The European Union’s ePrivacy Directive
set forth rules guaranteeing the protection of privacy in the electronic communications sector. It aims to ensure that the protection of confidentiality of communications, in line with the fundamental right to the respect of private and family life enshrined in Article 7 of the EU Charter of Fundamental Rights, is guaranteed.
The proposed rule updates existing privacy rules for internet service providers by also including electronic communications such as email, text message and chat services and extends them to cover all use of such services in the EU regardless of where the data is processed.
As summarized by the EU, the new rules requires consent for retrieving data from users’ devices and for direct marketing:
- All electronic communications must be confidential. Listening to, tapping, intercepting, scanning and storing of for example, text messages, emails or voice calls will not be allowed without the consent of the user. The proposed Regulation also specifies when processing of communications data is exceptionally permitted and when it needs the consent of the user.
- Confidentiality of users’ online behaviour and devices has to be guaranteed. Consent is required to access information on a user’s device – the so-called terminal equipment. Users also need to agree to websites using cookies or other technologies to access information stored on their computers or to track their online behaviour. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. cookies needed to remember shopping cart history, for filling in online forms over several pages, or for the login information for the same session). Cookies set by a visited website counting the number of visitors to that website will no longer require consent.
- Processing of communications content and metadata is conditioned to consent. Privacy is guaranteed for content of communication as well as metadata – for example who was called, the timing, location and duration of the call, as well as websites visited. Metadata linked to electronic communications have a high privacy component and need to be deleted or made anonymous if users did not give their consent, unless the data is needed for billing purposes.
- Spam and direct marketing communications require prior consent. Regardless of the technology used (e.g. automated calling machines, SMS, or email), users must give consent before unsolicited commercial communications is addressed to them. This will in principle also apply to marketing phone calls unless a Member State opts for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, e.g. by registering on a do-not-call list. Marketing callers will need to display their phone number or use a special prefix number that indicates a marketing call.