February 16, 2021

    ePrivacy Regulation 2021 Update: 12 Key Takeaways for Businesses

    Finally, there is an ePrivacy Regulation 2021 status update and it comes in the form of the current  EU Council’s new draft proposal published on 10th February 2021.

    Finally, there is an ePrivacy Regulation 2021 status update and it comes in the form of the current  EU Council’s new draft proposal published on 10th February 2021.

    The latest ePrivacy Regulation draft has been proposed by the Portuguese Presidency of the EU Council that began on Jan 1, 2021.  

    An interesting fact is that it is the 14th overall draft tabled for approval.

    Notably, the ePrivacy Regulation 2021 draft proposal makes the text simple and shows significant alignment with the GDPR (General Data Protection Regulation). 

    If approved, the ePrivacy Regulation 2021 draft will establish new data processing requirements in relation to electronic communicationscookies, direct marketing, to name a few. 

    With that in mind, let us take a closer look at what you should expect in case the Portuguese Presidency’s ePrivacy Regulation draft is eventually adopted by the EU.

     Table of Contents

    • What is the Scope of the ePrivacy Regulation? 
    • How does the ePrivacy Regulation 2021 Draft Differ from Previous Proposals?
    • Will the ePrivacy Regulation Come into Force in 2021? 
    • Will the ePrivacy Regulation replace the GDPR?
    • What are the Key Differences between the ePrivacy Directive (EU Cookie Law) and the Proposed ePrivacy Regulation?
    • What is the ePrivacy Regulation 2021 Draft’s Position on Consent and Cookies?
    • What is the ePrivacy Regulation 2021 Draft’s Position on Processing Metadata?
    • What about the ePrivacy Regulation and Browser-Based Opt-Outs?
    • What does the ePrivacy Regulation 2021 Draft say About Direct Marketing Activities?
    • What are the Penalties for Non-compliance with the ePrivacy Regulation? 
    • What does Brexit Mean for the ePrivacy Regulation and UK Businesses?
    • What is the Position of the EDPB on the ePrivacy Regulation 2021 Draft?

    What is the Scope of the ePrivacy Regulation under the 2021 Draft Proposal? 

    The ePrivacy Regulation 2021 draft proposal seeks to protect the right of EU citizens to the confidentiality of their electronic communications content and metadata of that content. 

    The scope of the ePrivacy Regulation as envisaged by the 2021 draft also extends to machine-to-machine data transmitted over a public network. 

    The objective of this is to guarantee the privacy of users’ data when using Internet of Things (IoT) applications, which is still an emerging technology.

    If adopted, the latest draft will apply to the processing of personal data of users by electronic communication service providers and networks. 

    Therefore, you will be subject to the ePrivacy Regulation if you;

    • you process electronic communications content and metadata of EU residents
    • Process terminal equipment information of  EU citizens
    •  Provide a publicly available directory of end-users of electronic communications services; 
    • Send direct marketing communications to EU residents.

    Examples of businesses that will be subject to compliance if the ePrivacy Regulation 2021 draft is adopted include; 

    • Email service providers
    • Internet calling services e.g FaceTime and Whatsapp
    • Phone call service providers
    • Internet access service providers
    • Instant messaging apps e.g iOS Message
    • Personal messaging through social media platforms e.g. Twitter Direct Message

    Electronic communications are considered to contain highly sensitive user data shared. If the current ePrivacy Regulation draft passes, some of the data that you process that will be subject to compliance requirements includes; 

    • Personal experiences
    • Medical data
    • Sexual preference
    • Political views 
    • browsing history
    • call logs
    • Geographical location
    • Electronic communications metadata such as call duration, traffic movements, time of call, or location.

     How does the ePrivacy Regulation 2021 Draft Differ from Previous Proposals?

    Compared to previous proposals, the Portuguese Presidency’s ePrivacy Regulation draft simplifies the text of the law and provides a clear alignment with the GDPR. 

    The standout changes in the ePrivacy Regulation 2021 draft published on 10th February in comparison to previous ones include;

    • Broadening the scope of the regulation to apply to the processing of electronic communications data by businesses outside the European Economic Area (EEA).
    • Defining location data
    • Reintroducing provisions that permit the processing of electronic communications data for purposes that align with the initial purposes for collecting this data. 
    • Adding a requirement for businesses sharing anonymized statistical personal data from electronic communications with third parties to conduct Data Protection Impact Assessments and inform users about their intended data processing activities.
    • Allowing service providers to access personal data on users’ devices for the performance of a contract. The previous version permitted this only where it was technically necessary. The term ‘technically’ has been omitted. 

    Will the ePrivacy Regulation Come into Force in 2021? 

    No one knows yet, but, depending on the outcome of the Council’s talks with the EU Parliament, the ePrivacy Regulation will be adopted within 20 days after it is published in the EU’s Official Journal, followed by a grace period of 2 years before enforcement begins.  

    This is after EU member states agreed on a negotiating mandate for the ePrivacy Regulation 2021 draft proposal on 10th February 2021, which allows the Portuguese Presidency to open talks with the European Parliament. 

    If successful, these talks will pave the way for the drafting of the final text of the law. 

    It is important to remember that the ePrivacy Regulation was meant to come into effect in May 2018 alongside the GDPR, as a replacement for the ePrivacy Directive, also known as the ‘EU Cookie Law,’ which was adopted in 2002.

    However, it has been pushed back a couple of times since then because of significant lobbying from different stakeholders and institutional dialogues that resulted in delays in its implementation. 

    Will the ePrivacy Regulation replace the GDPR?

    No. The ePrivacy Regulation is not meant to be a substitute for the GDPR. It's designed to complement it.

     The GDPR provides an oversight framework for activities involving the processing of personal data. 

    On the other hand, the ePrivacy Regulation focuses on supporting the GDPR’s general requirements by providing specific rules to govern the confidentiality of electronic communications of EU residents. 

    Since the GDPR focuses specifically on personal data while the scope of the ePrivacy Regulation can cover not only personal data, but also B2B data, it is likely that the ePrivacy Regulation may take precedent over the GDPR in instances where both laws are applicable. 

    What are the Key Differences between the ePrivacy Directive (EU Cookie Law) and the Proposed ePrivacy Regulation?

    If the ePrivacy Regulation 2021 draft proposal is adopted, it will expand the 2002 ePrivacy Directive’s scope to incorporate emerging technologies such as;

    • Instant messaging apps and VoIP (Voice over Internet Protocol) platforms, 
    • Machine-to-machine communications such as the IoT (Internet of Things).

    Since the final text is yet to be agreed upon, it is impossible to provide a clear breakdown of how the ePrivacy Directive differs from the ePrivacy Regulation for now. 

    But, we will be sure to keep you updated on the developments with regards to these data protection legislations as they emerge.

    What is the ePrivacy Regulation 2021 Draft’s Position on Consent and Cookies? 

    The ePrivacy Regulation 2021 draft makes it clear that your user’s device whether hardware or software may hold highly sensitive personal data e.g photos or lists of contacts. 

    For this reason, you need the user’s explicit consent before you collect, store, or process this personal data. To achieve this, you must;

    • Give users genuine choice whether to accept cookies and other related tracking technologies or not. 

    This is Secure Privacy’s GDPR compliant cookie banner that allows you to give your users control over their cookie consent choices

    cookie settings

    When it comes to cookie walls, the latest ePrivacy Regulation draft makes it clear that cookie walls are illegal. 

    A cookie wall is a type of cookie banner that denies access to visitor access to a website unless the visitor consents to cookies, and does not provide a mechanism for them to easily withdraw their consent. 

    Below is an example of a website with a cookie wall:

    accept cookies

    However, it appears that the ePrivacy Regulation 2021 draft proposal has an exception for the use of cookie walls; 

    • a cookie wall could be acceptable if you give the user a choice between paying for a service or consenting to cookies so long as you give them clear, simple, and user-friendly information about why you use cookies on your website. 

    Here is an example of an acceptable cookie wall if the ePrivacy Regulation 2021 draft is eventually adopted.

    cookie example eprivacy regulation

    Nonetheless, where it is required, you will be expected to ensure that the cookie consent you obtain is valid. 

    To achieve this the ePrivacy Regulation 2021 draft clearly states that you need to comply with GDPR cookie consent requirements.

    Check out our blog for a detailed breakdown of how to obtain valid GDPR cookie consent.

    You can also watch our simplified video of what valid GDPR cookie consent entails here.

    What is the ePrivacy Regulation 2021 Draft’s Position on Processing Electronic Communications Metadata?

    Being one of the areas that generated significant interest from the previous draft in relation to the applicability of the GDPR data processing legal bases - consent and legitimate interest - it is not any different with the ePrivacy Regulation 2021 draft. 

    If you are an electronic communications network or service provider, you must obtain prior consent from the user before you process their electronic communications metadata.

    One of the exceptions where you do not need consent to process metadata is when you do so in situations that are necessary to provide an electronic communications service because you are bound by either;

    • A contract with the end-user in question, or;
    • Billing the user due to an existing contract

    However, if your processing of a user’s metadata can pose high risks to the confidentiality rights of the user when providing a service;

    •  you must carry out a Data Protection Impact Assessment  (DPIA), and in some cases, consult a Data Protection Authority (DPA) before processing to comply with Articles 35 and 36 of the GDPR. 

    Other exceptions include when; 

    • You process electronic communications metadata to protect an interest which is essential for the life of users e.g for humanitarian emergencies, including  monitoring epidemics and their spread 
    • You process electronic communication metadata for scientific research or statistical purposes, although you must guarantee the privacy of end-users by implementing appropriate data security measures such as anonymization or encryption.
    • where you are subject to EU or member states’ law for the prosecution of criminal offenses or prevention of threats to national security

    What does the ePrivacy Regulation 2021 Draft Say about Browser-Based Opt-Outs?

    If you intend to use tracking cookies in a GDPR compliant way, you need a cookie banner. However, cookie banners are unpopular to some people.

    A cross-section of previous drafts proposed a requirement for browser software companies to explain cookies to their users during the setup process such that users could then block or consent to all tracking cookies by default.

    However, questions were raised since this would create significant challenges for online advertisers. 

    Additionally, it would contradict the GDPR's requirement that consent must be  "specific."

    To address what the ePrivacy Regulation 2021 draft terms as ‘cookie consent fatigue,’ the Portuguese presidency proposes that end-users should be given a mechanism to give or withdraw consent to the use of certain types of cookies by whitelisting one or several providers easily within their browser settings.

    While this means users will manage their cookie consents via their browser settings if the ePrivacy Regulation 2021 draft is adopted, it does not spell doom for the adtech industry as we know it.

    What does the ePrivacy Regulation 2021 Draft say About Direct Marketing Activities?

    According to the ePrivacy Regulation 2021 draft, direct marketing refers to any kind of advertising sent directly to an identifiable user through publicly available electronic communication channels. These channels can be; 

    • Automated calling
    • Instant messaging apps
    • Emails
    • SMS
    • MMS
    • Bluetooth
    • Fax. 
    1. If you rely on any of these communication systems, you will be required to obtain consent from users before sending them any marketing messages.  

    You can send a direct marketing message without a user’s prior consent only if;

    • You already have the user’s contact details from an existing customer relationship, and the purpose of communication is to offer a similar product or service.

    But even with this exception, the ePrivacy Regulation 2021 draft makes it clear that you have to do this in compliance with GDPR requirements. 

    1. If a user gives you consent for direct marketing communications, you should still make it easy for them to withdraw their consent at any time, in a simple process, and at no cost to them. 

    Since they have an absolute right to object to these communications, you must stop immediately once consent is withdrawn

    1. You also need to ensure you give the user your identity, and where applicable, on whose behalf you are sending the marketing message.

     You will be fined if you use;

    • A False identity
    • A False return address
    • A false contact number
    1. Another provision in the ePrivacy Regulation 2021 draft when it comes to direct marketing is the fact that you must give users all the information they need to know. Among other things, you must make them aware of;
    • Their right to object to marketing communications
    • Their right to withdraw consent that they may have given earlier
    • You intend to use their personal information for marketing purposes

    What are the Penalties for Non-compliance with the ePrivacy Regulation? 

    The ePrivacy Regulation 2021 draft proposes similar fines to the ones under the GDPR regime, with a maximum penalty of €20 million or 4% of a non-compliant organization’s global annual revenue, whichever is greater.

    What does Brexit Mean for the ePrivacy Regulation and UK Businesses?

    Well, it is still unclear whether the UK will enforce the ePrivacy Regulation in full or partially after Brexit if the Portuguese Presidency’s draft is adopted. 

    However, there is a possibility Britain will in all likelihood align itself with the EU to accelerate the adequacy decision.

    Learn more about Brexit and what it means for UK Businesses’ compliance with the GDPR in our blog

    What is the Position of the EDPB on the ePrivacy Regulation 2021 Draft?

    In response to the latest ePrivacy Regulation proposal by the Portuguese Presidency, the European Data Protection Board (EPDB) swiftly released a statement expressing concerns. 

    The EDPB underlined the need to further support the guarantees outlined in the ePrivacy Regulation 2021 draft. 

    The proposals brought forth by the EDPB with an eye on bolstering the current ePrivacy Regulation draft are:

    • Permitting the processing of electronic communications metadata without consent only in an anonymized form
    • Making amendments to the GDPR to expand its scope and offer protection for all electronic communications and their confidentiality
    • Instituting a single point of contact for all personal data processing operations subject to the ePrivacy Regulation.
    • Having a single mechanism of oversight by only having authorities created pursuant to the GDPR as responsible for examining the processing of personal data that falls under the scope of the ePrivacy Regulation. 

    If you would like to get all your questions about the ePrivacy Regulation answered by a data privacy legal expert, book a 30-min call and we will be more than happy to help your compliance efforts.

    Secure Privacy dashboard

    Want to try
    Secure Privacy?

    Get your free cookie banner up and running today!

    Blog posts
    That also interest you