This significantly increases the number of companies who will need to comply.

  • Greater fines: The fines for violation of key provisions in the regulation are subject to two-tier fines similar to those in GDPR, raising the stakes for the companies subject to its jurisdiction. The national data protection authorities of each member state will be in charge of enforcement.

    • Breaches of the rules regarding notice and consent, default privacy settings, publicly available directories, and unsolicited communications will be punishable by fines of up to the greater of 10 million euros or 2 percent of worldwide turnover.

    • Breaches regarding the confidentiality of communications, permitted processing of electronic communications data, and the time limits for erasure of data may be punished with fines of up to the greater of 20 million euros or 4 percent of worldwide turnover.

  • Greater clarity regarding cookies: The regulation sets forth clearer rules regarding when consent and disclosure may be needed in connection with cookies stored on users' devices. For example, no consent would be needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or for cookies set by a visited website counting the number of visitors to that website.

  • Applies to more information: The regulation applies to all "electronic communications content" and "electronic communications metadata." This is a much broader set of information than "Personal Data," which is covered by the GDPR.

  • Enhanced consent and disclosure requirements: The regulation requires consent or the right to object for unsolicited electronic communications by any means (email, text, etc.). It also requires prominent disclosure for certain collection of information including metadata and location data. Once consent is provided, however, companies would be able to use the information for additional broader purposes. 

What to do now?

The regulations are still subject to review and approval by the European Parliament and the European Council and are expected to go into effect concurrently with the GDPR on May 25, 2018. Companies that fall under the scope of the regulation can get started on preparing for compliance by:

  • Assessing the information they collect and adapting their disclosures and practices as necessary: Collection and use of metadata will need to be incorporated into the consents. Prominent notice may need to be added when monitoring or using location data emitted by a mobile device.

  • Reviewing and revising cookie policies: Corporations should assess what cookies they use and to what end and determine whether those require consent. Some disclosures regarding information stored on the user device may need to be amended. Users of software used for electronic communications would need to be provided information about the privacy setting options at installation as well as the opportunity to prevent third parties from storing information on their device.

  • Appoint an EU representative: Companies subject to the regulation that do not have a physical presence in the EU will need to designate in writing a local representative in one of the member states.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cyber incident response team assists organizations of all sizes in preparing for and responding to cyber incidents, and the investigations and litigation that often follow them. Our attorneys also regularly work with companies on structuring and properly documenting cross-border data transfers, drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the General Data Protection Regulation and the EU–U.S. Privacy Shield.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices