As part of its digital single market strategy, the European Commission recently proposed a revamp of its current digital privacy rules, with a view to increasing trust and security in the online world.

Presently, data protection in electronic communications is governed by the ePrivacy Directive, adopted in 2009.

Significant breakthroughs and developments in the digital world have necessitated better rules concerning data privacy and respect for private life in general.

Consumers and businesses alike increasingly rely on internet-based communications through e-mail, internet phone calls and messaging systems, such as WhatsApp, Facebook Messenger, Skype and Gmail. Their content may be highly sensitive and confidential, including personal experiences, emotions, sexual preferences, financial data and political views.

There is also what is known as metadata: information derived from electronic communications, such as the time of a call, websites visited and location. Such data also enables conclusions to be drawn about the private lives of individuals.

The Commission is proposing a regulation, which will automatically be applicable to all member states in 2018, providing harmonisation without the necessity for transposition at national level.

The proposed regulation has a much broader scope than the e-Privacy Directive. It will apply indiscriminately to all providers of electronic communications, including providers of publicly available directories and software providers. It will apply to processing of data taking place in the EU or elsewhere. It will also apply to data processed in connection with the provision of services from outside the EU, if directed to end-users in the EU.

Privacy will be guaranteed in respect of both content and metadata, which will be subject to strict rules. Contents and metadata have to be anonymised or deleted if users have not given their consent, unless the data is required for billing purposes.

In its draft regulation, the Commission seeks to update the rules on the use of cookies and similar technologies, which a website places automatically on a visitor's computer so that it can recognise the visitor in future. These cookie files store data from pages visited – including information voluntarily given to the site. When the site is eventually revisited, the site recognises you by matching the cookie on your computer with the counterpart in its database. Computer cookies may be temporary (deleted as soon as browsing ends) or permanent (stored on the hard drive of your computer).

New rules on cookies are aimed at limiting surreptitious monitoring of actions by end-users and intrusion on their privacy. Such interference is permitted only with the end-user’s consent and for specific and transparent purposes. Expressing consent must be user-friendly. Instead of being inundated with cookie consent requests for every website visited, the proposed regulation provides for the possibility of expressing consent by using the appropriate settings of a web browser.

Currently, the large majority of web browsers are set to accept cookies. Providers of internet browsers or similar software are obliged to configure browsers so as to give end-users the ability to set their own privacy options.

Consent, however, is not required in all circumstances, for example for non-privacy intrusive cookies intended to improve the end user’s internet experience, such as remembering shopping cart history; carrying out the transmission of electronic communications, for instance for the transfer of an electronic message; or web-audience measuring, for the purpose of counting the number of visitors to that website.

In addition, the draft regulation bans unsolicited direct marketing activities by means of electronic communications. This rule applies to SMS, e-mail and all kinds of messaging, including that sent by political parties, and by non-profit organisations to support their cause.

The regulation allows EU member states the possibility to permit voice-to-voice marketing calls, but in such cases consumers must have the right to object to the reception of such calls. Where allowed, marketing callers have to show their phone number or use a special prefix indicating a marketing call.

Liability for breach of these rules carries hefty penalties. The regulation stipulates administrative fines of up to €20 million, or up to four per cent of total worldwide annual turnover in the case of an undertaking, depending on the nature of the infringement. In addition, end-users are entitled to make a claim for material or non-material damage in case of infringement.

jgrech@demarcoassociates.com

Josette Grech is adviser on EU law at Guido de Marco & Associates
