New EU ‘ePrivacy’ Regulation Aims To Increase Privacy Protections For Electronic Communications And Metadata

The European Commission proposed a new draft “ePrivacy” regulation that would alter how it governs communications, metadata, and consent for data processing in the EU. The new regulation would also eliminate the so-called “EU cookie law,” which requires websites operating within the European Union to ask for consent before tracking users with cookies.

All Communications Must Be Confidential

In a recent “Eurobarometer” survey conducted by the European Union, 92% of the respondents said that it’s important or very important that their personal information is only accessed with their permission.

This makes a good case not just for strong privacy protections in the EU, but also for increased adoption of end-to-end encryption by service companies wherever possible. Encryption backdoors should also be out of the question, as the EU’s cybersecurity advisory agency recently suggested as well.

“Listening to, tapping, intercepting, scanning and storing of, for example, text messages, emails or voice calls will not be allowed without the consent of the user,” said a recent press release by the European Commission.

Although consent is required to access information on a user’s device, it wouldn’t be needed for cookies meant to improve the user experience. This includes the cookies needed to remember shopping cart history, to fill in online forms over several pages, or to keep login information for the same session. Cookies set by a website to count the number of visits made by a certain visitor will also no longer require consent.

This seems like a compromise between the existing “EU cookie law” and stronger privacy protections in order to make the online user experience a little better by not prompting you with a cookie consent request every time you visit a new website.

Unless needed for billing purposes, processing user metadata, such as who you called, the timing, location, and duration of the call, as well as websites visited, will also require consent. There is also a requirement to delete or make anonymous all electronic communications metadata obtained without consent.

Prior consent will also be required for any unsolicited marketing call. Member states that employ a do-not-call list can opt out of this requirement, as long as the marketing callers use a prefix number that indicates their call is a marketing call.

The new rules will also require browsers to prompt European Union users at installation whether they want to enable third-party cookies or not, as well as offer other options for increased privacy during online surfing.

It’s not clear yet what the impact will be on data sharing between Facebook and WhatsApp, which is temporarily suspended.

The new ePrivacy regulation, which focuses on communications between individuals and between individuals and companies, will complement the General Data Protection Regulation (GDPR), which focuses on protecting personal data. Both will be put in front of the European Council (comprised of heads of member states) and the European Parliament for revisions, and they are expected to be adopted by member states by May 25, 2018.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.