A work in progress for several years (the last changes cane into effect in 2011), and lying dormant while its big sister the General Data Protection Regulation (GDPR) was drawn up, the new ePrivacy law finally has a landing date – and, somewhat ambitiously, it is the same as the GDPR (25 May 2018). While that makes total sense from a legal and logical perspective, the fact that the legislation is not yet in final form means that some are doubting whether this timescale is realistic (the commentary below is on the latest draft version form, leaked just before Christmas and released "officially" earlier this month).
It is now intended that what was previously known as the ePrivacy Directive will itself have the status of a Regulation by the time it becomes law. If it were to remain a directive rather than a regulation, it will not have direct effect on EU member states. But for those thinking that, either way, Brexit Britain might not consider itself bound by this piece of legislation, it is worth noting that it is intended to act in concert with the GDPR – which the UK has confirmed it will be adopting. That would make it irrational not to accept the two as a package, especially if the UK wishes to remain on a level playing field for e-commerce with the EEA (even if it has been suggested by Karen Bradley of the DCMS and the Information Commissioner Elizabeth Denham that the detail of the GDPR might be revisited after it is on the statute books, and once it is back up the list of UK Government's priorities).
So what is actually in it? Well, quite a lot is technical and narrow, sector-specific material mainly affecting ISPs and telecoms (but also, for the first time, "over-the-top" providers like instance messaging services like WhatsApp and Facebook Messenger). Perhaps unsurprisingly, the draft proposal has not made many headlines outside these industries: such commentary as there has been has focused to date on the consumer issues, notably the promise of an end to those irritating cookie "pop ups" and banners whenever you visit a website. Of course this will benefit companies too, and enable more user-friendly customer interaction, although it remains to be seen if the replacement regime will be entirely straightforward.
The common-sense principle is that cookies used purely for "configuration" (i.e. website usability) will not require notice or consent; however, software that tracks customers' internet activity will require consent and the default position will be opt-in only. A further change to cookies rules is that web browser manufacturers (Microsoft, Apple, Mozilla et al) will be tasked with designing their software so that users can set their privacy / cookie preferences at the browser level, rather than for each website visited.
Building on this principle, the preferred method of consent, in accordance with the bold new GDPR world, is via flexible user settings. However, there is some debate about what the effect will be when applied to tracking of electronic communications (i.e. gathering information about location, receipt and sending etc. from people's emails and messages). Clearly this is valuable information for marketing analysis but does present a personal privacy issue. Other areas where we can expect more clarity concern obligations on providers for encryption and retention of data.
It also seems that the scope of this law will not extend to in-site advertising and pop-ups, being a necessary evil for publishers and websites. Those companies will indeed hope the final form regulation will uphold their right to detect when users are employing ad-blocking software to work around these intrusions, which was briefly debated last year.
Of most interest to the majority of organisations will be the regulation of electronic direct marketing by telephone, email and SMS – currently subject in this country to the Privacy and Electronic Communications Regulations (PECR) 2003 (but updated as recently as last year). Prior to the recent announcement that the ePrivacy Regulation is expected to arrive simultaneously with GDPR, it had been expected that PECR would remain the effective relevant law after GDPR. Aside from its status as a regulation bringing consistency to the law on unsolicited e-marketing across Europe, early signs are that the like-for-like replacement within the new regulation will not substantially change the existing landscape in the UK. Of course, GDPR is already doing that quite sufficiently – notably around the standard of consent (on which we expect to hear from the ICO very soon).
Perhaps the most fundamental question from a UK perspective, however, is whether the UK Government's desire for extensive surveillance powers – notably Theresa May's much-discussed Data Retention and Investigatory Powers Act (DRIPA) is compatible with this new ePrivacy law (in particular the emphasis on the confidentiality of communications).
If not, there is an argument that this policy might this even be enough for the European Commission to decide that a post-Brexit UK does not, in fact, meet the adequacy standard to do digital business freely with Europe (even after fully adopting GDPR). This is perhaps the doomsday scenario but, if the divorce with the EU is not an amicable one, it is one that cannot be ruled out. DRIPA may be the Trojan horse that brings down UK adequacy – and with it, restricts access to the digital single market – just as the NSA's snooping powers brought down Safe Harbor with the US, and continues to concern observers about its replacement (the so-called "Privacy Shield"). This will of course be a major compliance concern and could bring unwelcome additional cost for business.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (email@example.com; 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Information Matters page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2017