What is ePD?
The ePrivacy Directive (ePD, Directive 2002/58/EC) is a body of EU data privacy rules that instructs Member States on how to shape their own national legislation so that it meets the directive's aims.
It predates the GDPR by 14 years. As a directive it binds Member States as to the result to be achieved but is not directly applicable to organizations; it reaches them through the national laws that implement it. It was adopted in 2002 and amended in 2009 by Directive 2009/136/EC, which produced the consolidated version with clearer guidelines that applies today. Even so, it contains valuable insights into data privacy and offers a solid foundation.
In order to protect fundamental rights and freedoms, particularly the right to privacy, as well as the free movement of such data and of electronic communication equipment and services within the European Community, it harmonizes the Member States' provisions on, among other aspects of data privacy, cookies, marketing emails and data minimization. It has been called 'the cookie law' on account of its impact on the cookie banners that appear on websites. It sits alongside the GDPR to strengthen the EU's data protection legal framework, which is why the two should be read together, and it is expected that at some point it will be replaced by an ePrivacy Regulation, currently in development.
What is Personal Information and what are other key definitions?
The ePD does not define personal data itself; that definition is taken from general data protection law (originally Directive 95/46/EC, now the GDPR). It does, however, define a 'user' as "any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service."
It also defines 'traffic data' as any data processed for the purpose of conveying a communication on an electronic communications network or for billing it, and 'location data' as any data processed in an electronic communications network that indicates the geographic position of the terminal equipment of a user of a publicly available electronic communications service.
Consent has the same meaning here as in general data protection law (today the GDPR): any freely given, specific and informed indication of the user's wishes by which the user signals agreement to the processing of their personal data.
Lastly, the ePD offers two other definitions that are relevant to its scope. According to the text, 'value added service' means "any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof." This matters where location data other than traffic data is passed to third parties for such a service: users must be informed, and they must be able to withdraw consent easily and at any time. The other definition is that of 'personal data breach', which is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community."
Who has to comply with the ePD?
The ePD applies to "the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices."
This means that any publicly available electronic communication and telecommunication service is covered, regardless of the technology used. As a service provider, your organization needs to implement the appropriate measures to ensure data privacy and security, and to make a proper level of information available to users.
Who is excluded from ePD compliance?
The ePD is not applicable to “activities which fall outside the scope of the Treaty establishing the European Community” or to “activities concerning public security, defense, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.”
In addition to this, Article 10 sets out two exceptions. First, the elimination of calling line identification may be overridden temporarily where a subscriber asks for "malicious or nuisance calls" to be traced. Second, both the elimination of calling line identification and a user's or subscriber's refusal of consent "for the processing of location data" may be overridden, on a per-line basis, for organizations dealing with emergency calls and recognised as such by a Member State, including law enforcement agencies, ambulance services and fire brigades, for the purpose of responding to such calls.
How can I keep my organization ePD compliant?
The ePD's best known contribution to data privacy is cookie consent: Article 5(3) requires consent before information is stored on, or accessed from, a user's terminal equipment, which covers cookies and any equivalent technology. When the GDPR later came into force it supplemented the ePD by stating (in Recital 30) that online identifiers such as cookie identifiers may be personal data.
What this means is that your organization's website has to obtain a user's consent before storing cookies on their device, unless a cookie is strictly necessary to provide a service the user has explicitly requested or to carry out the transmission of a communication. For example, the session cookie that keeps a logged-in user authenticated while they use the site is not subject to consent, as the user could not use the site without it. Before giving their consent, users have to be informed of the general purposes for which cookies are used. Not every single cookie has to be listed, but every category does (functional, analytical, first party, third party, etc.), which is why cookie banners are used on so many websites today.
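The requirement above is easy to state and easy to get wrong in code, because a third-party tag that fires on page load has already written its cookie before any banner is answered. The following is an added example, not part of the ePD text or of any vendor's product, of a consent gate that declares every cookie with a category up front, lets strictly necessary cookies through, blocks everything else until the user opts in to that category, and deletes a category's cookies on withdrawal. The category names, cookie names and purposes are assumptions for illustration, and a Map stands in for the browser cookie store so the example runs outside a browser.

```javascript
// Added example (not from the ePD text or any vendor): a small consent gate
// for cookie categories. Cookie names, categories and purposes are assumed.

const STRICTLY_NECESSARY = 'strictly necessary';

// Every cookie the site may set is declared here with its category and purpose.
// The banner's category-level disclosure is generated from this registry, and a
// cookie that is not declared cannot be set at all.
const COOKIE_REGISTRY = {
  session_id:    { category: STRICTLY_NECESSARY, purpose: 'keeps the user logged in for this session' },
  consent_prefs: { category: STRICTLY_NECESSARY, purpose: 'stores the consent choices made on the banner' },
  _ga:           { category: 'analytical', purpose: 'first-party usage statistics' },
  ad_id:         { category: 'marketing',  purpose: 'third-party advertising identifier' },
};

class ConsentGate {
  // `jar` stands in for the browser cookie store (a Map here; in a page you
  // would read and write document.cookie instead).
  constructor(jar) {
    this.jar = jar;
    this.consent = {};   // category -> true; absent means not consented (default deny)
    this.restoreFromJar();
  }

  // Information for the banner: one entry per category listing the cookies and
  // purposes it covers. Strictly necessary is disclosed but is not a choice.
  bannerCategories() {
    const out = {};
    for (const [name, { category, purpose }] of Object.entries(COOKIE_REGISTRY)) {
      (out[category] = out[category] || []).push({ name, purpose });
    }
    return out;
  }

  // Record an opt-in for one or more categories and persist the choice in a
  // strictly necessary cookie so the banner need not be answered on every page.
  grant(categories) {
    for (const c of categories) {
      if (c === STRICTLY_NECESSARY) continue;   // never a choice, never "consented"
      this.consent[c] = true;
    }
    this.persist();
  }

  // Withdrawal must be as easy as consent: drop the category and delete every
  // cookie that was set under it.
  withdraw(category) {
    delete this.consent[category];
    for (const [name, { category: c }] of Object.entries(COOKIE_REGISTRY)) {
      if (c === category) this.jar.delete(name);
    }
    this.persist();
  }

  // The gate itself: returns true if the cookie was set, false if it was blocked.
  setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) throw new Error(`refusing undeclared cookie: ${name}`);
    if (entry.category !== STRICTLY_NECESSARY && !this.consent[entry.category]) {
      return false;   // no opt-in for this category, so nothing touches the device
    }
    this.jar.set(name, value);
    return true;
  }

  persist() {
    this.jar.set('consent_prefs', JSON.stringify(Object.keys(this.consent)));
  }

  restoreFromJar() {
    const raw = this.jar.get('consent_prefs');
    if (!raw) return;
    for (const c of JSON.parse(raw)) this.consent[c] = true;
  }
}

// Walk-through on a fresh, constructed cookie store.
function demo() {
  const gate = new ConsentGate(new Map());
  const before = gate.setCookie('_ga', 'GA1.2.1');   // blocked: no consent yet
  gate.grant(['analytical']);
  const after = gate.setCookie('_ga', 'GA1.2.1');    // allowed after opt-in
  const ads = gate.setCookie('ad_id', 'x');          // still blocked: other category
  gate.withdraw('analytical');
  return { before, after, ads, gaStillPresent: gate.jar.has('_ga') };
}

console.log(demo()); // { before: false, after: true, ads: false, gaStillPresent: false }
```

The important design choice is that the default is deny and the decision is made by the code that sets the cookie, not by the banner: any analytics or advertising script on the page has to go through setCookie, so a tag that loads before the user answers cannot write anything. The consent record itself is kept in a strictly necessary cookie, which is what allows the choice to persist across pages without being caught by the gate.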
Another requirement for your organization concerns data anonymization and deletion. You are required to delete or anonymize traffic data once it is no longer needed for the transmission of a communication, unless it must be kept for billing purposes. In addition, location data other than traffic data may only be processed when it has been made anonymous or with the user's consent, so a user's whereabouts cannot be tracked without their agreement. According to the GDPR, anonymous data is "information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable". Data only counts as anonymized if the individual can no longer be identified by any means reasonably likely to be used; if the identifier has merely been replaced by a token that can be reversed with additional information held elsewhere, the data is pseudonymized and remains personal data.
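The difference between pseudonymized and anonymized data is easiest to see on concrete records. The following is an added example, not part of the ePD or of any vendor's product, run on a small constructed set of location records: pseudonymization swaps the identifier for a token but keeps a lookup table and leaves one person's records linkable, while the anonymization shown here drops the identifier, coarsens each position to a grid cell and releases only cells that hold at least k records. The records, grid size and threshold are assumptions for illustration.

```javascript
// Added example (not from the ePD or any vendor): pseudonymization versus
// anonymization on constructed location records. Values below are made up.

const RECORDS = [   // constructed sample: who was where, by hour
  { user: 'alice@example.com', lat: 52.5200, lon: 13.4050, hour: 8 },
  { user: 'alice@example.com', lat: 52.5210, lon: 13.4110, hour: 9 },
  { user: 'bob@example.com',   lat: 52.5203, lon: 13.4060, hour: 8 },
  { user: 'carol@example.com', lat: 48.8566, lon: 2.3522,  hour: 8 },
];

// Pseudonymization: replace the identifier with a token and keep the mapping
// in a separate table. The records of one user remain linkable (her movements
// can still be followed), and whoever holds the table can re-identify her,
// so the output is still personal data.
function pseudonymize(records) {
  const forward = new Map();   // user -> token
  const reverse = new Map();   // token -> user: the re-identification key, kept apart
  const out = records.map((r) => {
    if (!forward.has(r.user)) {
      const token = `p${forward.size + 1}`;
      forward.set(r.user, token);
      reverse.set(token, r.user);
    }
    return { user: forward.get(r.user), lat: r.lat, lon: r.lon, hour: r.hour };
  });
  return { records: out, reverse };
}

// Anyone with the reverse table undoes the pseudonymization completely.
function reidentify(pseudo) {
  return pseudo.records.map((r) => ({ ...r, user: pseudo.reverse.get(r.user) }));
}

// Anonymization (one common approach, assumed here): drop the identifier,
// round each position down to a grid cell of cellSizeDeg degrees, and publish
// only per-cell counts that reach k, suppressing cells that could single out
// one person. No output row refers to any user.
function anonymize(records, { cellSizeDeg = 0.01, k = 2 } = {}) {
  // cell index from 1e-4 degree integer units, avoiding float drift in floor()
  const idx = (deg) => Math.floor(Math.round(deg * 1e4) / (cellSizeDeg * 1e4));
  const counts = new Map();
  for (const r of records) {
    const key = `${idx(r.lat)}:${idx(r.lon)}:${r.hour}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const out = [];
  for (const [key, count] of counts) {
    if (count < k) continue;   // a cell with one record would single that person out
    const [latCell, lonCell, hour] = key.split(':').map(Number);
    out.push({ latCell, lonCell, hour, count });
  }
  return out;
}

const pseudo = pseudonymize(RECORDS);
console.log(pseudo.records);          // alice's two rows both carry token p1: still linkable
console.log(reidentify(pseudo));      // the table restores every e-mail address
console.log(anonymize(RECORDS));      // [{ latCell: 5252, lonCell: 1340, hour: 8, count: 2 }]
```

Thresholded aggregates are one widely used technique, not a guarantee: whether a dataset is truly anonymous depends on what other data a recipient could combine it with, so the grid size and k have to be chosen against a realistic re-identification assessment rather than copied from this example.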
Where your organization sends direct marketing to users, the ePD requires prior consent before the first message: automated calling systems, fax and electronic mail (which includes SMS and similar messages) may only be used for direct marketing with the prior opt-in consent of the user, while for live person-to-person marketing calls each Member State chooses between an opt-in and an opt-out regime. The one exception is an existing customer relationship: contact details obtained in the course of a sale may be used to market your own similar products or services, provided the customer was given a clear and free opportunity to object when the details were collected and is given one in every message. Marketing emails must never disguise or conceal the sender's identity, and every one must carry a valid address to which the recipient can send a request to stop, which in practice means a working unsubscribe option.
Data security is another requirement of the ePD: any personal data your organization holds in connection with its service must be protected by technical and organizational measures appropriate to the risk presented. (The related prohibition on intercepting or monitoring communications is covered below.) At a minimum, these measures must:
- “ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
- protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and,
- ensure the implementation of a security policy with respect to the processing of personal data.”
Where there is a particular risk of a breach of network security, as a service provider you "must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by [your organization], of any possible remedies, including an indication of the likely costs involved." If a personal data breach actually occurs, you are required to notify the competent national authority without undue delay and, if the breach is "likely to adversely affect the personal data or privacy of a subscriber or individual", you must also inform that subscriber or individual "without undue delay." Notifying the subscriber or individual (but not the authority) is not required if you have "demonstrated to the satisfaction of the competent authority" that you have "implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach", for example because the data was encrypted in a way that renders it unintelligible to anyone not authorized to access it.
According to the ePD, Member States must ensure confidentiality of communications by forbidding the “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorized to do so (when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses or of unauthorized use of the electronic communication system)” through national legislation.
In all forms of processing that rest on consent, such as the use of traffic or location data for value added services, inclusion in a public directory, or receiving marketing communications from service providers, users must be given the possibility to withdraw their consent at any time.
What data access rights does ePD grant?
The ePD does not provide a catalogue of data subject rights like the one in the GDPR, but it does give users and subscribers control over specific aspects of their personal data and its processing.
Users and subscribers have several rights:
- to be informed, free of charge and before their data is included in a public directory, of the purposes of that directory, and to withdraw consent at any time;
- to determine whether their personal data has been included in a public directory and which one, and to verify, correct or withdraw that data free of charge;
- to receive non-itemised bills;
- to prevent the presentation of calling line identification on a per-call or per-line basis, by a simple means and free of charge, and to reject incoming calls where the caller has withheld it;
- to stop automatic call forwarding by a third party to their terminal, by a simple means and free of charge.
How to address data subject access requests under ePD?
The ePD defines no access request procedure of its own; requests for a copy of personal data are handled under the GDPR's right of access (Article 15), which applies alongside the ePD. What the ePD does state is that where users withdraw consent, or wish to verify, correct or withdraw data held in a public directory, that possibility must be available to them and must be free of charge.
Enforcement and penalties
The ePD requires each Member State to designate its own national regulatory authority and to lay down its own set of sanctions, including criminal ones where applicable. These sanctions "must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified," and they have to be communicated to the European Commission, along with any subsequent amendments.
Every national regulatory authority must be given the powers and resources necessary to conduct investigations, and these authorities may adopt measures "to ensure effective cross-border cooperation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonized conditions for the provision of services involving cross-border data flows." Before adopting such measures, however, they have to be communicated to the Commission, which may "make comments or recommendations thereupon, in particular to ensure that the envisaged measures do not adversely affect the functioning of the internal market."
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.