What is the European ePrivacy Regulation?

What is the European ePrivacy Regulation?

Before the end of 2018, the new ePrivacy European Regulation could be approved, a special rule on privacy and electronic communications that complements the RGPD and with which it is convenient to begin to familiarize oneself.


The General Data Protection Regulation (RGPD) that began to be applied last May 25th has marked a before and after in terms of privacy. Surely, in the days prior to the aforementioned date -even that same day and afterwards-, the readers of the Xenasegur blog received endless emails from companies that requested their consent to the processing of their personal data.

And, undoubtedly, the RGPD has forced many organizations, including those of the insurance sector, to “put the batteries” in terms of privacy and regulatory compliance. Prior to the approval of the aforementioned regulation, it was sufficient to comply with current regulations. But the RGPD goes a step further and forces organizations to apply proactive responsibility . And not only that. It contemplates a sanctioning regime that can suppose the payment of up to 20 million euros or 4% of the global annual turnover of a company in case of non-compliance.

However, the RGPD will not be an end point in terms of the protection of personal data. Thus, within the European Commission (EC) are already working on the development of a new regulatory text on privacy and electronic communications.

When will the European ePrivacy Regulation be approved?

This is known as the European Electronic Privacy Regulation or ePrivacy -in the proposal phase- , which, once approved, will repeal Directive 2002/58 / EC on the treatment of personal data and the protection of privacy in the sector of electronic communications -more known as the Directive on Privacy and Electronic Communications-. And that once it is transposed into the Spanish legal system it will replace the current Law of Services of the Information Society and Electronic Commerce .

As stated in Article 1 (Object) of the proposal of the future European Regulation of ePrivacy, the provisions of the latter “specify and complement those of the RGPD”, although, logically, the new text will establish specific rules. And it makes clear that “it will be applicable to the processing of electronic communications data carried out in relation to the provision and use of electronic communications services, as well as to the information related to terminal equipment of end users”.

Obviously, as with the RGPD, the ultimate goal of the European ePrivacy Regulation is to protect users and allow them to be the effective owners of their data. But some experts argue that a new regulation on digital privacy was not necessary and others warn that the existence of two regulatory texts can lead to overlaps.

Opinions that do not have many signs of being taken into account. If the roadmap marked by the EC follows the planned agenda, when this post is published the proposal of the European ePrivacy Regulation will enter its final stage and the Austrian presidency will try to have the final text approved before December 31, 2018 , date on which his legislative mandate will end.

Metadata: what are they and how can they be used?

Until then, the proposal advances some news of the future European Regulation of ePrivacy. One of them refers to the “metadata of electronic communications”, which replace the concept of “traffic data” and distinguishes them from the concept of “content of electronic communications”. According to the text under study and approval, the metadata of electronic communications are:

“Data processed in an electronic communications network for the purpose of transmitting, distributing or exchanging content of electronic communications. It includes the data used to track and identify the origin and destination of a communication, the data on the location of the device generated in the context of the provision of electronic communications services and the date, time, duration and type of communication. communication”.

If the final text of the regulation includes what is included in the proposal, the metadata of electronic communications may be treated for the following purposes:

  • For security reasons (protection of systems).
  • To detect technical failures.
  • With the aim of avoiding fraud or abuse of the service.
  • To provide value-added services (provided that the consent of the users is available).

And once the communication has been carried out, except in the case of legal reasons to maintain them, electronic communication metadata will have to be deleted or “anonymized”.

Will the regulation also affect “cookies”?

So is. The data that is sent by a website and stored in the browser of a user’s device – popularly known as “cookies” -, as well as other means of storing data necessary, among other purposes, for the operation of digital advertising , will also be subject to revision in the new European ePrivacy Regulation.

Specifically, what is proposed is to obtain the consent of users through the privacy settings of browsers, which will have to provide facilities to consumers so that they can easily review their options and maintain their preferences. A scenario that, a priori, would not make necessary the consent notices of the web pages.

In any case, as the experts remember, the consent may be withdrawn by the user at any time. And while the treatment of the data remains, companies will be obliged to remember every six months that consumers have that right.

And what other issues of interest does the regulation contemplate?

In addition, as recalled from IAB Spain, an association that brings together advertising, marketing and digital communication companies in Spain, it is important to consider other issues of interest for the future ePrivacy General Regulation:

  • The regulation will apply to the data of the services of the end users that are located within the EU, regardless of the location of the organization.
  • Regarding the use of advertising blockers or filtering (“ad blockers”), the proposal is aware that users can install “software” on their devices to prevent the display of ads, but also makes it easier for websites to ask Consumers if they receive their content and if they are willing to disable advertising.
  • Regarding the Internet of Things, emphasis is placed on transparency and the need to inform users, through prominent notices, about the use of data.
  • Regarding unwanted commercial communications by telephone (automatic calls), SMS or email, they must have the user’s prior consent; and in the case of similar products, the so-called “opt-out” or opposition will be considered.
  • Finally, the proposed sanctioning regime is the same as that of the RGPD, to which we have already referred: the payment of up to 20 million euros or 4% of the overall annual turnover of a company in case of non-compliance.

In short, the European ePrivacy Regulation will also have a significant impact on privacy and before its approval has already caused many reactions. In this sense, there are those who consider it a setback in the use of the Internet and that its entry into force will not do any favors to those who operate on the Internet.

Looks aside, what is clear is that its final version should be taken into account by those who communicate with users using information networks and commercial communications. Organizations forced to be proactive and demonstrate that they meet their requirements.

To achieve this, from the Xenasegur blog we recommend the interested parties -among them, the professionals of the insurance sector– to be in the hands of experts in “compliance” . No one better than them to explain how they will be affected by a rule that many will find complex and advise them how to proceed to ensure the legal safety of users and avoid being penalized.

You can also read: