Which types of data processing are covered by the E-Privacy Regulation?
The E-Privacy Regulation applies to how communications data are processed when using electronic communications services and to information relating to the end-user’s terminal equipment.
This means that, in contrast to the GDPR, processing both personal and non-personal communications data falls under the material scope of the E-Privacy Regulation – regardless of whether the service in question is provided for a fee or not.
To whom does the E-Privacy Regulation apply?
The entire online sector is affected by the E-Privacy Regulation.
This includes a whole host of companies such as those in the advertising industry, Internet service providers, as well as third-country electronic communication providers offering their services to end users in the EU.
All over-the-top services, i.e. providers of electronic communications services offering IP-based services such as VoIP (Skype), messenger platforms (WhatsApp), webmail (Gmail) and social media (Facebook, Instagram), are covered by this regulation to the same extent as machine-to-machine communication between “smart” devices that is an increasingly common occurrence in the Internet of Things.
What are the penalties for non-compliance?
In the event that any provisions of the E-Privacy Regulation are violated, severe fines may be levied – the EU will align the penalties under the E-Privacy Regulation with those of the GDPR.
This means that the unlawfully processing communications data will be subject to an administrative fine of up to EUR 10 million or up to 2 % of a company’s total worldwide annual turnover (Article 23 para. 2 (a) of the draft). Unlawful direct marketing communications will be subject to the same administrative fine (Article 23 para. 2 (d) of the draft).
Administrative fines of up to EUR 20 million or up to 4 % of a company’s total worldwide annual turnover may be imposed for violations of the principle of confidentiality of communications, the authorised processing of electronic communications, and time limits for erasure under Articles 5, 6 and 7 of the draft (Article 23 para. 3 of the draft).
In addition to these fines, end users can claim material and non-material compensation from the infringer (Article 22 of the draft).
It is interesting to note that Article 21 para. 2 of the draft explicitly protects legitimate business interests of third parties, meaning that competitors shall have a right to initiate legal proceedings in respect of infringements of the E-Privacy Regulation.
When will the E-Privacy Regulation come into force?
The E-Privacy Regulation is not expected to take effect before 2022.