The GDPR Gets a Sidekick: Introducing the new EU e-Privacy Regulation

Author: Sascha Villoro

Date: 23.01.2018

While your company is getting ready for the new EU General Data Protection Regulation (or at least it should be getting ready: the GDPR will be fully applicable this coming 25th May and fines can reach 20 million euros or higher), the EU is working against the clock to pass the new EU e-Privacy Regulation. Together they form the new European privacy & data protection framework.

Only a proposal text for said Regulation is known today, but companies should start becoming familiar with it, as it is planned to enter into force on the same date as the GDPR: the 25th of May. Of this year! (Although it seems the final date might be postponed a bit.) Do you need another reason to panic? Fines for non-compliance with either Regulation may reach up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Furthermore, any end-user of electronic communications services who has suffered material or non-material damage as a result of an infringement of these Regulations shall have the right to receive compensation from the infringer for the damage suffered.

This is not a light subject and we could write whole books on this new EU e-Privacy Regulation, but we will try to keep this entry short by giving you just the most important highlights. If you suspect your company may not be compliant or needs to adapt to the Regulation, you should get in touch with your privacy expert.

Main points: 

- Broad material and territorial scope: The Regulation applies to any and all processing of electronic communications data carried out in connection with the provision and the use of electronic communications services and to information related to the terminal equipment of end-users. Services that were left out of the old Directive (such as WhatsApp, Facebook, Skype, etc.) will now be subject to the e-Privacy Regulation. Territorial scope is determined by the end-user being in the European Union, regardless of where the provider is.

- Cookies: Cookies and similar software and techniques pose an undeniable intrusion of privacy and, as a general rule, the consent of the end-user will be required to install or use such tools. Some non-intrusive cookies, such as session cookies or web visitor counters, will be exempt. For those cookies that require clear, affirmative consent of the user, the Regulation favors a user-friendly approach, and we may see the end of warning banners and web-by-web cookie acceptance and the rise of privacy settings on devices and software. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). To this end, providers of software enabling access to the internet must be required to inform end-users, at the moment of installation, of the possibility to choose among the various privacy settings, and to ask them to make a choice. The information provided should not dissuade end-users from selecting higher privacy settings and should include relevant information about the risks associated with allowing third party cookies to be stored on the computer. Web browsers are encouraged to provide easy ways for end-users to change the privacy settings at any time during use and to allow the user to make exceptions for or to whitelist certain websites or to specify for which websites (third) party cookies are always or never allowed.

- Consent: Just as with the GDPR, the new e-Privacy Regulation aims at giving end-users a bigger say. With that intent, bar a few exemptions, companies will need the user’s consent to process electronic communications data, metadata and content. End-users who have consented to the processing of electronic communications data shall be given the possibility to withdraw their consent at any time and be reminded of this possibility at periodic intervals of 6 months.

- Direct marketing: Sending direct marketing communications will only be allowed if the recipient consents or if he or she is already a customer (and the marketing pertains to similar products or services). Customers must clearly and distinctly be given the opportunity to object, free of charge and in an easy manner, to such use of their contact data. Marketing communications must be clearly labeled as such.

- Geolocation: Remember that scene in the movie Minority Report, in which Tom Cruise is fleeing down a busy street trying to remain undetected when suddenly advertisement screens that push personalized ads detect him and start engaging him directly? Well, that technology is here today. The unique identifier on your mobile device (MAC, IMEI, IMSI, etc.) lets companies know if you are in a certain place, such as a shopping street, and allows them to send you commercial messages tailored for you. Companies which engage in this activity will now have to warn people entering the area in which this technology is used and let them know who is responsible for the marketing as well as how to block this type of advertisement.

- Metadata: Metadata is data contained in other data that gives information about the data it is contained in. Did you know that when you send or share a picture with your phone or PC, it contains a little file (commonly referred to as “Exif tag” or simply “Exif”) which anyone can access and lets them know the exact location and time the image was taken, and the unique ID number of the phone? Metadata can be a lot more: how often you call a number, how much time you spend on a certain website, etc. Companies will now have to request consent from users to process this metadata, unless it is necessary to meet mandatory quality of service requirements or it is necessary for billing, calculating interconnection payments, detecting or stopping fraud or abusive use of electronic communications services.

- Privacy by default: Software shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment. Upon installation, the software shall inform the end-user about the privacy settings options and, to continue with the installation, require the end-user to consent to a setting. In the case of software which has already been installed on 25th May 2018, the above cited requirements shall be complied with at the time of the first update of the software, but no later than 25th August 2018.

- Internet of Things (IoT): Increasingly, our mobile devices, our household appliances, even our cars are connected and exchanging data, information that reveals a lot about the user, sometimes unbeknownst to us. Therefore, the Regulation will also apply to the transmission of machine-to-machine communications.

- Phone books (and ANY other public directory, physical or online): Natural persons not only have the right to decide whether they want to be included in any such guide (or be erased from one), but can also choose exactly what data is included (maybe you want to let other people know your email address, but not your personal phone) and even whether the directory may enable a search function for the person’s data.

- Incoming call blocking: Providers shall, free of charge, deploy state of the art measures to limit the reception of unwanted calls by end-users, allow blocking of incoming calls from specific numbers or from anonymous sources, and stop automatic call forwarding by a third party to the end-user.