ePrivacy - Everything you need to know about it

What exactly is ePrivacy and how does it affect your business? In this article we want to give you an overview over the new EU regulation.

1. What is ePrivacy

It is an EU regulation. The ePrivacy Regulation was supposed to come into effect at the same time as the General Data Protection Regulation (GDPR), but sparked so much debate that it is now set to come out in 2019 - if not later.

2. What does the ePrivacy regulation cover?

The ePrivacy Regulation applies to electronic communications. For that reason, the scope of the ePrivacy Regulation is very broad - “electronic communications” will cover any content exchanged by electronic means. This includes text, images, speech, videos, and metadata. ePrivacy pays special attention to, and specifically covers, the areas of unsolicited marketing, cookies and confidentiality.

3. What kind of actions are prohibited?

Any interception or handling of electronic communications content by anyone other than the end users can only be done if the ePrivacy Regulation allows it. Storing, monitoring, listening, scanning or otherwise surveilling electronic communications data are examples of processing that will only be legal when done ePrivacy-compliantly.

4. Who does it apply to?

ePrivacy will apply to any organisation providing any form of online communication service, using online tracking technologies or metadata, or engaging in electronic direct marketing. Examples of who ePrivacy applies to are:

  • website owners
  • owners of apps that have electronic communication as a component
  • natural or legal persons sending direct marketing communications
  • telecommunications companies
  • messaging service providers (Whatsapp, Facebook and Skype)
  • internet access providers, (ex. a store or café providing open WiFi access)

The regulation also applies to machine-to-machine communications (Internet of Things).

5. What will be new with the ePrivacy regulation?

Cookies

ePrivacy contains new rules on cookies. When cookies are only used for technical purposes (for example, remembering what you put in your basket while shopping online), users no longer need to consent to the cookie use. If the cookie is used for tracking or advertising however, it requires consent.

Tracking walls

The regulation also aims to get rid of tracking walls. The term “tracking wall” refers to websites that refuse users to access the website’s content unless the user consents to cookies. Websites will no longer be able to deny users access on the basis that they don’t consent to cookies.

Confidentiality

Providers of any electronic communication service - like Gmail, Skype, Facebook Messenger and WhatsApp, are now required to provide higher data safety standards to make sure communications data is kept confidential. They are required to secure all communications data through the best available techniques.

Metadata

Metadata is covered by the regulation. Interception of metadata can only happen in accordance with the regulation.

Directive vs. Regulation

The ePrivacy regulation is an update of the ePrivacy Directive from 2002. There is significant difference between EU directives, like the ePrivacy law from 2002, and regulations, like the new ePrivacy regulation. While a Directive needs to be implemented on a national level, a regulation becomes legally binding in the EU countries immediately. Directives are implemented with slight differences across country borders while regulations have the exact same content in all EU countries. The fact that the ePrivacy laws are now in a regulation shows EUs continuing dedication to thorough data protection across the EU.

Unsolicited Marketing

Marketers will not be able to send emails or text without prior permission from each email or mobile account holder, which will lead to a reduction in spam.

6. How does ePrivacy compare to GDPR?

The GDPR and ePrivacy regulation share a number of similarities:

  • They share the same high fines for non-compliance
  • Both aim to align data privacy laws across the EU
  • Both apply to processors of data of individuals residing in EU territory, whether or not the processors themselves are located within the EU
  • Both are EU regulations

There are however some major differences between the two regulations, which are outlined in the table below.

GDPRePrivacy
ScopeThe GDPR contains rules regarding “personal data”.ePrivacy contains rules regarding “electronic communications”.
Definition“Personal data” means any data that can be used to identify someone.“Electronic communications” means any data that is communicated electronically, whether or not it can be used to identify someone.
ReachSince “personal data” is not as wide of a definition as “electronic communications”, the GDPR has a smaller reach than ePrivacy.“Electronic communications” is a wider definition that “persona data”. ePrivacy is therefore more far-reaching than the GDPR.
PurposeThe purpose of the GDPR is to provide protection for people's personal data - to make sure that data subjects have rights and are informed about the processing of data that can identify them.The purpose of ePrivacy is to provide privacy in private and family life - to make sure people are aware of the processing that is done with their communications.
Electronic data / Hard copy dataThe GDPR covers any personal data, whether it is electronic or hard copy.ePrivacy covers only “electronic” communications data, not hard copy data.
Lex SpecialisGDPR is the less specific law compared to ePrivacy when it comes to electronic communications. Because of this, ePrivacy takes precedence over the GDPR in electronic communications cases.The ePrivacy Regulation is lex specialis - the more specific law compared to the GDPR - when it comes to electronic communications. Because of this, ePrivacy takes precedence over the GDPR in electronic communications cases.
Who is given responsibilitiesAnyone who is the controller or processor of personal data. Data controllers are those who decide why and how personal data should be processed. Data processors are the ones doing the actual data processing for the controller. As an example, if a restaurant has a payroll company pay the restaurant employees, then the restaurant is the data controller and the payroll company is the processor of the employees’ personal data.Anyone processing content of electronic communications; website owners, owners of communication apps, anyone engaging in direct marketing, telecommunications companies, messaging service providers (Whatsapp, Facebook, Skype), internet access providers, (ex. A café providing open WiFi access).
Who is given rights and protectionsGDPR provides protection only to natural persons - that means people.ePrivacy provides protections for both natural and legal persons - that means people as well as organizations, companies and businesses.
Coming into effectGDPR came into effect on 25th May 2018ePrivacy is still in the approval stage with EU legislators. It is supposed to come out in 2019 but might be delayed even further.

7. Why and how should companies prepare for ePrivacy?

Fines

The same fines as in the GDPR apply to noncompliance with ePrivacy: 20 million euros or 4% of yearly global revenue. When ePrivacy becomes effective it will immediately apply to electronic communications processors across the EU, and companies should make sure to be compliant before that point.

Preparing for ePrivacy

ePrivacy will not replace the GDPR; the two regulations are meant to coexist and complement each other. It is not the case that ePrivacy will totally change privacy rules so that GDPR-compliant companies have to start over again in 2019 - ePrivacy will only expand EU privacy laws. Even after ePrivacy becomes effective, companies are required to comply both with the GDPR and ePrivacy - or risk being fined.

Furthermore, consent will likely be more heavily relied upon as a legal basis for data processing after ePrivacy comes into effect, but ePrivacy uses the GDPR definition of consent. Having a GDPR-compliant method of obtaining consent in place already, is a great way of preparing for ePrivacy.

Usercentrics keeps track of regulatory developments to make sure that our product is up to date with the latest standards. Companies can use our Consent Management Platform to make sure that they are GDPR-compliant and prepared for future data privacy laws such as the ePrivacy regulation.

Further information:

Usercentrics GmbH does not provide legal advice. The contents of the above article are not to be understood as legally binding. The article constitutes the opinion of Usercentrics.