What is the EU ePrivacy Regulation?
The proposed EU Regulation on Privacy and Electronic Communications (also known as the ePrivacy Regulation or ePR) will replace the 2002 ePrivacy Directive (the ‘cookie law’) and all EU member state laws that implement it.
It is not yet known whether the UK’s PECR (Privacy and Electronic Communications (EU Directive) Regulations 2003), which enacts the ePrivacy Directive, will be amended or superseded to bring UK law into line with the ePR.
When will the ePrivacy Regulation take effect?
The European Commission proposed the ePrivacy Regulation in January 2017. It was intended to take effect alongside the EU GDPR (General Data Protection Regulation) on 25 May 2018.
However, the final text is still to be agreed, with the Council of the European Union and the European Parliament disagreeing about a number of issues.
How are the ePrivacy Regulation and GDPR linked?
The ePrivacy Regulation will complement the GDPR’s general rules on personal data processing by providing specific rules governing electronic communications. As such, the ePrivacy Regulation will take precedence over the GDPR in situations where both laws apply.
Unlike the GDPR, the ePrivacy Regulation does not apply only to personal data. It also affects B2B marketing, for instance.
The scope of the ePrivacy Regulation
The final text of the ePR is yet to be agreed, but the Council’s draft recommends that the Regulation apply to:
· The processing of electronic communications content and metadata carried out in connection with the provision and use of electronic communications services;
· End users’ terminal equipment information;
· The offering of a publicly available directory of end users of electronic communications services; and/or
· The sending of direct marketing communications to end users.
Whatever the Regulation’s final wording, it will have the same territorial scope as the GDPR and apply directly in all EU member states as well as having extraterritorial reach to non-EEA organisations that:
· Process EU residents’ electronic communications content and/or metadata;
· Process EU residents’ terminal equipment information;
· Offer publicly available directories of EU residents; or
· Send direct marketing communications to EU residents.
Organisations that fall within the ePrivacy Regulation’s scope but are not based in the EU must designate a representative in an EU member state where their end users are based.
Organisations that have already appointed an EU representative to meet their GDPR obligations could appoint the same representative to comply with the ePrivacy Regulation.
How can we help you comply?
· Organisation-wide awareness;
· How risks are managed;
· The security procedures in place such as access limitation;
· Handling of data subjects’ rights and privacy notices;
· Staff training;
· Data transfer mechanisms and third-party processors;
· Your ISMS (information security management system), including testing and frameworks; and
· Your breach response processes.
We will identify areas of non-compliance and deliver a report to help you take remedial action.