Does the proposed ePrivacy Regulation signal the end of spam?

The EU General Data Protection Regulation (GDPR), which needs to be applied starting from 25 May 2018, has been a topic of intense discussion over the last couple of years. Currently changes are also being planned to the electronic communications sector in the form of a new Regulation on Privacy and Electronic Communications. If the proposed Regulation, issued by the European Commission on 10 January 2017, on the processing of personal data and the protection of privacy in the electronic communications sector enters into force, the Regulation will replace the existing ePrivacy Directive 2002/58/EC and form a completely new legal framework for the electronic communications sector, together with the GDPR.

The aim of the Regulation is to strengthen the protection of privacy in the electronic communications sector and to harmonise the rules within the EU. The Regulation is lex specialis to the GDPR. Thus, the GDPR would apply to all cases that involve the processing of personal data and that are not regulated by the proposed Regulation. The changes introduced by the Regulation are expected to benefit both consumers and businesses. Like the GDPR, the new Regulation would bring a lot of changes to businesses, also outside the EU.

• All natural persons and legal persons in the EU would receive the same level of privacy protection for their electronic communications. In particular, companies’ daily lives would be made easier by a single set of rules across the EU.

• The rules would also change to include providers of electronic communications services such as Facebook Messenger, WhatsApp, Skype, Gmail, Viber, and iMessage.

• The Regulation would also apply to content generated from electronic communications (text, audio, etc.) as well as metadata. Service providers would be obliged to delete or make anonymous all content after it has been received by the end-user or a third party entrusted to record, store or otherwise process such content, in accordance with the GDPR. All metadata must also be deleted or anonymised after it is no longer needed for billing purposes.

• The Regulation would ban all electronic direct marketing for which the end-user (a natural person) has not given their consent. This would provide more effective protection against junk mail or ‘spamming’. However, companies should be able to market similar products and services to their existing customers using contact details collected in the past in the course of a sale.

• Rules on the use of cookies will be simplified, as the current rules have resulted in an overload of consent requests for internet users. The Regulation would allow users to provide consent in the future, for example, via internet browser settings. In addition, consent would not be required for cookies that do not directly relate to privacy such as, say, remembering online shopping history.

• The Regulation would apply globally to all service providers that provide electronic communications services or collect data from terminal equipment within the EU, regardless of whether the company is located within the EU or not. Thus, the same rules would also apply to companies that provide electronic communications services in Finland, regardless of whether the company is located in, say, the US, Japan, or an EU Member State.

• Infringement of rules would result in a fine, which may be as high as 4% of the company’s overall turnover. This is in line with the GDPR. Users who suffer either material or non-material damage as a result of an infringement are also entitled to receive compensation from the infringer.

• Digital marketing companies are now concerned about the future of their activities, as the strict rules could significantly limit the ways in which many websites finance themselves and provide their services. In the future, companies should inform users of the opportunity to prevent third parties from storing information on the terminal devices used by the end-user. If an increasing proportion of users opt to prevent third party advertising and marketing, many companies will lose an important source of revenue.

The European Commission’s proposal is currently under review by the European Parliament and the Council. The Regulation is intended to enter into application at the same time as the GDPR on 25 May 2018, provided that both the European Parliament and the Council accept the proposal first.