ePrivacy Regulation update
Four years on from the first draft of the proposed ePrivacy Regulation and an impressive fourteen drafts later, is the end in sight?
This month saw a significant leap forward as the Council of the European Union reached agreement on a mandate for negotiating the final text with the European Parliament and European Commission.
Okay, ‘leap’ is probably being too dramatic! A significant milestone yes, but it’s still likely to take months before a final version can be agreed and adopted. And there’s plenty of room for the text to deviate from where we are now.
What is the ePrivacy Regulation?
Just to recap, the purpose of the ePrivacy Regulation is to overhaul the EU ePrivacy Directive of 2002 (and subsequent amendments) . This governs the processing of personal data and privacy with regard to electronic communications.
The current Directive, by its very nature is interpreted rather differently across EU Member States and gives us a myriad of rules to navigate if we want to communicate across Europe.
For example, the UK’s own law derived from the EU Directive is called the Privacy and Electronic Communications Regulations (known as PECR) and has different rules for electronic marketing than you’d find in Spain or Germany.
The aim of the new ePrivacy Regulation is to update the rules to reflect significant technological developments and to align these rules across the EU, alongside GDPR. No small task!
As a Regulation rather than a Directive, the hope is for harmonisation – the same rules across all EU Member States. Leaving less wriggle-room for individual Member States to interpret the rules in differing ways.
At a top-level, this complex new legislation sets out to cover areas such as:
- Electronic communications to individuals (e.g. email, SMS and telephone marketing)
- Electronic communications metadata, including geo-location data
- Machine-to-machine communications
I remember reading concerns raised that many Data Protection Officers are unlikely to have sufficient knowledge and skills to understand the legislation fully due to it’s complexity.
Some believe this complexity means full agreement will be impossible to achieve, and that either the Regulation is doomed or it will emerge with a number of areas where individual Member States can still go their own way.
When could the ePrivacy Regulation be enforced?
Once finalised and adopted, it’s proposed there will be a two year transition period (like there was with GDPR) to give businesses time to prepare and comply with the new rules.
So, IF the Regulation was to be finalised later this year, it wouldn’t be enforced until 2023.
What about Brexit?
The UK, in theory, won’t have to adopt this EU Regulation. But in practice may decide it makes sense to implement it into UK law, so there is a parity with European counterparts.
It’s worth noting the Brexit trade deal commits both parties to upholding high standards of data protection.
Ultimately we’ll have to wait and see what stance the UK takes. Either way, a new EU Regulation would still impact, for example, on organisations that send electronic communications to EU citizens.
What else has been happening?
In an attempt to keep pace with the rapidly evolving tech landscape, the EU has already started to implement elements of the ePrivacy Regulation into other laws.
For example, since December 2020 the European Electronic Communications Code has required EU Member States to amend their telecommunications laws by expanding the definition of “”Electronic Communications Services” in to include so-called “Over-the-Top-Services” such as messaging services – such as WhatsApp or Zoom.
What are the next steps?
The Council of the EU, the European Parliament and the European Commission will now start trialogue negotiations to agree the final text.
Philippa Donn, February 2021
Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.