Brussels, 10 January 2017
The Commission is proposing new legislation to ensure stronger privacy in electronic communications, while opening up new business opportunities.
The measures presented today aim to update current rules, extending their scope to all electronic communication providers. They also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market – a key objective of the Digital Single Market strategy. At the same time, the proposal aligns the rules for electronic communications with the new world-class standards of the EU’s General Data Protection Regulation. The Commission is also proposing new rules to ensure that when personal data are handled by EU institutions and bodies privacy is protected in the same way as it is in Member States under the General Data Protection Regulation, as well as setting out a strategic approach to the issues concerning international transfers of personal data.
First Vice-President Timmermans said: “Our proposals will complete the EU data protection framework. They will ensure that the privacy of electronic communications is protected by up to date and effective rules, and that European institutions will apply the same high standards that we expect from our Member States.”
Andrus Ansip, Vice-President for the Digital Single Market said: “Our proposals will deliver the trust in the Digital Single Market that people expect. I want to ensure confidentiality of electronic communications and privacy. Our draft ePrivacy Regulation strikes the right balance: it provides a high level of protection for consumers, while allowing businesses to innovate.”
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “The European data protection legislation adopted last year sets high standards for the benefit of both EU citizens and companies. Today we are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide.”
Better online protection and new business opportunities
The proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business:
- New players: 92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators. Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
- Stronger rules: By updating the current Directive with a directly applicable Regulation, all people and businesses in the EU will enjoy the same level of protection for their electronic communications.Businesses will also benefit from one single set of rules across the EU.
- Communications content and metadata: Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. time of a call and location). Both have a high privacy component and, under the proposed rules, will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.
- New business opportunities: Once consent is given for communications data, both content and/or metadata, to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services. For example, they could produce heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.
- Simpler rules on cookies: The so called “cookie provision”, which has resulted in an overload of consent requests for internet users, will be streamlined. New rules will allow users to be more in control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
- Protection against spam: Today’s proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and in principle also by phone calls if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
- More effective enforcement: The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.
Data protection rules for EU institutions and bodies
The proposed Regulation on the protection of personal data by European institutions and bodies aims to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016. Anyone whose personal data are handled by the European institutions or agencies will benefit from higher standards of protection.
International data protection
The proposed Communication sets out a strategic approach to the issue of international personal data transfers, which will facilitate commercial exchanges and promote better law enforcement cooperation, while ensuring a high level of data protection. The Commission will engage proactively in discussions on reaching “adequacy decisions” (allowing for the free flow of personal data to countries with “essentially equivalent” data protection rules to those in the EU) with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, but also with interested countries of Latin America and the European Neighbourhood.
In addition, the Commission will also make full use of other alternative mechanisms provided by the new EU data protection rules – the General Data Protection Regulation and Police Directive – to facilitate the exchange of personal data with other third countries with which adequacy decisions cannot be reached.
The Communication also reiterates that the Commission will continue to promote the development of high data protection standards internationally, both at bilateral and multilateral levels.
With the presentation of the proposals today, the Commission is calling on the European Parliament and the Council to work swiftly and to ensure their smooth adoption by 25 May 2018, when the General Data Protection Regulation will enter into application. The intention is to provide citizens and businesses with a fully-fledged and complete legal framework for privacy and data protection in Europe by this date.
Together with today’s proposals the Commission also presented a Communication to give a boost to the data economy. More information can be found here.