The European Union takes the flow of data seriously. They recognize that data is a representation of our private lives that can be used to undermine our autonomy. We may choose to relinquish our data, but it should always be our choice.
You’re probably aware of the General Data Protection Regulation (GDPR), but there’s another important piece of privacy legislation that completes the EU’s data security framework: the ePrivacy Directive.
The ePrivacy Directive (ePD, Directive 2002/58/EC) is an older piece of legislation, enacted in 2002 and amended in 2009 by Directive 2009/136/EC. It requires each EU Member State to pass its own national laws on data protection and privacy in the electronic communications sector. It regulates several important issues, such as consent, confidentiality of communications, unsolicited marketing (spam), cookies and similar client-side storage, and the treatment of traffic and location data.
The purpose of the ePD is to align national protections of EU fundamental rights - namely the rights to privacy, confidentiality, and the free movement of data. It applies to the processing of data in connection with electronic communication services. Its main provisions include:
Article 5 is the most important section for website owners. Article 5(3) directs the 27 EU Member States to create laws under which a website may only store information on, or gain access to information already stored on, a user’s device if it has first given the user clear and comprehensive information about the purpose of the processing and obtained the user’s consent. The only exemptions are storage or access used solely to carry out the transmission of a communication, or strictly necessary to provide a service the user has explicitly requested (a session cookie for a login or shopping basket, for example); analytics and advertising cookies do not qualify.
Recital 17 of the ePD explains how consent can be obtained. It allows any appropriate method that gives a freely given, specific and informed indication of the user’s wishes, and names one that has become the most common: ticking a box when visiting a site. This is the origin of the “cookie consent banner,” and the reason the ePD is commonly called the “EU cookie law.” You’ve probably seen a lot of banners lately, such as the one on Osano's website.
On October 1, 2019, the highest court of the EU, the Court of Justice of the European Union, ruled in the Planet49 case (C-673/17) that consent cannot be implied. It must be explicit, and the rule applies whether or not the stored information is personal data. That means a note in the footer that says “By using this site you agree to let us use cookies…” or a pre-checked box isn’t sufficient. The user must actively consent.
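To make the Article 5(3) rule and the Planet49 reading of it concrete, here is a small consent gate written in plain JavaScript. It is an added example, not code from the original post and not Osano's product; the function names (defaultConsent, applyConsentAction, gateScripts, withdrawConsent), the purpose categories and the sample tag list are this example's own assumptions. It goes a little beyond the paragraph above by also showing withdrawal and by gating script activation on the recorded choice, which is how a banner is usually wired to the rest of a page.

```javascript
// Added example (not Osano's code): a consent gate modelling ePD Article 5(3)
// as read by the CJEU in Planet49. Non-essential storage stays off until an
// affirmative act; pre-checked boxes and "continue browsing" are not accepted;
// strictly necessary storage is exempt. Purpose names are assumed for the example.

const NON_ESSENTIAL_PURPOSES = ["analytics", "marketing"];

// Affirmative actions we accept. Scrolling, closing the banner or continuing to
// browse are deliberately absent: those are implied consent and do not count.
const AFFIRMATIVE_ACTIONS = new Set(["accept_all", "reject_all", "save_selection"]);

// State before the visitor has done anything: only strictly necessary storage.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, history: [] };
}

// Valid consent is an active, specific choice, not a default the site set.
function isAffirmativeAction(action) {
  if (!AFFIRMATIVE_ACTIONS.has(action.type)) return false;
  if (action.prechecked) return false;              // Planet49: a pre-ticked box is not consent
  if (action.type === "save_selection" && !Array.isArray(action.purposes)) return false;
  return true;
}

// Apply an action. Returns the new state and whether the action was accepted.
// The input state is never mutated, so a rejected action cannot leak through.
function applyConsentAction(state, action, now = () => new Date().toISOString()) {
  if (!isAffirmativeAction(action)) {
    return { state, accepted: false, reason: `"${action.type}" is not an affirmative act` };
  }
  const next = { ...state, history: [...state.history] };
  for (const purpose of NON_ESSENTIAL_PURPOSES) {
    if (action.type === "accept_all") next[purpose] = true;
    else if (action.type === "reject_all") next[purpose] = false;
    else next[purpose] = action.purposes.includes(purpose);   // save_selection
  }
  // Auditable record of what was chosen, when, and by which kind of act.
  next.history.push({ at: now(), type: action.type, analytics: next.analytics, marketing: next.marketing });
  return { state: next, accepted: true, reason: null };
}

// Withdrawal must be as easy as giving consent: one call clears a purpose
// and keeps whatever other purposes the visitor had already agreed to.
function withdrawConsent(state, purpose, now = () => new Date().toISOString()) {
  const keep = NON_ESSENTIAL_PURPOSES.filter((p) => p !== purpose && state[p] === true);
  return applyConsentAction(state, { type: "save_selection", purposes: keep }, now);
}

// The gate: may the site read or write client-side storage for this purpose?
// Strictly necessary storage (session cookie, CSRF token, basket) is exempt.
function canStore(state, purpose) {
  if (purpose === "necessary") return true;
  return state[purpose] === true;
}

// Typical wiring: tags ship inert (e.g. <script type="text/plain" data-purpose="analytics">)
// and only those whose purpose has been consented to are activated. Returns the srcs to load.
function gateScripts(state, scripts) {
  return scripts.filter((s) => canStore(state, s.purpose)).map((s) => s.src);
}

// Constructed walk-through with made-up tag URLs (not real traffic).
const TAGS = [
  { src: "/js/session.js", purpose: "necessary" },
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js", purpose: "marketing" },
];
let visitor = defaultConsent();
const implied = applyConsentAction(visitor, { type: "continue_browsing" });   // rejected, nothing changes
const preticked = applyConsentAction(visitor, { type: "save_selection", purposes: ["analytics"], prechecked: true }); // rejected
const chosen = applyConsentAction(visitor, { type: "save_selection", purposes: ["analytics"] });        // accepted
visitor = chosen.state;
console.log(implied.reason, "|", preticked.reason, "|", gateScripts(visitor, TAGS));
```

The point of the shape is that there is no code path from "the banner was shown" to "analytics may run": the only way a non-essential purpose becomes true is an accepted affirmative action, and the history array gives you the record you will need if a regulator asks when and how consent was obtained.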
While there’s plenty of overlap between the ePD and the GDPR, they do not conflict. The GDPR deals generally with the rules for processing personal data. The ePD focuses on the right to privacy and the right to confidentiality of communications, two rights in the EU Charter of Fundamental Rights. The GDPR itself (Article 95) defers to the ePD where the ePD already imposes specific obligations with the same objective, so in practice the ePD particularises the GDPR for electronic communications.
The ePrivacy Regulation (ePR) is the proposed successor to the ePD. It’s intended to complete the GDPR. If adopted, it will override the many country-specific laws and create a single standard for privacy in electronic communications across the EU. It broadly applies to traditional telecommunications service providers and to over-the-top communications services such as instant messaging apps, social media platforms, webmail, voice- and video-calling services, and machine-to-machine communication services.
What’s the difference between a regulation and a directive? A directive is a flexible legislative instrument. It’s an objective EU Member States must meet. States can implement a directive however they like as long as they achieve the desired result. They can adapt their existing law or pass new ones.
A regulation, however, is more powerful than a directive. Once passed, a regulation is binding across all EU Member States. It becomes enforceable on its set date. It does not need to be transposed into law at the state level as it supersedes existing state law.
The GDPR, for example, is also a regulation that replaced a directive (the Data Protection Directive). The change from an ePrivacy Directive to an ePrivacy Regulation will be equally impactful.
Why change from a directive to a regulation? Because state laws are all different. A single regulation makes things simpler for everyone to do business with each other. As European Commissioner Andrus Ansip puts it:
"All this will mean the same level of protection for everyone in the EU. It also cuts red tape for European businesses. They will have just one set of rules to deal with, not 28."
There has been significant evolution in electronic communications over the last decade, which is why the Directive is now considered obsolete. ePR aims to modernize and harmonize existing law around electronic communications. According to the EU Commission, the ePrivacy Regulation will...
The ePR is designed to complement the GDPR. Whereas the GDPR provides a framework for activities involving personal data, the ePrivacy Regulation will apply the framework to privacy in electronic communications. If ePrivacy conflicts with the GDPR in any way, ePrivacy will override the GDPR.
Like the GDPR, the ePR is extra-territorial. It would apply to companies offering services to users in the EU, not just EU-based companies. And it includes serious penalties: under the Commission’s proposal, fines of up to €10 million or 2% of global annual turnover, or up to €20 million or 4%, whichever is higher, depending on the provision breached.
Additionally, under the GDPR’s transfer rules (Chapter V), organizations in the EU may not transfer personal data to countries outside the EU unless those countries have been found by the European Commission to provide an adequate level of data protection, or another safeguard applies. The US as a whole does not have an adequacy decision, as it lacks comprehensive federal legislation equivalent to the ePD and GDPR. At the time of writing, US organizations could self-certify under the EU-US Privacy Shield framework to receive EU personal data; note that the CJEU invalidated Privacy Shield on July 16, 2020 (Schrems II, C-311/18), so transfers now need another basis such as standard contractual clauses.
The European Commission's proposal came out in January 2017. It was supposed to pass in May 2018, but EU institutions are still trying to reach a consensus. As of June 2020, EU legislators are still debating the language. There’s no guarantee that it will pass at all. If ePR fails to pass, ePD still applies.
| Year | Event |
|---|---|
| 1995 | GDPR predecessor Directive 95/46/EC (the Data Protection Directive) is adopted |
| 2002 | ePrivacy Directive (2002/58/EC) is adopted |
| 2009 | ePrivacy Directive amended by Directive 2009/136/EC, adding the cookie consent rule |
| 2012 | First GDPR proposal |
| 2014 | European Parliament adopts its first-reading position on the GDPR |
| 2015 | EU Council, Parliament and Commission reach agreement on the GDPR text |
| 2016 | EU Council and Parliament adopt the General Data Protection Regulation |
| 2017 | European Commission publishes its ePrivacy Regulation proposal |
| 2018 | GDPR applies from May 25. No consensus on ePrivacy reached |
| 2020/21 | Expected adoption of the ePrivacy Regulation |
Industry lobbying is slowing the legislation, particularly from businesses whose models depend on tracking online activity, since the ePR would require big changes on their end. On the other hand, consumer protection groups want stronger protections, especially in light of data misuse scandals like the Facebook–Cambridge Analytica affair, which highlight the need to protect people from data-driven business models.
Regardless of when the EU will enact the ePR, the breadth of the regulation and its potential penalties mean companies inside the EU and abroad should take it seriously today. It’s important to use this time to work toward compliance.
Osano's consent management software is the most popular cookie consent solution on the planet, serving more than 2 billion consents per month across 3.5 million websites. Our private, fast quantum blockchain records every single visitor consent.
If you want to comply with the current ePrivacy Directive and the upcoming ePrivacy Regulation, get started with Osano now.