On 10th January 2017 the European Commission presented proposals for a Regulation on electronic communications to complete the European Union framework on the protection of personal data.
The regulation on privacy and electronic communications proposed by the Commission will ensure higher levels of respect for the private lives of users and will open up new commercial opportunities. The measures presented aim to update current regulations, extending their application to all communication service providers. From now on, privacy regulations will also apply to new operators providing electronic communication services, such as WhatsApp, Facebook Messenger, Skype, Gmail, IMessage and Viber. As a consequence the e-privacy directive, which currently only applies to traditional telecommunication operators, will be revised.
The objective is to reinforce trust and security in the digital market, creating an adequate balance between a high level of protection for consumers and innovation possibilities for businesses. The proposal also provides for the processing of personal data by EU institutions and bodies to guarantee the same level of protection as that ensured by individual Member States, as set out by the General Data Protection Regulation and defines a strategic approach towards issues concerning the international transfer of personal data.
Privacy will not only be guaranteed for the content of communications but also for so called metadata (for instance the time and place of a phone call), which, according to the Regulation, will have to be anonymized or deleted if users have not given their consent, unless those data are required, for example, for billing purposes. Once consent is obtained for the processing of communication data (both content and metadata), traditional telecoms operators will have greater opportunity to use such data and provide additional services.
The so called “cookie provision” which is currently resulting in an overload of consent requests for users, will be streamlined. The proposal clarifies that no consent is needed for non-privacy intrusive cookies which improve internet user experience (e.g. to remember shopping cart history). Those cookies counting the number of visitors to a website will also no longer require consent.
With regard to spamming, the current proposal bans unsolicited electronic communication, irrespective of the means used, so that, in principle, it is also applicable to phone calls if users have not given their consent for the processing of personal data. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special prefix that indicates the reason for the call.
With relation to the protection of personal data by European institutions and bodies, the proposed regulation aims to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the 2016 General Data Protection Regulation.
The proposed Communication defines a strategic approach to the question of international personal data transfers, which will facilitate commercial exchanges and promote better law enforcement cooperation. The Commission intends to use the alternative mechanisms provided by the General Data Protection Regulation and by the Directive on the Protection of Data in the fields of judicial and police cooperation to facilitate the exchange of personal data with other third countries with which “adequacy decisions” cannot be reached.
With the presentation of these proposals the Commission calls on the European Parliament and the Council to work swiftly and to ensure a smooth adoption process by 25th May 2018, when the General Data Protection Regulation will enter into application. The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.