Global menu

Our global pages

Close

e-Privacy

  • Poland
  • Privacy, data protection and cybersecurity

10-02-2017

2017 and 2018 promise to be particularly intriguing from the perspective of several tightly interwoven fields with a huge impact on all entities and all regions. The legal changes will affect not only individual consumers but also legal persons—new regulations on electronic marketing, electronic services, and data protection.
Adoption of the EU’s General Data Protection Regulation (2016/679) will revolutionize this area. It enters into force in 2018, but now is the time to start preparing for implementation of the regulation. A further step toward consistent and tight regulation of privacy, data protection and electronic services will be adoption and entry into force of the EU’s proposed e-Privacy Regulation.
What makes this change revolutionary is primarily that the e-Privacy Directive (2002/58/EC) will be replaced by a regulation. This is an instrument of EU law that applies directly in the same form in every member state. It does not require implementation into the national legal system, although on certain issues even an EU regulation allows the member states a small degree of legislative discretion. Then the member states can clarify certain issues under national law, but typically only to heighten its protections, not relax them.
What will be the most pressing issues in the immediate future?
It should be stressed that the e-Privacy Regulation which has been published on the European Commission website is not a final document yet. It will no doubt undergo changes during the legislative process. Nonetheless, the proposal gives a good picture of how EU lawmakers intend to regulate the issue of privacy on the internet and more broadly in the virtual world.
The issues to be governed by the e-Privacy Regulation which will generally be essential for every business include the conduct of electronic marketing, collection of user data, and first and foremost the legal basis for such activities, such as consent, the conditions for obtaining it, the ability to withdraw it, and so on.
What else should you know?
First, art. 8 and 16 of the draft regulation should be examined. Under art. 8, as a rule, it will be prohibited to collect information about an end user of terminal equipment, such as a computer or mobile phone, unless one of the enumerated exceptions applies. One such exception is the user’s prior concept. But consent must be “informed” and given for specific and transparently defined purposes. Nonetheless, the preamble to the proposal expressly recognizes that consent may be given via internet browser settings. The drafters thus seek to make the manner in which the required information is presented to users and their consent is obtained as user-friendly as possible.
Further consideration should be given to art. 16 of the proposed regulation, addressing “unsolicited communications”—electronic marketing contacts. A condition for delivering such marketing materials is to obtain the end user’s prior consent. But an interesting possibility is also provided for: if the sender already has the electronic contact details for the end user because the end user is already a customer, it may use these contact details for direct marketing of its own similar products or services, but only if customers are clearly and distinctly given the opportunity to object to such use (free of charge and in an easy manner). The right to object would have to given at the time of collection of the contact details and each time a message is sent using the contact details.
Significantly, the draft of the e-Privacy Regulation provides for fines for violations of the regulation of up to EUR 20 million, or in the case of an enterprise, up to 4% of its global turnover in the preceding financial year—whichever is higher.

2017 and 2018 promise to be particularly intriguing from the perspective of several tightly interwoven fields with a huge impact on all entities and all regions. The legal changes will affect not only individual consumers but also legal persons—new regulations on electronic marketing, electronic services, and data protection.

Adoption of the EU’s General Data Protection Regulation (2016/679) will revolutionize this area. It enters into force in 2018, but now is the time to start preparing for implementation of the regulation. A further step toward consistent and tight regulation of privacy, data protection and electronic services will be adoption and entry into force of the EU’s proposed e-Privacy Regulation.

What makes this change revolutionary is primarily that the e-Privacy Directive (2002/58/EC) will be replaced by a regulation. This is an instrument of EU law that applies directly in the same form in every member state. It does not require implementation into the national legal system, although on certain issues even an EU regulation allows the member states a small degree of legislative discretion. Then the member states can clarify certain issues under national law, but typically only to heighten its protections, not relax them.

It should be stressed that the e-Privacy Regulation which has been published on the European Commission website is not a final document yet. It will no doubt undergo changes during the legislative process. Nonetheless, the proposal gives a good picture of how EU lawmakers intend to regulate the issue of privacy on the internet and more broadly in the virtual world.

The issues to be governed by the e-Privacy Regulation which will generally be essential for every business include the conduct of electronic marketing, collection of user data, and first and foremost the legal basis for such activities, such as consent, the conditions for obtaining it, the ability to withdraw it, and so on.

First, art. 8 and 16 of the draft regulation should be examined. Under art. 8, as a rule, it will be prohibited to collect information about an end user of terminal equipment, such as a computer or mobile phone, unless one of the enumerated exceptions applies. One such exception is the user’s prior concept. But consent must be “informed” and given for specific and transparently defined purposes. Nonetheless, the preamble to the proposal expressly recognizes that consent may be given via internet browser settings. The drafters thus seek to make the manner in which the required information is presented to users and their consent is obtained as user-friendly as possible.

Further consideration should be given to art. 16 of the proposed regulation, addressing “unsolicited communications”—electronic marketing contacts. A condition for delivering such marketing materials is to obtain the end user’s prior consent. But an interesting possibility is also provided for: if the sender already has the electronic contact details for the end user because the end user is already a customer, it may use these contact details for direct marketing of its own similar products or services, but only if customers are clearly and distinctly given the opportunity to object to such use (free of charge and in an easy manner). The right to object would have to given at the time of collection of the contact details and each time a message is sent using the contact details.

Significantly, the draft of the e-Privacy Regulation provides for fines for violations of the regulation of up to EUR 20 million, or in the case of an enterprise, up to 4% of its global turnover in the preceding financial year—whichever is higher.

 

Download our brochure "Law and Business 2017" >

For more information contact

< Go back

Press contact

Renata Misiewicz
PR team
+48 22 50 50 719
renata.misiewicz@eversheds-sutherland.pl