On 10 January, the European Commission presented a proposal for a Regulation (hereafter, the “Regulation”) concerning the processing of personal data and the protection of privacy in electronic communications, aimed at repealing Directive 2002/58/EC (hereafter, the “ePrivacy Directive”).

This proposal for a Regulation updates the legislation currently in force, providing better protection of confidentiality in electronic communications – including through the alignment of legislation with the new world-class standard provided in the recent EU General Data Protection Regulation (GDPR) – and consequently contributing to the creation of new useful tools to facilitate international data exchanges in the digital economy, and therefore to the development of the digital single market.

The main innovations:

  1. Material scope

The current rules only apply to processing carried out by “traditional” telecoms operators: “(…) the processing of personal data in connection with the provision of publicly accessible electronic communication services on public communications networks, including public communications networks supporting data collection and identification devices” (art. 121 Legislative Decree no. 196/2003).

The proposal for a Regulation has extended the scope of these rules to the processing of electronic communication data carried out in connection with the “provision and the use of electronic communications services and to information related to the terminal equipment of end-users” (art. 2, proposed Regulation): i.e. to the processing connected with the exchange of e-mail and online messages, including the new electronic communications services (such as WhatsApp, Facebook Messenger, Skype, Gmail, Viber).

  2. Harmonisation

The choice of a regulation as the legislative instrument (directly applicable in all EU Member States) meets the need for uniform application of the rules at EU level, avoiding fragmentation of the internal market due to divergent national implementing legislation.

  3. New protection and simplification measures

Under this new EU law, both the content and metadata derived from electronic communications (e.g. the websites visited, the numbers called, the time and date when an individual made a call, etc.) will need to be anonymized or deleted if users have not given their consent, unless the data are required for special purposes (art. 6, proposed Regulation).

In addition, the proposed Regulation also seeks to:

  • simplify the “consent” rules for the use of cookies and other identifiers when they are not intrusive but aim at improving user navigation;
  • provide for more control over spam: the proposed Regulation bans, regardless of the technology used, any unsolicited electronic communication without prior consent by end-users. Member States may opt for a solution that gives consumers the right to object to the reception of marketing calls.

  4. Jurisdiction

National data protection Authorities will be responsible for any breaches of this Regulation.

  5. Penalties

The proposed Regulation provides for a system of penalties that is similar to that in the GDPR, in both structure and philosophy. The penalties for breaches of the new rules, which are meant to be effective, proportionate and dissuasive, are as follows:

  • up to Euro 10.000.000 or up to 2% of the total worldwide annual turnover, whichever is higher, in case of breach of rules regarding notice and consent (art. 8, proposed Regulation), default privacy settings (art. 10, proposed Regulation), publicly available directories (art. 15, proposed Regulation) and unsolicited communications (art. 16, proposed Regulation), or
  • up to Euro 20.000.000 or up to 4% of the total worldwide annual turnover, whichever is higher, in case of breach of rules regarding the confidentiality of communications (art. 5, proposed Regulation), permitted processing of electronic communications data (art. 6, proposed Regulation) and the storage and erasure of electronic communications data (art. 7, proposed Regulation).

Finally, it should be pointed out that the European Commission would like to adopt the new Regulation no later than 25 May 2018, which is when the General Data Protection Regulation will enter into application, so that citizens and businesses may have a complete legal framework for privacy and data protection in Europe by this date.

For more information, go to the FAQ: http://europa.eu/rapid/press-release_MEMO-17-17_en.htm