The Proposal for a Regulation concerning the respect for private life (Article 7 of the EU Charter of Fundamental Rights) and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications – EPR), released as a draft on 10 January 2017, introduces notable changes in this field, as it repeals Directive 2002/58/EC.
The main goal of the EPR is to harmonize the rules on electronic communications both with the current technological and market framework and with the GDPR framework.
In particular, the key changes of the EPR and its connection to the GDPR are analyzed as follows:
SCOPE:
The EPR extends the scope of the existing Directive (2002/58/EC) as it:
- Includes the processing of any electronic communications data (online/offline) by means of users' terminals,
- Includes any content transmitted, distributed or exchanged by means of electronic communications services,
- Includes metadata,
- Applies to any type of direct marketing communication and any machine-to-machine service, which therefore includes Industrial Internet of Things communications,
- Expands the applicability to non-EU entities which are processing data of individuals located in the European Union, regardless of where the processing is taking place.
SUBJECTS:
The EPR will apply to new providers of electronic communications services (e.g. WhatsApp, Skype etc.) in order to ensure the same level of confidentiality on communications as traditional telecom operators guarantee.
CONSENT:
The EPR provides stricter rules on users' consent, both for electronic communications services and for direct marketing purposes, without alternative legal bases (e.g. legitimate interest).
Furthermore, the user's prior consent must be obtained for any interception of electronic communications, whether by means of wireless networks or for traffic analytics.
However, once consent is given, telecom operators will have more opportunities to provide new services and to expand their businesses.
COOKIES:
New rules and procedures (e.g. browser settings) will allow users to accept or refuse tracking cookies and other identifiers. However, such consent is not required for cookies that are technically necessary for measuring the reach of an information society service requested by the user, provided that the measurement is carried out by the provider or on the provider's behalf and
- data are aggregated,
- user is given the right to object,
- no personal data are made accessible to any third party and
- data are kept separate from the data collected in the course of audience measuring on behalf of other providers.
In any case, it must be noted that the retention of data by third parties in users' terminal equipment is prohibited, and users must be given sufficient options regarding the categories of their consent.
SPAM:
The EPR prohibits unsolicited electronic communications by email, SMS and automated calling machines. Depending on national law, people will either be protected by default or be able to use a «do-not-call» list to avoid receiving marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
FINES:
The stricter fine regime (a maximum fine of 4% of global turnover or €20 million) will be extended to cover not only breaches of the provisions on consent but also breaches of the provisions on privacy settings for cookies.
EPR & GDPR CONNECTION:
The EPR provides that «electronic communications data are generally personal data as defined in the Regulation (EU) 2016/679» (Recital 4). In this context, the EPR and the GDPR appear to be two sides of the same coin. The main difference is that the EPR contains specific provisions on data protection in electronic communications.
However, some uses of personal data that are permissible under the GDPR may not be permissible under the EPR. In such cases, it is difficult to determine which of the two regulations will prevail, and the answer will be given on an ad hoc basis by the national Data Protection Authorities, which are responsible for enforcing both Regulations.
In any case, if the same conduct constitutes a breach under both the EPR and the GDPR, the higher fine will apply.
In conclusion, it is worth noting that, as the EPR has not yet been published, entities can only comply with the GDPR, which has already been promulgated and published; this compliance will, however, be a strong basis for EPR compliance when the EPR comes into force.
Edited by Dimitra Panagidi