On 8 September 2017, the European Council published its first revisions (“Revised Draft”) to the draft EU ePrivacy Regulation (version COM(2017) 10 of 10 January 2017, “ePrivacy Regulation”). The Revised Draft is based on the discussions held in previous meetings of the European Union’s Working Party for Telecommunications and Information Society (“WP TELE”), and on comments provided by delegations.
The Revised Draft
The Revised Draft aims for clarifications compared with the previous draft by the European Commission, and outlines issues to be discussed in further WP TELE meetings. The Revised Draft does not make changes to the general scope addressed by the ePrivacy Regulation. It tries, however, to be clearer about the territorial scope of applicability of the ePrivacy Regulation, and also about excluding legal entities from the definition of data subjects. Even in the form of the Revised Draft, the ePrivacy Regulation seems like an “elephant” that hampers innovation in Europe.
In terms of tracking technologies and commercial communications, the proposed amendments include, inter alia, the following elements:
The ePrivacy Regulation already included the obligation to remind users of their possibility to withdraw the consent. However, the Revised Draft extends the time period for the reminder from six to 12 months (Article 4a (3) of the Revised Draft).
Regarding direct marketing communications (e.g., email or push notification marketing), the Revised Draft does not suggest substantial changes to the ePrivacy Regulation. The general consent requirement remains unaffected – for B2C and also for B2B communications.
The Revised Draft clarifies that the scope of the direct marketing provision should cover all kinds of direct marketing messages. Therefore, the wording of the provision now includes any direct marketing communications that are sent or presented to end-users, including push messages and similar technologies (Article 16 of the Revised Draft).
The Revised Draft has also introduced a new possibility of class actions for end-users who are natural persons. This shall ensure consistency with the GDPR (Article 21 (1a) of the Revised Draft).
The European Council pointed out that the Revised Draft is only a first draft, focussing on the main part of the regulation, and will be followed by an examination of the recitals at a later date. An important topic still to be further explored is, e.g., the “lex specialis” relation of the ePrivacy Regulation to the General Data Protection Regulation (“GDPR”). Additional WP TELE meetings are being held until 25 September 2017. The next step will then be the release of a draft proposal of the European Parliament. Afterwards, the European Commission, the European Council and the European Parliament will debate all proposals in trilogue discussions.
The ePrivacy Regulation is still not sufficiently innovation-friendly and certainly in some passages too far away from real life (e.g., tracking consent or B2B commercial mailings). As there are still many steps to take, it is unlikely that the ePrivacy Regulation will enter into force by the ambitious deadline of 25 May 2018, in tandem with the GDPR. We expect a final text by the end of this year at the earliest, followed by a 12-month grace period for organizations to get ready.
The final version of the ePrivacy Regulation will affect similar processing activities as the GDPR which will enter into force by 25 May 2018. Organizations must have in mind the upcoming ePrivacy Regulation when getting ready for GDPR. However, very likely, organizations will have to go through a second wave of getting ready for EU-privacy rules once the final text of the ePrivacy Regulation is available.