Another Colossal Privacy Regulation Looming in EU Parliament
Most companies in the United States are just now evaluating their exposure and planning their compliance under the General Data Protection Regulation (the “GDPR”), which we have addressed in previous articles. As soon as 2019, another wide-reaching European Union (“EU”) measure also may cause hysteria when the ePrivacy Regulation (the “ePR”) is implemented. The present bill proposing implementation of the ePR (the “ePR Bill”) originally was to be implemented with the bill proposing the GDPR in May of 2018, but it remains under review. Nonetheless, it certainly seems that it is merely a matter of time until the ePR Bill passes.
The ePR shares many of the characteristics of the GDPR, but it is distinct in subject matter. While the GDPR seeks to protect the processing of personal data, the ePR is aimed at regulating the processing of electronic communications data. Key features of the ePR are:
- broad territorial scope
- regulations of direct marketing
- significant fines
Similar to the GDPR, the ePR features significant fines and a broad territorial scope, with its ultimate goal being transparency that will give EU citizens more control over the communications sent to them. The ePR protects not only communications in the traditional sense (telephone calls, email, and text messages) but also mobile app communications and internet video communications (for example, Skype), and it reaches entities processing electronic communications data (direct marketing, cookies, metadata, etc.).
The GDPR confuses companies mostly through its territorial scope, given that the GDPR’s coverage applies to the data of all EU citizens no matter where in the world they are located. The ePR will follow suit in that respect, meaning that its regulations will apply to processing of electronic communications that take place outside the EU. That wide-reaching scope likely subjects most United States companies to the ePR.
Direct marketing is any form of advertising sent to one or more EU resident(s), including through telephone calls, email communications, and text messages. Under the ePR, companies are required to obtain each recipient’s individual consent prior to sending the communication. The ePR also requires companies to provide straightforward, user-friendly means to revoke consent once given. Under the ePR, a company is required to provide information to the recipient on how they can opt out of the program. Beyond that, a company also must notify recipients of the nature of its marketing and of its identity as the marketer.
The ePR is currently in the negotiation stage, but a final version of its text is anticipated later this year or early in 2019. The EU government will distribute further guidance on the ePR Bill around that time as well. It will be important for companies concerned with the GDPR to keep the ePR Bill and the ePR in mind for many reasons, not the least of which is that non-compliance will lead to steep penalties. The ePR carries a fine of up to $25 million (USD), or 4% of annual global turnover (whichever is higher).
Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. have advised clients on international and domestic data privacy compliance for years and will continue to provide updates on this latest development (and others to be forthcoming of course) as the global trend toward stricter data privacy inevitably continues. If you have any questions or concerns, please contact us.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.