A new Cookie flavour? - leaked e-Privacy Regulation draft

We now know that the EU Directive,  best known in the UK through its implementation as the “Cookie law”, is in line for a make-over.  That directive is the reason why every time one enters a website for the first time on a computer, one is asked – probably annoyingly for most of us! - to consent to the use of cookies before using the website via an super-imposing banner.

An online version of the draft proposal for the new EU E-Privacy and Electronic Communications Regulation (ePR) legislation has been leaked online.  While the finalised ePR text is due to be released sometime in January 2017, the proposal’s content provides an insight into what we might come to expect from this new legislation which will replace the current EU Directive (on Privacy and Electronic Communications 2002/58/EC). 

So what are the key points that we can glean from the leaked draft of the ePR? 

·        As expected, there is alignment with the upcoming General Data Protection Regulation (the “GDPR”).  In particular, the new legislation will, like the GDPR, be a “Regulation” and therefore no further implementation will be required in the UK (or other EU Member States) in order to be applicable.

·        In terms of applicability, the ePR will mirror the GDPR in terms of the uplift in fines for a breach, that is, €20 Million or 4% of worldwide turnover.

·        “Over-The-Top” / “OTT” service providers (which means those providers offering a communications service on the top of regular internet accessibility services e.g. skype, WhatsApp, Viber, etc.) while not previously caught under the earlier EU Directive, will be subject to the ePR - This is despite concerted lobbying by OTT service providers during the consultancy period for the new legislation earlier in 2016.

·        any businesses publishing their own website will no longer be required to obtain permission for all cookies.  The draft makes clear the EU irritation with the standard consent box implementation that website users are all-too familiar with.  Apart from criticising the actual consent given in this way as not freely given, the ePR requires website providers:

o   Only require consent for any non-session (or configuration) based cookies e.g. tracking cookies; and

o   Where tracking cookies are present, these must be set by default to do not track – this mirrors the data protection by default principle seen within the GDPR.

·        In terms of privacy, some weakening in protection for individuals is introduced by the way in which consent for direct marketing is handled:

o   Website providers can use contact information obtained from users providing it has been obtained in the context of the sale or provision of a service (whether or not paid for) provided the user has not expressly opted-out;

o   Metadata that is sent along with any other information by telecommunications companies, such as location data and behaviour pattern data, are not treated as special; and

o   Oddly, while users can withdraw consent, there is no obligation to allow this possibility more than once every 6 months in direct apparent departure from the GDPR which allows users to withdraw consent at any time.

This is of course a leaked draft proposal and we await to see whether the finalised version of the ePR will remain the same or updated once released as expected in January 2017.