ePrivacy Regulation
Proposal for a Regulation concerning the respect for privacy in electronic communications (COM (2017) 10)
Category
Status
EU
Trilogue negotiations initiated on 28 March 2022. Currently stalled.
EEA
Pending.
Norway
Pending.
Scope
The proposed Regulation applies to the processing of data in connection with the provision and use of electronic communication services. In additional to traditional telecom companies, the proposal will apply to Over-The-Top (OTT) service providers offering messaging, voice calls, and email services over the internet (e.g. WhatsApp, Skype, and Gmail).
Companies using electronic communication data (e-com data) for advertising and marketing purposes (including by employing cookies and similar tracking technologies) are also subject to the Regulation.
Relevance
The ePrivacy Regulation, once finalized and adopted, will necessitate adjustments in the Norwegian Electronic Communications Act and Marketing Act. how Norwegian companies manage electronic communications and direct marketing. Upon implementation, Companies will need to re-assess how they provide electronic communication services and direct marketing and prepare for the operational, strategic, and financial implications of compliance. Regulatory fines are proposed set to the higher of EUR 10,000,000 or 2 % of the worldwide annual turnover for undertakings.
However, political agreement and adoption of the proposal has been delayed several times from the original proposal in 2017, and the incumbent Spanish Council Presidency does not regard the e-Privacy Regulation as a priority file. Accordingly, it may still take time before we see any progress towards an adopted Regulation.
Key obligations
The proposal imposes strict confidentiality requirements for e-com data, including a general prohibition on listening, tapping, intercepting, or processing communications without user consent. The proposal further details specific lawful grounds for the processing of e-com data, related metadata and content (voice, video, sounds exchanged through an electronic communications service).
Specific obligations with respect to the use and collection of information from terminal equipment (such as smartphones, laptops, and connected smart home devices), which includes the use of cookies and similar technology. As a general rule, an informed, specific, and freely given consent is required unless such terminal equipment use is non-privacy intrusive, or necessary to provide a service or transmit communication. The proposal opens up for providing consent “by using the appropriate technical settings of a software application enabling access to the internet” (such as a web browser).
Software that enables electronic communications, including internet browsing, must include options to block third-party information storage or processing on the user’s device. When installing such software, users must be informed about privacy settings and must consent to a specific setting before proceeding.
Finally, the proposal imposes restrictions on unsolicited marketing communications, i.e. by requiring explicit consent as a starting point.