The Council of the European Union (“Council”) has predicted that the ePrivacy Regulation will not come into force by 25 May 2018. The ePrivacy Directive (Directive 2002/58/EC) will, therefore, continue to apply.
The new ePrivacy Regulation
The new European data protection regime will enter into force in about one year. The General Data Protection Regulation (“GDPR”) will provide the general framework.
Besides the GDPR, the European Commission has adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”) on 10 January 2017. The ePrivacy Regulation will provide specific data protection rules for the online space on cookies, online communications, analytics and spamming. It seeks to align the rules for electronic communications with the new standards of the GDPR. We have previously provided a summary of the main provisions of the proposed ePrivacy Regulation here.
The January draft of the ePrivacy Regulation was – rightfully – criticized heavily from various stakeholders. The online community criticized, for example, the various consent requirements in context of website analytics, and that it covers OTT. The ePrivacy Regulation is currently under review.
Review by Council
The ePrivacy Regulation was originally planned to enter into force 25 May 2018 – together with the GDPR. While many have already questioned the timeline, the Council stated in a Report on the ePrivacy Regulation of 19 May 2017 that the proposed date of application is “unrealistic”.
Some of the most important issues raised by the Council in its review of the ePrivacy Regulation include:
- A detailed analysis of possible overlaps, duplications or contradictions with other legislation, including the GDPR, is necessary.
- The impact of the extension of scope of the ePrivacy Regulation to over-the-top players needs clearer explanations.
- It is unclear if the proposed solution for cookies (consent via browser settings) will achieve its objectives. The impact on online advertising companies must be further analysed.
The Council will continue its analysis until approximately end of June 2017.
Review by WP29
On 4 April 2017, the Article 29 Working Party (“WP29”) has also issued an Opinion on the ePrivacy Regulation. WP29 stated that it generally welcomes the ePrivacy Regulation and the approach chosen in the Regulation of broad prohibitions and narrow exceptions, and the targeted application of the concept of consent. However, WP29 also raised concerns that the ePrivacy Regulation would lower the level of protection enjoyed under the GDPR regarding (i) the tracking of location of terminal equipment, (ii) the conditions under which analysis of content and metadata is allowed, (iii) the default settings of terminal equipment, and (iv) tracking walls.
What’s next?
It remains to be seen when the ePrivacy Regulation will enter into force and what its final content will look like. Organizations that are getting ready for the new data protection regime – in particular those that use cookies and direct marketing – should continue to follow the developments regarding the ePrivacy Regulation, and review their respective processes. However, as the GDPR will also provide for the basis for data protection in the online space, organizations should continue to include online data protection into their GDPR readiness plans.
The new ePrivacy Regulation will be just as important for organizations as the GDPR. A violation could also lead to fines of up to EUR20 million or 4% of the worldwide annual turnover.