The European Commission (EC) published its proposed update for the EU’s ePrivacy rules, which have the overall aim of ensuring “stronger privacy in electronic communications“. The key reforms touch on three areas: messaging services, cookie consent and marketing calls, as explained in the Commission’s fact sheet.
The new rules would require that online messaging services such as WhatsApp and Skype guarantee a higher level of confidentiality of Europeans’ communications than before. This covers the content of messages as well as metadata (such as time and location), which need to be anonymised or deleted unless users give their consent. Currently such rules apply only to telecom providers, but EC’s goal has been to expand the protections to cover the different possible communications services that are available to EU citizens.
Moreover, the new rules require that marketing callers do not use anonymous phone numbers or use a special pre-fix indicating a marketing call.
For non-EU countries, a separate EC communication published together with the proposal presents a system of Commission “adequacy decision”, which establishes that the country’s level of data collection is “essentially equivalent” to that in the EU. The EC said it would start discussions on adequacy decisions with Japan and Korea in 2017 (but also consider “other strategic partners such as India, and with countries in Latin America, in particular Mercosur, and the European neighbourhood”), as well as monitor existing adequacy decisions such as the EU-US Privacy Shield.
EUobserver looked at the proposed rules through the case of Gmail and other similar services that currently scan emails to help target advertising. According to the EC, these services would need to provide “effective consent” by asking for the users’ agreement explicitly. “It means today's email scanning will be banned unless the user agrees. But saying no to email scans only prevents adverts from being personalised or relevant to the user. It does not stop adverts.”
As part of the reform, companies could be fined for up to €20 million or 4% of their global turnover if they break the new rules, EurActiv reported.
The new ePrivacy Regulation aims to align EU-wide rules with those defined in the General Data Protection Regulation (GDPR), which will enter into application in May 2018. As a regulation, the ePrivacy rules will apply uniformly across EU Member States, as Hunton Privacy Blog points out.
The EC said it called on the European Parliament and Council to “work swiftly” so that the ePrivacy Regulation is adopted by May 2018, when the GDPR enters into force.