The European Commission has just published (21st February) a new draft of the long-awaited ePrivacy Regulation as there was a failure to reach agreement on the previous draft.
This Regulation will replace the ePrivacy Directive of 2002 that is enacted in the UK via the Privacy and Electronic Communications Regulations (PECR). The new Regulation will primarily have an impact on:
- The sending of direct marketing by electronic means
- Communications and content metadata (e.g. geolocation information)
- The activities of major communications providers (such as Facebook, WhatsApp, Gmail, Skype) in addition to traditional telecoms providers
It is important to remember that ePrivacy legislation is not about the use of personal data but the use of technology in a way that impacts upon privacy rights. For example, the setting of a tracking cookie on a device may not involve personal data initially, but the manner in which cookies (and similar technologies) can track user behaviour can have a significant impact on an individual as profiles are built and used for numerous purposes.
Even if you outsource website or app development work, you are still required to ensure those providers are creating products that are compliant with ePrivacy law – whether the current PECR or the new Regulation. As such, contractual arrangements and oversight of the activities of developers are key to make sure you are meeting your organisational responsibilities.
The latest draft does reference the ability to use some “communications metadata” under legitimate interests (mirroring GDPR) but, importantly, not where such data is “used to determine the nature or characteristics of an end-user or to build an individual profile of an end-user” and “not if the electronic communications metadata include special categories of personal data” (i.e. health, religion, ethnicity etc.).
This is very much still a draft and there will be much further discussion of its content prior to publication. And Brexit may of course have an impact on the applicability of the Regulation in the UK, albeit this is unlikely to be an area in which standards diverge given the global nature of such technologies.
We will continue to monitor developments around its progress. Watch this space.
If you would like any more information on this, please feel free to contact us here…