ePrivacy Regulation: Breaking it down

The ePrivacy Regulation gasps, alive, after an extended period of uncertainty. In a press release on February 10, the EU Council announced an agreement on “a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services.” The updated rules will define “cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices.”

What is the ePrivacy Regulation?

The ePrivacy Regulation was originally supposed to come into effect alongside the General Data Protection Regulation (GDPR), updating the ePrivacy Directive of 2002. That ambitious timeline has come and gone.

When the original ePrivacy Directive 2002 came into force, iPhones were still five years away. An update to the directive is necessary to cater to new technological developments such as the widespread use of telecommunications technology, an explosion in messaging services, and the continued expansion of services connected over the internet (the Internet of Things).

The ePrivacy Regulation will be lex specialis to the GDPR and complement the latter, but where both laws govern the same situation, the ePrivacy Regulation will override the GDPR. The ePrivacy Regulation will also bring a sense of uniformity across the EU. Whereas Directives lay out results to be achieved by member states, who then enact national legislation, the ePrivacy Regulation will be legally binding across the EU.

What is lex specialis?

Lex specialis is the legal term for a specific law taking precedence over a more general one. Because the ePrivacy Regulation is lex specialis to the GDPR, where the GDPR and the ePrivacy Regulation govern the same issue, the ePrivacy Regulation will have primacy.

What does the ePrivacy mandate say?

The ePrivacy proposal expands rules covering “electronic communications content transmitted using publicly available services and networks,” including metadata related to communications. (Metadata can be thought of as data about data and includes information on location, time, and recipient of the communication.)

Ad Tech and Cookie Compliance again come under the microscope, and the proposal states that users “should have genuine choice on whether to accept cookies or similar identifiers.” The proposal also adopts whitelisting from the GDPR. This means that users can provide consent to the use of certain cookies or providers in their browser settings.

Of particular importance to businesses, proposed penalties for noncompliance will be the same as the GDPR, up to €20 million or 4% of global turnover, whichever is higher.

Another issue relates to encryption. In 2017, the EU Parliament backed end-to-end encryption, but notably left out any mention of in its public comment. This is worrying as the EU Council advocates for lawful access to encrypted data.

When would ePrivacy Regulation Apply?

The regulation will apply when end-users are in the EU and will affect many services used daily, including Zoom, WhatsApp, Facebook Messenger, and Gmail. It also covers cases where the service provider or the processing is located outside of the EU. In addition, a new layer of consent limits the processing of information on terminal equipment, like smartphones and watches, that contains “highly personal information.”

What does the ePrivacy Regulation mean for Data Privacy?

As a general rule, electronic communications will be confidential. There is of course a tension between privacy and national security, and exceptions to the consent requirements will apply in cases where EU or member states’ law requires it. This is a concern for privacy advocates and represents what one commentator called a “mix of judicial imperialism and Eurocentric hypocrisy.” Those comments were made in reaction to the CJEU’s decision in Schrems II, where the court rejected the adequacy of the EU-US data transfer agreement, in part based on American surveillance practices. They remain relevant in the current context, as the CJEU (Court of Justice of the European Union) acknowledged it had “no authority to elaborate or enforce these rights against any of the EU’s member states.” The decision of the CJEU acknowledges the primacy of national security over privacy as a fundamental right.

Access Now, a privacy advocacy organisation, has called for restoring requirements for service providers to protect online users’ privacy by default and to establish clear rules against online tracking beyond the use of cookies. In particular, it challenges “dark patterns” that present a digital obstacle course to unsubscribing, and calls for “do not sell” buttons akin to those under the California Privacy Rights Act.

The German Federal Commission for Data Protection and Freedom of Information (BfDI) also released a statement critical of the Council’s position, arguing that the ePrivacy Regulation in its current form would be a serious blow to data protection. The removal of the right to object to processing, as well as of the data protection impact assessment requirements, was highlighted as a concern.

What happens next?

As part of the “trilogue process,” the European Commission, the Council of the EU, and the European Parliament will begin negotiating an agreed version of the Regulation.

While there is certainly room for improvement, we can optimistically look towards a future ePrivacy Regulation updating the Directive and complementing the GDPR. Although the Regulation seemed dead in the water, it has been revived, with the Portuguese Presidency of the Council moving negotiations forward. We will see how things play out, with important consequences to come for the discussion of privacy in electronic communications and online tracking.
