Early this year, the European Commission released the first official draft of its ePrivacy regulation, a special regulation in relation to the General Data Protection Regulation (GDPR). Both are meant to enter into effect as early as 25 May 2018. Yet the legislative process for ePrivacy is only in its initial stages, while GDPR has already been passed. The deadline thus seems rather short.
In the future, ePrivacy is to replace the existing Directive 2002/58/EC on privacy and electronic communications. ePrivacy will affect not only providers of electronic communications services, public directories and software enabling electronic communication, but also all entities sending marketing communications online or collecting data on the terminal equipment of individual end-users. ePrivacy aims to simplify rules on cookies, ensure better protection of metadata (such as time, place and length of communication), and introduce stricter conditions for unsolicited offers.
WP29, an advisory body consisting of representatives of national regulators, has already opined on the ePrivacy draft. They appreciated the wide personal scope of the regulation, which also covers providers of over-the-top (OTT) services (such as WhatsApp or Facebook Messenger). The regulation makes it possible to protect not just individuals/natural persons, but also legal entities, which may likewise fall victim to unsolicited messages or interception of communications.
On the other hand, WP29 voiced its concerns about some provisions, mainly the setting of conditions for the monitoring of terminal equipment locations using WiFi-tracking. WP29 also notes the lack of an explicit ban on tracking walls, which make access to a website conditional upon granting consent to the gathering of user data. Such an approach is contrary to the principle set in GDPR, which states that the provision of a service must not be conditional upon granting such consent. In general, WP29 emphasises the necessity to interpret ePrivacy in a manner that would guarantee at least the same level of protection as GDPR.
As with GDPR, breaches of ePrivacy may be penalised with fines of up to EUR 20 000 000 or 4% of annual turnover. In light of such high penalties, affected entities should watch the legislative process closely. On the other hand, users of online communications services may look forward to better protection of their data.