The ePrivacy Regulation – current status and the impact on electronic communication

Attorney and Chairman of the Board at eco – Association of the Internet Industry, Oliver Süme brought delegates at the CSA Summit 2018 on a guided tour to Data Protection Wonderland, with a stopover in Brussels, the heart of EU policy and lawmakers. Süme gave an overview of the EU ePrivacy Regulation currently being drafted and negotiated, and offered “six things you need to know” about the bill, the legislative process, and how companies can prepare for it.

What is the ePrivacy Regulation in the first place?

Firstly, Süme put the ePrivacy Regulation into the context of family relations: The legislation is basically the little sister of the EU General Data Protection Regulation (GDPR), conceived initially to come into effect simultaneously with, and aimed at being complementary to, its big sister. ePrivacy also has two cousins: the late Data Protection Directive (dead and buried and replaced by the GDPR) and what is known as the “Cookie” Directive (the first ePrivacy-related EU directive, now on its deathbed). 

However, the ePrivacy Regulation has been experiencing a much longer gestation period than the GDPR. Issues relating to eprivacy have been subject to very controversial discussion between industries, industry associations, and policy makers – even more so than was the case for the GDPR. There is seen to be a need to protect the interests of the consumers, but also the interests of the industry. The regulation is designed to replace the “Cookie” Directive, and has the same approach as the GDPR in terms of territorial scope and application – which means that every company will be subject to the ePrivacy Regulation if they are processing personal data from European consumers, regardless of where in the world the company is based. The much-publicized regime of fines imposed by the GDPR will also apply to the ePrivacy Regulation, and its status as an EU regulation means that it is directly applicable, with no need for implementation laws in the different member states.

What does the ePrivacy Regulation cover?

The legislation is designed to have a broader scope than the old privacy directive, with a focus on

the confidentiality of communications, irrespective of what kind of technology is used. The new regulation also covers electronic communication service providers – e.g. voice, messaging, and OTT services. The main aim of the regulation is to protect personally identifiable information (PII) – and as a result, it also covers Machine-to-Machine communication and metadata. Süme pointed out that this gives lawmakers a first opportunity to cover IoT devices, something which they want to have more control of in the future. He commented further that there are many stakeholders that are very concerned about this section of the law, because this has the potential to significantly slow down innovation in the IoT market.

Consent in the ePrivacy Regulation

In terms of consent, nothing changes with regard to classical email marketing; the regulation remains largely similar to the “Cookie” Directive. However, consent becomes the rule, with only limited exemptions from consent – in contrast to enabling communications to be based on legitimate interest as is the case in the GDPR. The ePrivacy Regulation considers everything as high risk, and will almost always require consent (exemptions given would include the use of a cookie in a shopping cart). According to Süme, this is a strong concern for online advertising and marketing as an industry. Süme pointed out that consent can be expressed by using appropriate browser settings, and the regulation requires browsers to have a range of settings and privacy categories to enable granular consent to be given.

Who devised the ePrivacy Regulation?

Oliver Süme went on to clarify law-making in the European Union in relation to the ePrivacy Regulation: There are three organizations responsible for law making. The EU Commission, after analyzing the situation, made the initial proposal. The first draft was published approximately 18 months ago. The draft then went to the European Parliament, which has to find a position on the legislation, and the Parliament published a second version of the draft. Then the draft was taken to the European Council (a very powerful body made up of representatives of the EU member states) – which is where the legislation currently stands. Once all three players have found their positions, they will go into the trialogue negotiations, which have a fundamental role in EU lawmaking.

Criticism of the ePrivacy Regulation

According to Süme, the ePrivacy Regulation is not complementary to the GDPR, it actually supersedes it. He criticizes the fact that there was no time to undertake an evaluation of the GDPR to identify potential gaps and figure out where potential rules are needed before the legislative process for the ePrivacy Regulation was set on course. He calls on the lawmakers to wait until we have gained initial experience with the GDPR before the ePrivacy Regulation is adopted.

Two points in particular were raised as criticism of the ePrivacy Regulation.

No risk-based approach to consent

Firstly, there is no risk-based approach to consent like in the GDPR. Consumers will constantly need to provide consent – which will lead to a situation where consumers cease to care about consent; they will not consider what they have consented to, and will not consider different levels of risk. 

No technology-neutrality

Technology is changing very fast, with new services emerging continuously. The legal framework cannot change at the same pace. According to Süme, the EU lawmakers used a very good approach when they drafted the e-Commerce Directive, drafting it in a way that allows it to be technology-neutral. Legislation must be technology-neutral, because otherwise it is too easily invalidated with new technological developments and the associated obsolescense of older technologies. On this point, the draft ePrivacy Regulation specifies browser settings and how to design them, making it very product-centered; as Süme pointed out, the problem is that no-one knows whether browsers will still be relevant in 5-10 years’ time.

When will the ePrivacy Regulation arrive?

As a next step, the EU Council has to find a common position – this can take a long time, especially since so far the two most important States (Germany and France) have not given their positions – in this kind of situation, the smaller States also remain quiet. Süme hypothesized that the lengthy period in which Germany was without a new government has contributed to the country not having prepared a position on the legislation yet, but he surmised that perhaps now a position is being worked on. Given the delay in the Council, Süme predicted that the trialogue negotiations will not start before the summer break – perhaps not until September or October 2018. However, in 2019 there will be EU elections, and if the trialogue negotiations are not finalized by then, the process will start all over again with the new government. As a result, there is no need for companies to panic about the draft legislation – even if the regulation were to come into force in 2019, there will be a grace period of at least one year. However, everything is under discussion, and nothing is written in stone as yet. It will take time before the ePrivacy Regulation will come into effect.