5 April 2017
While preparations for the GDPR dominate the headlines, it’s not the only change for the digital economy. As technology evolves at a phenomenal rate, the laws that govern internet-based services are moving at an equally rapid pace.
The next piece of legislation in line for an overhaul is the European directive that forms the basis of the Privacy and Electronic Communications Regulations (PECR).
PECR currently set out the rules on electronic communications, including nuisance calls and messages, cookies and the provision of internet or telecoms services.
Earlier this year, the European Commission published its proposal for the new updated ePrivacy Regulation (ePR), to better protect people’s privacy in the digital age.
What is the proposal?
This proposal is just the beginning of the process, and the details are likely to change as we move forward. It will be a tough deadline for EU lawmakers to meet – the ePR is due to come into effect in May 2018 alongside the GDPR. With only 14 months to go, the next step is for the European Parliament and the European Council to each review the draft and form their own view on what it should say, before coming together around the end of this year to negotiate the final text.
As a regulation, it will apply directly within every EU member state. As with GDPR, the UK government has confirmed it would be implemented in the UK before we leave the EU.
The current draft proposal includes some headline changes:
- It removes separate security obligations, which will be covered under the GDPR, but introduces customer notification of specific security risks.
- In terms of cookies and other online tracking devices, the focus shifts from website cookie banners to users’ browser settings, and seeks to address issues around ad-blocking and Wi-Fi location tracking.
- It tightens the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
- It incorporates the GDPR’s two-tier system of fines of up to €20 million, or 4% of worldwide turnover, for breaches of some parts of the Regulation.
- It would apply to services providing so-called ‘over-the-top’ communication channels over the internet, such as Skype, Messenger or WhatsApp. It would also apply to businesses providing customer Wi-Fi access, as well as the traditional telecoms and internet providers.
- It would apply to organisations based anywhere in the world if they provide services to people in the EU.
What's the ICO's role?
The responsibility for enforcement will mirror the GDPR and therefore will fall to the ICO. We’ll be watching the negotiations closely to understand how they might affect the UK.
We have already provided our views to those drafting the proposal and we are currently working with the Article 29 Working Party, the group of European data protection authorities, to influence a collective opinion on how it could be improved.
Where appropriate we will provide input to try and achieve a good outcome for individuals and businesses alike. We are likely to have a role in providing expert advice to assist the UK government during this process.
Because there is currently no agreed timetable for finalising the new ePrivacy law within Europe, we can’t yet make fixed plans for guidance.
An initial guidance document from the ICO, highlighting the likely key issues, is planned for later in the year. We will consider how best to follow this up with more detail on what the key changes are likely to be as negotiations progress.
We’ll keep you updated through data protection reform section of the ICO’s website. You can also follow us on Twitter, and sign up for our e-newsletter which provides regular monthly updates on all of our work.
Jo Pedder is Interim Head of Policy and Engagement. She has lead responsibility for the ICO’s guidance on the Data Protection Act and the Freedom of Information Act.