In January 2017, the European Commission published its proposal for an ePrivacy Regulation ("ePR") to replace the existing ePrivacy Directive (Directive 2002/58/EC). The draft ePR is currently working its way through the EU legislative process. Below we set out a summary of the key points of the most recent draft of the ePR, published in October 2017:
While the ePR was initially intended to come into force simultaneously with the GDPR, it is more likely that the ePR will be finalised in 2018 and enter force in late 2018 or early 2019.
The ePR will apply to all providers of electronic communications services, including so-called 'over-the- top' or OTT internet-based services (e.g. web-based email, voice-over IP and online messaging apps). Data- emitting connected devices will also be regulated by the ePR.
The ePR will have extra- territorial effect where services (including advertising) are provided to or target end-users located within the EU by providers located outside the EU, regardless of where the processing takes place.
RELATIONSHIP WITH GDPR
The ePR is intended to "particularise and complement" the GDPR and also provides that "electronic communications" under the ePR will generally be considered personal data for GDPR purposes. In short, the ePR should be read in tandem with the GDPR as there is likely to be significant overlap.
The GDPR-level of consent will also apply under the ePR to the processing of message content and metadata for advertising purposes. This means that consent must be freely given, specific, informed and capable of...