A lot of attention is understandably being focused right now on the General Data Protection Regulation (GDPR) - which is not the only piece of new regulation around data privacy. Since 2003 there has also been the Privacy and Electronic Communications (EC Directive) Regulations. In the UK this implements European Directive 2002/58/EC, also known as ‘the e-privacy Directive’. This directive has been updated several times since its introduction, especially to address various matters around direct marketing.
However, in January this year the European Commission published a Proposal for a new Regulation on Privacy and Electronic Communications to replace the old directive in its entirety. This is seen as necessary in view of the technological and economic changes that have taken place in the market place since 2002. The regulation adds to the GDPR for the specific case of electronic communications data that qualify as personal data.
What are the key features and changes in the regulation?
In general, the regulation applies to communication between end users who are ‘legal persons’ e.g. organisations and companies as well as ‘natural persons’, although there are some specific variations foe the different types of ‘persons’. It covers both the requirement for security of communications, although it makes no specific security requirements beyond those already in GDPR, and also the legitimate use of such communication data.
The regulation applies to both the content of electronic communications and the metadata such as the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call, etc. This would affect, for example, the generation of heat-maps based on location data. Where service providers use scanners to identify users entering an area such a shopping mall to target advertisement they will be required to display prominent notices. Generally, data obtained from the end user devices, for example that tracks online activity, locations, and so forth may only be used with the user’s consent except where limited use of data is necessary to provide the service.
The regulation applies to new internet-based services enabling inter-personal communications such as Voice over IP, instant messaging and web-based e-mail services, such as Skype and WhatsApp instead of traditional communications services. These were outside the scope of the old regulation.
One of the new technologies that has grown hugely since 2002 is machine-to-machine communication in the form of the Internet of Things. Recognising that this data also need to be secure and protected, the regulation also applies to machine-to-machine communication.
Using communications data to target advertising to individuals will require explicit consent and merely having subscribed to a broadband or mobile data service will not of itself constitute consent. End user consent will be required for direct marketing activities and when consent is given, it should be easy for the user to withdraw this consent.
A new cookie law?
One interesting change affects cookies. We have become used to frequent pop-ups advising us that so-and-so wishes to store a cookie on our device. The regulation proposes that, rather than an individual response being required from the user each time, browsers should offer a range of settings that the user can adopt that will apply to all cookie requests. Rejecting cookies should be default setting. However, no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history).
Companies providing Wi-Fi hotspots may be affected by the requirement that the confidentiality of the communications transmitted through such networks should be protected.
Although the regulations may appear restrictive, the EC argues that it in fact opens up the opportunity for new services such as heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects, albeit with the user’s consent. Objectors have noted the possibility for communication providers to access the content of communications where consent is granted.
As with the GDPR, not being part of the EU does not mean that the regulation has no affect. The regulation applies to electronic communications data processed in connection with communication in the EU even if the actual processing takes place outside the EU. Similarly it applies to data processed in connection with services provided to end users inside the EU even if the services originate outside the EU.
The regulation applies from 25 May 2018, the same date as the GDPR.
If you would like further information about the GDPR and how to plan for it, get in touch with one of our experts today.