ePrivacy Directive (ePD)

Who is excluded from ePD compliance? 

The ePD is not applicable to “activities which fall outside the scope of the Treaty establishing the European Community” or to “activities concerning public security, defense, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.”

In addition to this, Article 10 outlines a few exceptions where calling line identification may be temporarily suspended where there is a request to trace what the ePD calls “malicious or nuisance calls” or where both calling line identification may be temporarily suspended and consent can temporarily be denied to or absent from a user or subscriber “for the processing of location data, on a per-line basis for organizations dealing with emergency calls and recognised as such by a Member State, including law enforcement agencies, ambulance services and fire brigades, for the purpose of responding to such calls.”

How can I keep my organization ePD compliant? 

The ePD’s most well known contribution to data privacy is cookie consent, of which it mandates that before cookies may be used, consent has to be obtained. Later on, when the GDPR came into force, it expanded on this and supplemented the ePD by mandating that cookie identifiers could be considered personal data. 

What this means is that your organization’s website has to obtain a user’s permission before storing cookies on their device, unless said cookies are absolutely necessary for the functioning of the website. For example, a cookie that helps remember a user’s login details for the website is not subject to user consent as the user wouldn’t be able to access and use the website without it. However, before giving their consent, users have to be informed of the general purpose for cookies, meaning not every single cookie has to be included, but rather every category (functional, analytical, first party, third party, etc.), which is why cookie banners are used on many websites nowadays, to comply with the ePD.

Another requirement for your organization refers to data anonymization and data deletion. You are required to delete or anonymize data that is no longer required, unless it must be kept for billing purposes. Additionally, the ePD mandates the anonymity of all location data meaning that users’ whereabouts cannot be personally tracked. According to the GDPR, anonymous data is “information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. To ensure that the data is anonymized it needs to match certain criteria, otherwise it would be considered pseudonymized data. 

For situations where your organization communicates with users, before you can do so, you must obtain the consent of the targeted users, and this is true about all forms of communication, such as call, text, marketing email, etc. This is an opt-in requirement which makes it clear that no form of communication is allowed unless the user expresses consent, unsolicited emails and calls, made via automated communications systems are forbidden, and any emails sent out to users have to be sent from a legitimate email address and include an option to unsubscribe from them. 

Data security is another requirement of the ePD, meaning that any personal data your organization holds must be protected by security measures. Additionally, the ePD forbids monitoring communications channels unless it is necessary to "safeguard national security," look into criminal cases, or in any other special circumstances. Some of these measures have to at least:

• “ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
• protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure; and,
• ensure the implementation of a security policy with respect to the processing of personal data.”

In the event of a data breach risk, as a service provider you “must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by [your organization], of any possible remedies, including an indication of the likely costs involved.” If an actual data breach occurs, you are required to notify the competent national authorities and if it is “likely to adversely affect the personal data or privacy of a subscriber or individual” you must also inform the subscriber or individual “without undue delay.” This is not required if you have “demonstrated to the satisfaction of the competent authority” that you have “implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach.”

According to the ePD, Member States must ensure confidentiality of communications by forbidding the “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorized to do so (when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defense, public security, and the prevention, investigation, detection and prosecution of criminal offenses or of unauthorized use of the electronic communication system)” through national legislation. 

In all forms of data processing, such as traffic data, being registered in a public directory, opting in to communication with service providers, etc. users have to be given the possibility to withdraw their consent at any time. 

What data access rights does ePD grant? 

The ePD does not provide a list of data subject rights, such as those regulated by the GDPR, but it does give users and subscribers control of their personal data and its processing. 

Users and subscribers have several rights:

• to be informed beforehand and free of charge before their data is included in directories and to withdraw consent at any time;
• to have the opportunity to determine that their personal data has been included in a public directory, which directory that is, and to verify, correct, or have the data withdrawn;
• to receive non-itemised bills.

How to address data subject access requests under ePD?

The ePD offers no data subject rights but it does state that where users withdraw consent or wish to verify or correct data this should be made available to them and it should be free of charge. 

Enforcement and penalties

The ePD mandates that each Member State will have its own national regulating authority and its own set of sanctions, including criminal ones where applicable, and these sanctions “must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified,” and have to be communicated to the European Commission, along with any subsequent amendments. 

Every national regulating authority will have to be provided with the necessary powers and resources in order to conduct investigations, and these authorities may adopt measures “to ensure effective cross-border cooperation in the enforcement of the national laws adopted pursuant to this Directive and to create harmonized conditions for the provision of services involving cross- border data flows.” However, before adopting such measures, they will have to be communicated to the Commission who may “make comments or recommendations thereupon, in particular to ensure that the envisaged measures do not adversely affect the functioning of the internal market.”