The ePrivacy Regulation: The Next European Initiative in Data Protection

While many are still digesting the changes brought about by the EU General Data Protection Regulation (GDPR), a new privacy regulation is already on its way. The Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications – in short, the ePrivacy Regulation – is currently a draft under discussion (the latest version by the EU Council was published on 13 March 2019).

Relationship Between the ePrivacy Regulation and the GDPR

Unlike the GDPR, the draft ePrivacy Regulation focuses on privacy with respect to electronic communication services and on the data processed by electronic communication services. This means that in relation to such communication services, the ePrivacy Regulation provides the specific obligations that flesh out the more general provisions of the GDPR. The draft ePrivacy Regulation covers more than just data protection law; it also relates to non-personal data, such as metadata. Lastly, the draft ePrivacy Regulation contains provisions on telecommunication confidentiality.

Background

The draft ePrivacy Regulation is meant to update and replace the current ePrivacy Directive, which, together with the GDPR, provides the current legal framework to ensure digital privacy for EU citizens. By changing from a directive to a regulation, the new rules will apply directly in all EU member states, and implementation into national laws will no longer be required. This promises a uniform set of rules in all member states. However, as the GDPR has shown, this probably sounds easier than it will be in practice.

Key Changes

In a nutshell, the main points of the draft ePrivacy Regulation include:

  1. While the existing ePrivacy Directive applies to emails and text messages (SMS), the new ePrivacy Regulation aims to also catch data created or processed by the newest forms of electronic communication, such as machine-to-machine communication (Internet of Things), internet telephony, and internet access provider services.
  2. The scope of the draft ePrivacy Regulation extends to more than just personal data – it covers certain non-personal data such as metadata. Not only does this further increase the compliance obligations for enterprises, it may also challenge data analytics schemes dealing with anonymized or aggregated data instead of personalized data, developed to allow big data business models.
  3. While many concepts of when and how data may be processed may essentially stay the same, the draft ePrivacy Regulation introduces new, additional obligations requiring enterprises to adapt their compliance systems. For example, Article 7 of the draft ePrivacy Regulation requires that enterprises delete electronic communications data after its receipt by the intended recipient. Such an obligation is new in many member states and would require operators to implement certain technical measures. It also raises questions about the ability to pursue certain communications, for example in relation to illegal content.
  4. The draft ePrivacy Regulation provides a clear, albeit more restrictive, legal framework for the use of cookies and similar tools that collect data from end-users’ equipment (e.g., mobile phones and laptops). The use of cookies will require that such cookies are necessary for the transmission or the security of the electronic communication service, or that the end-user has given consent. Previous drafts of the regulation contained several different ways in which such consent could be given. The most recent draft refers to giving consent to providers via white lists.

Outlook

The new draft ePrivacy Regulation has been approved by the EU Council. After the May 2019 European Parliament elections, negotiations on the regulation between the Council and the European Parliament will start. The ePrivacy Regulation will likely not enter into force before 2021, given it covers many different subjects (i.e., metadata, cookies, and telecommunications confidentiality).