Updated: Oct 31, 2018

Since the e-Privacy Directive entered into force in 2002, the European digital market has evolved notably, allowing for new manifestations of electronic communications. Although these state-of-the-art e-communications service providers routinely have exposure to personal and other sensitive data, many of them fall outside the scope of the e-Privacy Directive[1]. As a result, they are not obliged to meet the same rigorous standards of personal data protection that are otherwise applicable to traditional telecoms operators.

The Proposal of the e-Privacy Regulation (the “e-Privacy Regulation” or “Regulation”) is set to change this setup and bring all Over-the-Top (“OTT”) providers, as well as machine-to-machine communications over the Internet of Things, into the scope of a single EU data protection framework. The same approach was endorsed in the course of public consultations preceding the release of the draft Regulation by 76 % of citizens and civil society, 93.1 % of public authorities and, unsurprisingly, only 36.2 % of industry representatives[2], who will be the ones ultimately facing the burden of compliance with the new piece of EU legislation.

Generally, the concept of OTT refers to media services distributable to end-users directly through the Internet without involving telecommunications and broadcasting platforms. This encompasses heavyweight market players such as Skype, WhatsApp, Facebook and Gmail, as well as other Voice over Internet Protocol, web-based email and instant messaging services. The Regulation goes further by including any “interpersonal communications services that are ancillary to another service”[3]. Although the breadth of what exactly “ancillary” means in the context of the Regulation is yet to unfold, one may assume that any website or application offering interpersonal communication features may be affected.

How this flows down to the market players, in practice, depends on the extent to which their existing data processing guidelines are based on end-users’ consent and on the safeguards maintained vis-à-vis data collected from legal entities, which will also enjoy protection under the Regulation[4]. OTT service providers may need to substantially amend their terms and conditions as well as their privacy policies. Although this inevitably entails additional compliance costs, stakeholders already relying upon end-users’ consent and/or operating in the Member States that have imposed equivalent data protection obligations on the OTT sector will not be heavily impacted. At the same time, the traditional telecom providers will finally end up on a level playing field with the OTT operators.

While some of the OTT stakeholders have already adhered, partially or in full, to adequate confidentiality requirements and data protection standards as a matter of applicable local laws and internal company policies, the European Commission is determined not to leave such a vital facet of data privacy to self-regulation of the industry[5]. Therefore, having OTT providers under the Regulation's scope is one feature of the draft that may be regarded as ironclad. Despite all the ambivalence around the Regulation, one can be fairly confident that once it enters into force the OTT communications sector will be markedly impacted.

[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

[2] Explanatory Memorandum to the Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (hereinafter the “Proposal”).

[3] Article 4 and s. 11 of the Proposal.

[4] Article 1 of the Proposal.

[5] Explanatory Memorandum to the Proposal.


©2018 eprivacy tracker. Powered by PIERSTONE.
