By Ivan Blomqvist.
ePrivacy Regulation (ePR)
The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”, known also as the ePrivacy Regulation (ePR), is a proposed legal act of the European Union, enforceable as law in all member states, that intends to focus on a more expansive regulation of electronic communications by outlining data security laws and reinforcing rules regarding the electronic transfer of data.
Noncompliance of ePrivacy Regulation could mean penalties of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
ePrivacy Regulation objectives
The ePrivacy Regulation plans to account for the new players providing electronic communications services like WhatsApp and Skype, while benefiting from one single set of rules across all of the European Union.
It also looks to simplify the provision of cookies by utilizing rules that are friendlier to users and to prohibit unsolicited electronic communications, commonly referred to as spam, such as emails, text messages and automated calls. Additionally, the ePR seeks to repeal the Privacy and Electronic Communications Directive (Directive 2002/58/EC), also referred to as the ePrivacy Directive (ePD), while also overriding the General Data Protection Regulation (GDPR) on specific matters (lex specialis).
Since its inception in 2017, the ePR has been the subject of many discussions in the Council of the European Union. But, despite its progress, common ground could not be found on the some matters like the protection of terminal equipment information, the processing of electronic communications data by third parties, and the cooperation among data protection and telecommunications regulatory authorities.
In 2020, the current Presidency of the Council of the European Union released a newly revised draft of the ePrivacy Regulation in which it focuses on metadata and what can be considered as “legitimate interests” to process it and to also place cookies on end-users’ devices.
Companies obligations
Under the new draft, businesses would require to conduct data protection impact assessments, consult the relevant supervisory authority body, implement appropriate security measures, provide information to end-users about data processing activities and the right to object to such data processing, and to not share metadata or information collected through the use of cookies or similar technologies with third parties, unless it has been anonymized.
In March 2020, the current presidency invited all delegations to provide their final comments on the proposed draft, so that negotiations with the European Parliament can begin as soon as possible. Should the ePR be finally approved, it will finalize the European Union’s framework regarding the protection of data and the confidentiality of electronic communications.