The EU ePR (ePrivacy Regulation)
What is the ePR?
In January 2017, the European Commission proposed a new ePR (Regulation on Privacy and Electronic Communications) as part of its digital single market strategy.
The ePR will replace the 2002 ePrivacy Directive (the ‘cookies law’) and all member state laws that implement it – including the UK’s PECR (Privacy and Electronic Communications (EU Directive) Regulations 2003).
The PECR set out the rules on:
- Electronic communications, including marketing emails, faxes, texts and phone calls;
- The security of public electronic communications services; and
- The privacy of end users.
The ePR is broader in scope and aims to ensure privacy in all electronic communications – including over-the-top service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).
The ePR has the same territorial scope as the EU’s GDPR (General Data Protection Regulation), carries an identical penalty regime for non-compliance and was also intended to come into effect on 25 May 2018. However, there have been delays and it is likely to come into force in 2019.
Key points of the proposed regulation
The ePR will apply to:
- The processing of electronic communications content in transmission and of electronic communications metadata carried out in connection with the provision and the use of electronic communications services;
- Information related to/processed by/emitted by/stored in the terminal equipment of end users;
- The placing on the market of software permitting electronic communications, including the retrieval and presentation of information on the Internet;
- The offering of a publicly available directory of end users of electronic communications services; and
- The sending or presenting of direct marketing communications to end users.
The ePR will not apply to:
- Activities that fall outside the scope of EU law;
- Member state activities relating to border checks, asylum and immigration;
- Electronic communications that are not publicly available (e.g. closed corporate networks);
- Activities of competent authorities that relate to the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties; or
- Radio equipment – that must comply with Directive 2014/53/EU.
The ePR will apply to:
- The provision of electronic communications services to end users located in the EU;
- The processing of electronic communications content in transmission or electronic communications metadata of end users located in the EU;
- The protection of information related to/processed by/emitted by/stored in the terminal equipment of end users located in the EU;
- The offering of publicly available directories of end users of electronic communications services located in the EU;
- The placing on the EU market of software permitting electronic communications; and
- The sending/presenting of direct marketing communications to end users located in the EU.
Providers of electronic communications services that are not established in the EU must designate a representative in an EU member state where their end users are located.
Under the ePR, many cookies will no longer require end-user consent. Instead, expanded browser settings should control the sharing of user information, which means there should be fewer cookie banners.
Direct marketing communications – i.e. “any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.” – will also require end-user consent.
Moreover, when end users have consented to receive direct marketing communications, they should be able to easily withdraw that consent at any time.
Content and metadata
The ePR covers electronic communications metadata (“data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; including data used to trace and identify the source and destination of a communication, data on the location of the device generated in the context of providing electronic communications services, and the date, time, duration and the type of communication”) as well as their content in transmission.
Providers of electronic communications services may process electronic communications content only if they erase or anonymise it after the intended recipients receive it, and only:
- For the sole purpose of providing a specific service to an end user, if the end user has given their consent and the service cannot be provided without processing the content; or
- If all end users concerned have consented to the processing for specified purposes that cannot be fulfilled by processing anonymised information, and the provider has consulted the supervisory authority – the Information Commissioner’s Office (ICO) in the UK.
Providers of electronic communications services may process electronic communications metadata if they erase or anonymise it when it is no longer needed for transmitting a communication, and if:
- It is necessary to meet “mandatory quality of service requirements”;
- It is “necessary for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communications services”; or
- The end user has given their consent to the processing, provided that the purpose(s) of the processing could not be fulfilled by processing anonymised data.
When the processing of metadata is necessary for billing purposes, the relevant metadata can be retained until the end of the period during which the bill may lawfully be challenged or a payment pursued.
Fines for non-compliance
As with the GDPR, there is a two-tier regime of fines set at a maximum of €20 million or 4% of annual global turnover – whichever is greater.
End users who suffer “material or non-material damage” as a result of infringement of the ePR also have the right to receive compensation from the infringer.
In the UK, the ICO will be responsible for enforcing the ePR. Because the Regulation is still in draft form, the ICO is yet to issue any guidance on compliance. We will update this page when that guidance is released.
The ePR and the GDPR
The GDPR and the new Data Protection Act 2018 apply to the processing of personal information. The ePR has been designed to complement the GDPR by providing specific rules “regarding the protection of fundamental rights and freedoms of natural and legal persons in the provision and use of electronic communications services”.
The security obligations in the GDPR and the proposed EECC (European Electronic Communications Code) will apply to the providers of electronic communications services.