Beyond GDPR: EU’s ePrivacy Regulation to Add New Layer of Data Obligations

By Andy Droke

While many have been focused on the European Union’s General Data Protection Regulation (GDPR), the Council of the European Union has continued its efforts to finalize the ePrivacy Regulation (ePR), which will replace the current ePrivacy Directive. Although the ePR is still in draft form, U.S.-based companies should begin to understand how their obligations under the ePR will intersect with their current operations and their obligations under the GDPR.

The most recent complete draft of the ePR was published on May 28, 2018 (available here), and the Council published an update on July 10, 2018 (available here).

Who and What are Covered?

In its current form, the ePR primarily regulates the activities of: (1) those who provide electronic communications services (including certain public Wi-Fi networks, even when password protected), publically-available directories, and software that permits electronic communications; and (2) those who use electronic communications services to send direct marketing communications, to make use of the processing or storage capabilities of an end user’s terminal equipment (including cookies), or to collect information from an end user’s terminal equipment.

Under its broad scope, the ePR will apply to new and emerging messaging technologies like application and Internet-based messaging services that are functionally equivalent to traditional communication methods and to text messages (SMS and MMS), telephone calls, VoIP calls, machine-to-machine communications (connected/smart devices), and email correspondence. The ePR will apply as soon as the data is collected, regardless of whether the user has created an account for the service.

Importantly, for U.S.-based companies, the ePR will apply if the affected, live human end user is located in the E.U. It does not matter where the processing occurs or where the provider/processer is located.

What is Required/Prohibited?

The requirements and prohibitions in the current draft fall into two primary categories: (1) those addressing the protection of end users’ communications and the integrity of their terminal equipment; and (2) those addressing end users’ rights to control their electronic communications. Violations are subject to a maximum penalty equal to the greater of €20M or four percent of global revenue, and the ePR grants a private right of action to end users.

At a high level, the ePR addresses the following issues with respect to users’ communications and equipment:

Confidentiality. The ePR generally prohibits any interference with the content and metadata of electronic communications, including: listening to, tapping, storing, monitoring (including observing website activities), scanning, surveilling, intercepting, and processing this information. As a result, without user consent, service providers are only permitted to process the data in limited ways (such as for security purposes). As noted by the European Data Protection Board (EDPB) (available here), the consent requirements under the ePR correspond to those imposed by the GDPR and “access to services and functionalities must not be made conditional on the consent of a user.” The EDPB has also taken the position that “there should be no possibility under the ePrivacy Regulation to process electronic communications content and metadata based on open-ended grounds, such as ‘legitimate interests’, that go beyond what is necessary for the provision of an electronic communications service.” Further, even when consent is obtained, the ePR’s introductory recitals suggest that processing should be limited to the purposes and durations contemplated by the user. Nevertheless, the July 10, 2018 update introduced a new provision that, similar to the GDPR, would allow additional compatible processing of electronic communications metadata in certain instances.

Requirement to Delete/Anonymize. The ePR requires providers of electronic communication services to erase or anonymize electronic communications content after the message is received by the intended recipient and to erase or anonymize the associated metadata once it is no longer needed for transmission purposes (with a limited exception for billing purposes). The ePR acknowledges that the time of receipt will depend upon the technology employed and that, in turn, the confidentiality and deletion obligations will also depend on the specific nature of the messaging system.

Protection of Equipment. The ePR includes a general prohibition on both (1) using the processing and storage capabilities of users’ terminal equipment; and (2) collecting information from the equipment. Thus, although certain exceptions apply, the ePR will typically require user consent and a specific and transparent purpose to support the use of any cookies or trackers. As noted above, the ePR’s consent requirements mirror those imposed by the GDPR.

Application Privacy Settings. The July 10, 2018 publication removed the previously-included mandate that software include features designed to give users the option to prevent third parties from storing or processing information (including cookies) on their machines.

In addition to the provisions affecting users’ communications and terminal equipment, the ePR includes the following protections with respect to end users’ rights to control their electronic communications:

Number-based Interpersonal Communications. The ePR incorporates certain protections with respect to number-based communication systems. In particular, service providers must offer users, free of charge, the ability to block Caller ID information and certain calls (with limited exceptions for emergency communications). The ePR also requires providers to “deploy state of the art measures to limit the reception of unwanted, malicious or nuisance calls by end users.” Providers of number-based services would also be required to obtain user consent before listing an individual’s personal data in a publically available directory.

Direct Marketing Communications. The ePR generally prohibits the sending of direct marketing communications via electronic communications services without user consent. Direct marketing communications include any form of advertising communicated by voice-to-voice calls (live calls not using automated systems), communications made via automated calling/communication systems (with or without human interaction), emails, text messages, and messages via functionally-equivalent apps or other techniques. It does not, however, include advertisements displayed to the general public on websites that are not directed to a specific end user.

The current draft of the ePR would permit those who receive contact information in connection with a sale of goods or services to use that information to send marketing communications so long as the user is given an opportunity to object at the time the contact information is provided and in each future marketing communication. The future correspondence must be limited to the sender’s own similar products or services, and E.U. member states may adopt time limits addressing how long the seller can use the information.

Further, senders of permissible messages will be obligated to include certain identifying information and to give recipients the opportunity to object to receiving future marketing communications. The method for objecting or withdrawing consent must be easy to use, free, available at any time, and effective. Additional restrictions apply to direct marketing calls.

What next?

Because the ePR remains in draft form and may be further revised, U.S.-based companies must continue to monitor the legislation. Further, organizations that proactively determine the scope and nature of their communications with end users in the E.U., that review their current controls, and that develop strategies for adjusting those processes will be able to more efficiently implement the required controls upon finalization of the ePR.

Atlanta Cyber Week aims to connect the dots in our cybersecurity ecosystem and contribute to the story of metro Atlanta as a top venue for global commerce. Registration for Atlanta Cyber Week and Cybercon is open now! Visit www.atlcyberweek.com or www.cybercon.us to register.