On 10 January 2017 the European Commission adopted a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (“the draft e-Privacy Regulation” or “the Proposal”), which will repeal Directive 2002/58/EC on privacy and electronic communications (the “e-Privacy Directive”).
The draft e-Privacy Regulation provides for enhanced privacy measures, including in relation to user consent, confidentiality of electronic communications, website cookies and unsolicited electronic communications. It also introduces an enforcement regime aligning with the GDPR, including significant fines for breaches.
The Proposal has been adopted in the context of a wider legislative package which also includes a Proposal for a Regulation on the protection of personal data by European institutions and bodies and a Communication on international personal data transfers.
Relation with the GDPR
This proposal aims to ensure consistency with the General Data Protection Regulation (the “GDPR”), to provide a complete legal framework for privacy and data protection under the Digital Single Market Strategy.
The GDPR focuses on data protection for individuals. It was adopted in 2016 and its provisions will apply from May 2018. The GDPR will enable users to better control their personal data. However, it only applies to the processing of personal data of individuals. It does not cover business-to-business communication or communication between individuals that does not include personal data.
The draft e-Privacy Regulation complements the GDPR and ensures the fundamental right to the respect of private life with regard to communications. The new rules also give citizens and companies specific rights and protections, e.g. they guarantee the confidentiality and integrity of users’ devices (i.e. laptops, smartphones, tablets), as smart devices should only be accessed if the user has given their permission.
The draft e-Privacy Regulation also seeks to align privacy rules with the GDPR, for example by relying on its definitions, and repeals the security obligations outlined in the current e-Privacy Directive that have become redundant following the adoption of the GDPR.
The provisions contained in the draft e-Privacy Regulation will be enforced by the Data Protection Authorities in the Member States, which are already in charge of the rules under the GDPR.
The adoption of the Proposal officially started the legislative process for the two proposed Regulations. The European Commission is calling on the European Parliament and the Council to ensure their adoption by 25 May 2018, alongside the entry into force of the GDPR.