Draft Amendment to the Electronic Communications Act from the Perspective of Personal Data Protection

Cookies and Consent Requirements

The original wording of Sec. 109(8) ECA was: “Anyone who stores or gains access to information stored in a user’s terminal equipment is authorized to do so only if the data subject has given demonstrable consent.” The draft amendment removes the word “data subject” from this provision. At the end of the provision, it adds the phrase “meeting the requirements under a special regulation,” referring directly to the GDPR. This seemingly minor change means that, going forward, consent given via a cookie banner will also be subject to the GDPR, and such consent will have to meet all requirements set out in the GDPR.

New Definition of Direct Marketing

Until now, direct marketing was defined as: “Any form of presentation of goods or services in written or oral form, sent or presented via a publicly available service directly to one or more subscribers or users.” The legislator proposes to add “including obtaining information about goods and services from the subscriber or user.” It is unclear what objective the legislator intends to achieve with this addition and whether it is consistent with the purpose of the GDPR or the ePrivacy Directive. The definition of direct marketing does not normally cover communication between a controller and a customer (except in cases such as product complaints) after the sale of goods (the subscriber or user has already paid for the goods and is actively using them). This is more a matter of the seller’s or service provider’s interest in improving services, rather than advertising them. We assume this refers to so-called customer satisfaction surveys, which do not clearly belong under direct marketing.

Cold-Calling for Consent

In Sec. 116(4), the draft amendment expands the prohibition on cold-calling for consent to include standard calls with human involvement, which would be prohibited from the date the amendment takes effect.

Time Limit for Contacting Existing Customers about Sold Goods and Services

Previously, the time limit for contacting existing customers was left to the discretion of the seller or service provider, who was expected to set a reasonable limit in accordance with GDPR principles.

In Sec. 116(16), the draft amendment sets this limit at two years after the end of the contractual relationship. The time limit is primarily based on Art. 13(2) of the ePrivacy Directive, which states that when a natural or legal person obtains customers’ electronic contact details for electronic mail in connection with the sale of a product or service, and in accordance with Directive 95/46/EC, that same person may use those electronic contact details for direct marketing of its own similar products or services, provided that customers are clearly and unequivocally offered the opportunity to object, free of charge and easily, to such use at the time the details are collected and with each subsequent message, unless the customer has previously objected to such use.

Recital 41 of the ePrivacy Directive further supports the use of such consent, stating that the use of electronic contacts within existing relationships is permissible only by the company that obtained them in compliance with Directive 95/46/EC.

After obtaining electronic contact information, the customer must be clearly and unequivocally informed of its further use for direct marketing and must be able to refuse such use. This opt-out option should continue to be offered free of charge with every subsequent direct marketing communication.

In view of the ePrivacy Directive, it remains questionable how long a relationship can be considered “existing.” Since the period is set at two years after the service is provided, it is likely that the legislator linked the two-year period to the statutory warranty period that consumers generally have when purchasing goods.

Sanctions

Changes are also proposed in the sanctions section. In Sec. 124(4), according to the explanatory memorandum, the legislator proposes introducing a so-called “second chance” for certain administrative offences. These are breaches where immediate imposition of a financial penalty is not essential, and compliance with the breached obligation is more meaningful. As a condition for avoiding a financial penalty, the identified deficiencies must be remedied. However, this does not apply to any breaches in the field of personal data protection.

Furthermore, the legislator proposes a change in the procedure for imposing fines on natural persons (including for breaches in the field of personal data protection), shifting from the procedure under Act No. 372/1990 Coll. on Offences to the procedure under Act No. 71/1967 Coll. on Administrative Proceedings (Administrative Procedure Code). The reason is that, in offences relating to electronic communications, it is often not possible within the one-month period set by Sec. 59(4) of the Offences Act to clarify and prove the offence to a specific person. Identifying the offender, drafting and sending the record, and addressing any objections while meeting procedural and delivery deadlines generally takes more than one month.

Conclusion

The proposed amendment to the ECA introduces several significant changes in the field of personal data protection, primarily to align with the GDPR and the ePrivacy Directive. The most substantial adjustments concern consent for cookies, a stricter definition of direct marketing, restrictions on cold-calling for consent, and the introduction of a fixed two-year limit for contacting former customers.

While some changes may contribute to greater transparency and legal certainty for data subjects, others – such as the expanded definition of direct marketing – may raise questions about compliance with the intent of existing EU privacy legislation. The changes in sanctions, including the shift to administrative proceedings and the introduction of a “second chance,” may increase enforcement efficiency, but personal data protection remains excluded from this more lenient regime. Overall, the draft amendment represents an attempt to modernize the legal framework, but its actual impact can only be objectively assessed after adoption and practical application.

References

1. Sec. 116(2) of the ECA