4. The EU data protection framework after 2015
4.3 The ePrivacy Regulation
On 10th January 2017, the Commission submitted a reform proposal for the ePD, which is to be replaced by a "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications" (Regulation on Privacy and Communication (ePR)). The proposal for the Regulation contains revised rules for the protection of fundamental rights and freedoms in the field of electronic communication, in particular the fundamental right to respect for privacy, the right to confidentiality of communication and the protection of personal data, which are inter alia granted by Art. 7 and 8 CFR.
With the proposal for the ePR the Commission aims at providing a consistent level of data protection across the EU Member States, for both natural and legal persons, while ensuring the free movement of electronic communications data, equipment and services (Art. 1 ePR Proposal and 1.2. and 1.3. Context of the Proposal). This is necessary because the differing implementation of the ePD in the individual Member States can be an obstacle to the free flow of communication data across the EU (3.1. Results of Ex-post Evaluations). Unlike the previous Directive, the new ePR will apply immediately, without transposition into Member State law, and will take precedence over any national laws. Additionally, the prospective Regulation should align the provisions in the field of electronic communication with the reformed EU data protection framework in order to avoid duplication and ensure coherence of EU legislation (1.2 and 1.3. Context of the Proposal). In this manner, the Commission intends to protect privacy and personal data more effectively (2.4. Legal Basis). Thus, the proposal for the ePR refers to various other legal acts, in particular the GDPR (e.g. Art. 4). Moreover, the aim of the Commission is to adapt the provisions of the ePD to the altered technical and economic reality (1.1. Context of the Proposal). In the following, the important provisions of the proposal are presented:
The Proposal uses similar definitions as the ePD and refers directly to terms used in other laws such as the GDPR and the EECC. Additionally, the ePR introduces new definitions. Central among them is the term "electronic communications data", which includes both the "content" and the "metadata" of electronic communications (Art. 4 (3) ePR Proposal). Electronic communications content refers to the actual content exchanged by means of electronic communications services, such as text, voice or video. Electronic communications metadata means data processed in an electronic communications network for the purposes of transmitting, distributing or exchanging electronic communications content; this includes e.g. data about the physical source and destination of a communication as well as the date, time and duration of a communication (Art. 4 (3) ePR Proposal).
The ePR will apply whenever electronic communications data is processed to provide electronic communication services in the EU. Moreover, it will apply to the protection of information about the end user (Art. 2 (1), (2) and Art. 3 (1) ePR Proposal). Like the GDPR, the Regulation will also apply if the processing itself is carried out outside the EU. Thus, the only requirement for this protection is that the end-user is located in the EU (Art. 3 ePR Proposal). Accordingly, companies which are not based in the EU must designate a representative in the EU who acts as a contact person for customers and supervisory authorities (Art. 3 (2) ePR Proposal). In contrast to the ePD, the Proposal includes Over-the-top (OTT) services in the scope of the law. OTT services are services which provide a product over the Internet and bypass traditional distribution. OTT services are often related to media and communication. Examples include Netflix or similar video streaming services as well as Facebook, WhatsApp and Skype or similar services (1.3. Consistency with other Union policies).
Firstly, the ePR prohibits any interference with electronic communication, such as monitoring, storage, tapping or scanning of electronic communication (Art. 5 ePR Proposal). Accordingly, it should be prohibited to store files on the end user's device which can be used to collect information about him or her (e.g. cookies) without the end user's consent (Art. 8 (1) ePR Proposal). In contrast to the ePD, end-users should not only be protected against cookies, but also against new tracking techniques that do not require access to the end-user's device. Such tracking methods monitor data which is sent from the end user's device in order to connect to a service or network. In this way, individuals can be tracked, which can pose a threat to their privacy (ePR Preamble 25).
Moreover, the new Regulation also strengthens protection against unsolicited direct communication, known as spam. In comparison to the ePD, the term "direct mail" is extended to cover not only commercial advertising for the supply of goods or services, but also election advertising by political parties or advertising by non-profit organizations (ePR Preamble 32). Direct mail is only allowed if the user gave his or her prior consent, which must be easily revocable at any time (Art. 16 ePR Proposal). Additionally, every service provider is obliged to inform the user about the privacy settings when using their service (Art. 10 (2) ePR Proposal). As under the GDPR, the ePR will require service providers to inform users about any potential risk to their privacy (Art. 17 ePR Proposal).
According to the Proposal, the same national supervisory authorities will be responsible for monitoring and enforcing the GDPR and the ePR in all EU Member States (Art. 18 (2) ePR Proposal). Consequently, the EDPB established under the GDPR has the task of ensuring consistent application of the new Regulation. Moreover, it will advise the Commission on future amendments of the ePR and examine issues regarding the application of the Regulation (Art. 19 ePR Proposal). The remedies, the liability rules and the sanctions are also largely aligned with the corresponding provisions of the GDPR. Like the GDPR, the ePR contains tiered fines for different violations. For example, the penalties for less serious infringements should be regulated by the Member States (Art. 23 (4) ePR Proposal). In the event of a violation of the cookie rules or the prohibition of unsolicited communications, fines of up to EUR 10 million or 2% of the worldwide annual turnover of the service provider can be imposed (Art. 23 (2) ePR Proposal). Infringements of the principle of communication confidentiality or the unauthorized processing of electronic communications data can be punished with penalties of up to EUR 20 million or 4% of the global annual turnover (Art. 23 (3) ePR Proposal). However, as previously stated, the ePR is not yet in force. It is expected to be implemented by the end of 2019 (Eickmeier, 2018).
4.3 Conclusion of the Chapter
After examining the European data protection framework after 2015, the last SQ, "What are the innovations brought by the new European data protection policies to the data protection framework of the EU?", can be answered.
Regarding EU-US data transfer, the Privacy Shield increased the transparency of the legal framework, as official authorities are obliged to make reports publicly available. Second, with binding restrictions on US authorities' access to personal data of EU citizens, the level of protection is increased in general. In the same light, the threshold for granting data transfer to third countries is raised as well. In this regard, the access right is revised and a dispute mechanism is newly established. Moreover, closer cooperation between the DOC and the European DPAs ought to ensure effective enforcement of the principles laid down in the agreement. Another new aspect of the Privacy Shield is the annual review mechanism, which requires the Commission to periodically review its decision on an adequate level of protection, allowing altered circumstances to be taken into account.
All in all, the GDPR introduces a series of innovations. First, with the implementation of the GDPR, technological developments are now taken into account, and explicit reference is made to new practices, such as profiling, which can pose a threat to the right to privacy of individuals. Second, the importance of unambiguous consent is underscored. Third, with the "right to be forgotten" and the "right to data portability", two new rights for data subjects are established. According to the GDPR, European citizens are also able to file direct complaints with companies, which are required to respond to complaints within 45 days. In case of conflict with the provisions of the Regulation, non-profit organizations are now able to bring collective claims before a court. Furthermore, a legal basis for compensation of immaterial damage is included. With the establishment of the GDPR, official authorities are now required to document all data breaches and to inform the DPAs as well as affected individuals immediately if such breaches have occurred. In certain cases, data controllers are also required to carry out a Data Protection Impact Assessment.
To improve the application and enforcement of the provisions of the GDPR, the EDPB has been established as a new monitoring and advisory body. Cooperation mechanisms between the monitoring bodies have been strengthened. In addition, the GDPR increases the leverage of the DPAs by paving the way for imposing harsh sanctions if the principles of the Regulation are violated. Finally, regarding data transfer to third countries, the GDPR specifies that an Adequacy Decision must be reviewed at least every four years.
Finally, the ePR, in comparison to the ePD, provides several innovations. By shifting from a directive to a regulation, consistent application of the rules regarding electronic communication across the Member States ought to be ensured. A significant change is the inclusion of OTT services, as these services were not previously regulated under the ePD. The usage of OTT services is constantly growing; hence, their inclusion in the provisions is of major importance for the general public. In addition, the cooperation between the DPAs and the newly established EDPB ought to improve enforcement mechanisms at the European level. Meanwhile, the application of sanctions is clearly defined.