Data protection and e-Privacy
The EC has proposed an update to the e-Privacy Directive, which aims to amend the current rules to extend their scope to all electronic communication providers.
The update also aims to “create possibilities to process communication data and to reinforce trust and security in the Digital Single Market”, as well as align the rules for electronic communications with the newer and more stringent rules set out in the General Data Protection Regulation (GDPR).
The proposed rules have a number of key features, including expanding the coverage of the directive from traditional telecoms operators to new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skye and Gmail.
The e-Privacy Directive will also be updated with directly applicable regulation, meaning all EU citizens and businesses will enjoy the same level of protection.
Privacy will be guaranteed for both content and metadata derived from electronic communications, which will need to be anonymised or deleted if users have not given their consent, unless the data is required for legitimate purposes.
Once consent is given for communications data to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services.
The so called cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience.
The proposal also bans unsolicited electronic communication by any means – for example, by emails, SMS and automated phone calls – unless users have given their consent.
In principle, this will also apply to marketing phone calls unless a member state opts for a system that gives consumers the right to object to the reception of voice-to-voice marketing calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
National data protection authorities, such as the Information Commissioner’s Office (ICO) in the UK, will be responsible for enforcement of the confidentiality rules in the regulation.
The proposals set out a strategic approach to the issue of international personal data transfers to facilitate commercial exchanges, promote co-operation between law enforcement agencies and ensure a high standard of data protection.
The EC intends to discuss reaching “adequacy decisions” with key trading partners around the world, starting with Japan and South Korea in 2017, allowing the free flow of personal data to countries with equivalent data protection rules to the EU.
The EC will also make use of the alternative mechanisms allowed under the GDPR to facilitate the exchange of personal data with other countries where adequacy decisions cannot be reached.
On 17 January 2017, prime minister Theresa May indicated that Britain will leave the single market following the outcome of the referendum on the UK’s membership of the European Union.
It remains to be seen how Brexit will affect the measures recently announced by the European Commission and their application in the UK. It would be prudent for organisations to monitor updates as Brexit discussions progress and consider how their operations may be affected as the UK’s future relationship with the EU becomes more clear.