While quite a few organisations are investing in personal data protection and privacy measures to attain General Data Protection Regulation (GDPR) compliance, and others are still in the stage of GDPR awareness, another EU Regulation requires our attention: the new Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications (ePrivacy Regulation).
This ePrivacy Regulation should have entered into force at the same time as the GDPR. Although the Regulation has been delayed, it should at least be adopted sometime in 2020. The introduction of the GDPR caused a lot of turmoil, so let us reflect on the consequences of the introduction of this new ePrivacy Regulation.
Key points
The new ePrivacy Regulation would apply to any business that provides any form of online communication service, uses online tracking technologies, or engages in electronic direct marketing. The key points of the ePrivacy Regulation include:
- New players: privacy rules will in the future also apply to new players providing electronic communications services such as WhatsApp, Facebook Messenger and Skype. This will ensure that these popular services guarantee the same level of confidentiality of communications as traditional telecoms operators.
- Stronger rules: all people and businesses in the EU will enjoy the same level of protection of their electronic communications through this directly applicable regulation. Businesses will also benefit from one single set of rules across the EU.
- Communications content and metadata: privacy is guaranteed for communications content and metadata, e.g. time of a call and location. Metadata has a high privacy component and is to be anonymised or deleted if users did not give their consent, unless the data is needed for billing.
- New business opportunities: once consent is given for communications data – content and/or metadata – to be processed, traditional telecoms operators will have more opportunities to provide additional services and to develop their businesses. For example, they could produce heat maps indicating the presence of individuals; these could help public authorities and transport companies when developing new infrastructure projects.
- Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
- Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
- More effective enforcement: the enforcement of the confidentiality rules in the Regulation will be the responsibility of data protection authorities, already in charge of the rules under the General Data Protection Regulation.
EU’s existing ePrivacy legal framework
The Regulation aims to be an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive, which goes back to 2002 and was revised in 2009. However, important technological and economic developments have taken place in the market since the last revision of the ePrivacy Directive in 2009. Consumers and businesses increasingly rely on new internet-based services enabling inter-personal communication, such as Voice over IP, instant messaging and web-based email services, instead of traditional communication services. These Over-the-Top communication services (OTTs) are in general not subject to the current Union electronic communication framework, including the ePrivacy Directive, resulting in a void of protection of communications conveyed through new services. The ePrivacy Regulation is lex specialis to the GDPR and will particularise and complement it as regards electronic communication data. All matters concerning the processing of personal data not specifically addressed by the ePrivacy Regulation will be covered by the GDPR.
It is also important that the update takes the form of a Regulation instead of a Directive. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas the ePrivacy Directive required local regulations for implementation. A Regulation was chosen instead of a Directive to ensure consistency with the GDPR and legal certainty for users and businesses alike by avoiding divergent interpretation in the Member States. As mentioned before, the ePrivacy Directive is part of the regulatory framework for electronic communication. In 2016, the European Commission adopted the proposal for a Directive establishing the European Electronic Communications Code (EECC), which revises the framework. The new ePrivacy Regulation will not be an integral part of the EECC, but it partially relies on definitions provided therein. In addition, the EECC complements the Regulation by ensuring the security of electronic communication services.
The new ePrivacy Regulation and the Insurance Industry
The big question is whether this new ePrivacy Regulation will cause as much turmoil for the insured and the insurer as the implementation of the GDPR did. The proposal now lies with the Council of Ministers of the European Union. Once the EU member states agree on the proposal, long-term negotiations with the European Parliament are expected to follow, so we should not anticipate things. However, it seems safe to say, with due prudence, that this is not expected to be the case. The ePrivacy Regulation will be in line with the GDPR, so the biggest impact in terms of implementing the requirements has already occurred. Regarding the particular subjects which the ePrivacy Regulation regulates and that are not mentioned in the GDPR, or at least not as broadly, some changes as reflected above will be required. Assuming, however, that the privacy policy of insurers will generally be compliant, it is expected that the required adjustments will be limited to a minimum.