20 December 2019 #Data Protection
Amidst the hype of the GDPR in 2018, one other area of data protection reform progressed relatively under the radar – the ePrivacy Regulation. Surprising given the potential impact this could have on an organisations’ marketing practices.
Currently, in the UK, the Privacy and Electronic Communications Regulations 2003 (“PECR”) is in force, which sets out further data protection obligations, specifically aimed at electronic communications. It regulates areas such as electronic marketing and the use of internet cookies.
This is set to be replaced with the ePrivacy Regulation, a piece of EU legislation designed to run alongside the GDPR and harmonise practices across member states.
The ePrivacy Regulation was due to come into force at the same time as the GDPR. However, it is a complex area of law prompting much debate and, as such, the wording for the Regulation has still not been approved. A revised draft has been put forward recently, but it seems highly unlikely that anything will be agreed until 2020 now.
Why should I care?
The exact impact of the ePrivacy Regulation cannot be predicted at this stage as the legislation has undergone many changes and wording has still not been agreed. However, we know that it could well have significant implications for organisations around areas like B2B marketing and internet cookies and so it’s important for organisations to be alert to potential changes.
The end of B2B Marketing as we know it?
The PECR places restrictions on an organisations ability to send marketing communications electronically without the recipient’s consent. However, there are two generally recognised exemptions to this:
In both cases, an opt out must be clearly in place from the very first communication.
Changes being proposed in the ePrivacy Regulation include placing a time-limit on soft opt ins and potentially removing the B2B exemption altogether.
Many organisations in 2018 decided to continue with their marketing practices for B2B contacts in light of the exemption (and relying on ‘legitimate interests’ to avoid falling foul of the GDPR) but, such organisations may need to revisit their approach if this latter change makes it through to the final text for the ePrivacy Regulation!
One thing’s for sure, if these changes come in, our work inboxes will start to see the raft of consent emails that our personal ones saw in 2018 – collective sigh!
The introduction of the ePrivacy regulation could see stricter confidentiality requirements around monitoring of electronical communications.
The e-privacy directive prohibits monitoring of electronic communications and metadata. However, the prohibition currently in place does not sufficiently cover electronic communications services that are made over the internet and/or devices that use the internet to communicate.
Changes may include the requirement that any monitoring of electronic communication of any kind will be prohibited. This includes sms, WhatsApp, email and instant messaging applications. There are proposed exemptions to this, for example where monitoring is needed to prevent security risk and attacks “in the transmission of electronic communications”.
Tighter controls on public directories
Currently you need to inform individuals that you are going to include them in the directory, you also need to give them the chance to opt out before including them and you need to gain their explicit consent if you were to include them for reverse searches. The consent to include an individual in a public directory is quite soft.
Changes include ensuring that communication services (such as BT (which includes EE), Talk Talk, Vodafone, Virgin Media and Telefonica) are under a duty to implement measures to limit unwanted, malicious or nuisance calls. Public directories (such as Yellow Pages, Thomson Local, Yelp and Yalwa) must obtain explicit consent from the end user before they publish any personal data in the directory.
Doesn’t Brexit mean the ePrivacy Regulation won’t apply to the UK?
To some extent, this depends on whether the UK leave with, or without, a deal.
If the UK leaves without a deal then the UK will not be bound by the new Regulation. If the EU leaves with a deal then it’s likely that EU law will continue to apply for any transition period and could become law in the UK.
However, regardless, the UK may well want to adopt the new requirements in any event to assist with it being given an adequacy decision by the EU (making data transfer from and to the UK easier). Also, businesses that deal with EU based counties will likely need to comply as EU countries may well request this and have more complex sharing arrangements as a result.
When will this come into force?
It is unlikely that the draft legislation will be agreed until 2020 and, then, it seems likely that it would have a transition period, like there was with the GDPR, before it comes into force.
As the draft text may change substantially there seems little point in businesses adapting their processes yet but it is good to be aware of the legislation and to start considering how this may impact any current or future projects.
Click here to contact Clarkslegal’s Data Protection team.