EU Issues Third Proposal of ePrivacy Regulation Changes in February
The Romanian Presidency of the Council of the European Union has issued its third set of revisions to the ePrivacy Regulation this month ahead of a WP TELE meeting tomorrow.
Activity on the ePR is definitely higher than anticipated after the release of the provisional agendas for Council meetings suggested that the Telecommunications Council wouldn’t take up legislative deliberations until June 2019. This seemed strange at the time because a high-ranking official had suggested at the end of December that there was a good chance things would be approaching finalization in 2019. Still, it had appeared at the end of 2018 that several areas of disagreement between delegations
Notwithstanding the limited guidance in the released agenda, the February 4th proposal discussed possible compromise solutions arising from discussions in January on a few different areas, including the impact of ePR consent on new technologies, the processing of data for child protection, and the exclusion of national security from the scope of the regulations. On February 15th, the Romanian Presidency included more than ten changes to the text and provided the first comprehensive update on the additions, deletions and other changes to the text in many months.
These two proposal releases, already what seemed like a high level of activity for the month compared to the last year, were followed up by yet another draft revised text of the ePrivacy proposal ahead of a WP TELE meeting tomorrow (Feb. 26th). These modifications were based on delegations’ written comments and the meeting discussions of WP TELE last week.
We have been following ePR primarily for its impact on the setting and storing of data on cookies, as well as the accurate disclosure of that data storage and processing in cookie banners and privacy policies. In the latest draft, cookies are mentioned in Recitals 20, 20a, 21 and 21a. ePrivacy Article 8 contains the prohibition on processing, storage and collection from the terminal equipment of an end-user unless it meets one of the specified exemptions; it provides a few additional exemptions beyond the current set included in the ePrivacy Directive. Articles 4a and 6 govern the establishment of the consent of the end-user for the storage and processing.
In terms of the fines and penalties provisions of ePR, the current draft of the regulation applies the rights and remedies of Articles 77 through 84 from GDPR.
Article 23(2) of ePR specifies the violations that may be subject to administrative fines of up to 10 million euros or 2% of the total worldwide annual turnover of the prior financial year (whichever is higher). These fine limits are placed on:
– processing of electronic communications data under Article 8
– publicly available directory providers under Article 15
– users of electronic communications services under Article 16
Article 23(3) of the ePrivacy text identifies three areas subject to the higher fines of up to 4% of worldwide annual turnover of the preceding financial year, or 20 million euros (whichever is higher). These include:
– violations of the confidentiality of communications
– permitted processing of electronic communications data
– time limits for erasure under ePR Articles 5-7
– noncompliance with an order by a supervisory authority
Article 24 provides that the penalties for other infringements of ePR shall be set by each Member State, and establishes that they shall be “effective, proportionate and dissuasive.”
The ePrivacy Regulation also establishes in Article 22 that “[a]ny end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement … shall have the right to receive compensation from the infringer for the damage suffered in accordance with Article 82 of [GDPR].”
There has been some discussion about the intersection of the ePrivacy Regulation and GDPR, which went into effect in May 2018. The ePR allows member states to identify the public authorities responsible for monitoring conduct under ePR, but the regulation makes clear that electronic communications data under ePR that qualifies as personal data under GDPR is monitored by the appropriate data protection authority. The European Data Protection Board (EDPB) also has competence to assist with consistent application of ePR Articles 1-11.
Article 29 sets forth the implementation of ePrivacy, which will enter into force on the 20th day following its publication in the Official Journal of the European Union; the effective date will be two years from that date. In other words, it has a two-year implementation period before enforcement, similar to GDPR. If this section remains the same (last year the regulation called for a one-year implementation period before enforcement), then the earliest enforcement could begin is 2021.