ePrivacy Regulation vs GDPR: 4 Key Differences

The ePrivacy Regulation was set to come into force alongside the GDPR on May 25, 2018, but delays in the approval phase meant its implementation was delayed. 

Since then there have been 13 different drafts of the ePrivacy Regulation all of which have failed to get the green light for implementation. 

However, there is hope that the ePrivacy Regulation 2021 draft prepared by the Portuguese Presidency of the EU Council will eventually go one step better than the previous ones. 

You can read our blog post about the ePrivacy Regulation 2021 Draft Update.

Earmarked to replace the ePrivacy Directive (EU Cookie Law), the ePrivacy Regulation is concerned with the privacy of data business collect from EU residents just like the GDPR. 

But, specifically, the ePrivacy Regulation aims to protect the privacy of EU residents’ electronic communications content and its metadata. 

What this means is that the scope of the ePrivacy Regulation goes beyond personal data and it can include non-personal data such as Business-to-business communications (B2B). 

In contrast, the scope of the GDPR is limited to personal data. But, make no mistake, the two data privacy laws are not meant to work against each other. Instead, the ePrivacy Regulation is meant to complement the GDPR. 

In this article, we explore how the ePrivacy Regulation compares with the General Data Protection Regulation. 

Table of Contents

• What is the ePrivacy Regulation? 
• What is GDPR? 
• ePrivacy Regulation vs GDPR
  

What is the ePrivacy Regulation? 

The ePrivacy Regulation is a draft data protection legislation aimed to regulate the processing of EU residents’ personal data and metadata by electronic communications service providers.

Published on January 10, 2017, and intended to come into effect alongside the GDPR, the ePrivacy Regulation is intended to replace, and at the same time, expand the scope of the current ePrivacy Directive (adopted in 2002 and amended in 2009)  to include machine-to-machine data.

It applies to categories of data such as; 

• Personal experiences
• Medical data
• Sexual preference
• Political views 
• browsing history
• call logs
• Geographical location
• Electronic communications metadata such as call duration, traffic movements, time of call, or location.

What is the GDPR? 

The GDPR is the EU’s pioneer data privacy law meant adopted to protect the privacy rights of EU residents in relation to the collection, processing, or sharing of their personal data. 

The GDPR came into effect on May 25, 2018, and set the precedent for global data protection regulations that has seen other countries and jurisdictions adopt similar privacy laws. 

Notable ones include California’s CCPA and CPRA, Brazil’s LGPD, Virginia’s CDPA (CDPA for Marketers), as well as Thailand’s PDPA (Available in Thai),  but the list does not end here, more regulations are on the way.  Read our Thailand PDPA Summary. and the differences between GDPR and PDPA.

Examples of personal data you need to process in a GDPR-compliant way include; 

• a name and surname;
• a home address;
• an email address
• an ID card number;
• location data (for example the location data function on a mobile phone)*;
• an Internet Protocol (IP) address;
• a cookie ID;
• Medical records that can uniquely identify a person.

You can read more about the other global data privacy laws here.

Although ISO 27001 and GDPR are fundamentally different frameworks, but they share a lot of common principles in relation to data protection. Read about ISO 27001 Data Protection .

ePrivacy Regulation vs GDPR

1. Legal Basis

One of the core differences in the ePrivacy v GDPR discussion is the legal contexts of both regulations. 

On the one hand, the legal basis of the GDPR is to secure the fundamental rights and freedoms of EU citizens in relation to the right to the privacy of their personal data and facilitate legitimate personal data transfers in the Union.  Read all about the EDPB Schrems II Guidance on transferring data outside the EU.

In contrast, the ePrivacy Regulation, if adopted,  is founded on the need to streamline national regulations necessary to guarantee a standard level of protection of EU citizens’ fundamental rights and freedoms regarding the confidentiality of electronic communications content, metadata, and machine-to-machine data they share in their online interactions on platforms such as Skype, Slack, and Whatsapp.

2. Scope

 If the ePrivacy Regulation eventually becomes law, you will be expected to comply if; 

• You provide an electronic communications service 
• The service you offer is delivered over an electronic communications network 
• Your service and network are available publicly
• You offer the service and network within the EU 

Therefore, if your activities fall outside these conditions, you will not be expected to comply with the ePrivacy Directive. 

Example:  If you have a company network only accessible to your members of staff for work-related reasons, it does not count as being a “publicly available” electronic communications service. As such it falls outside the material scope of the ePrivacy Regulation.

On the other hand, the material scope of the GDPR extends to any kind of processing of EU residents’ personal data, irrespective of the kind of technology you rely on for this purpose. 

Therefore, you will not be expected to comply with the GDPR if;

• You do not process any personal data such as email address, phone number, and credit card information. 
• Your data processing activities are outside EU territory

3. Enforcement 

Who is responsible for compliance is one of the areas in the ePrivacy Regulation vs the GDPR debate that has generated significant interest from different stakeholders in the sector. 

In principle, the GDPR specifically gives the legal mandate of enforcing its provisions to independent national Data Protection Authorities (DPAs) within the EU if you are found to violate compliance requirements. 

This is not the case with the ePrivacy Regulation 2021 draft, which does not cite the cooperation and consistency mechanism as is the case with Chapter VII of the GDPR when it comes to enforcement. 

In fact, this issue was cited by the EDPB as potentially problematic for electronic communication service providers when it comes to compliance because you may be required to address up to 27 supervisory authorities if the current draft is adopted as is. 

Here is the full EDPB statement on the ePrivacy Regulation  2021 draft 

4. Cookie Walls

Simply put, it is illegal to have a cookie wall on your website under both the GDPR and ePrivacy Regulation draft 2021 

A cookie wall is a type of cookie banner that denies access to visitor access to a website unless the visitor consents to cookies, and does not give an easy way for them to easily withdraw their consent. 

Below is an example of a website with a cookie wall:

However, it appears that the ePrivacy Regulation 2021 draft proposal has an exception for the use of cookie walls;

A cookie wall could be acceptable if you give the user a choice between paying for a service or consenting to cookies so long as you give them clear, simple, and user-friendly information about why you use cookies on your website.

Example of an acceptable cookie wall if ePrivacy Regulation is adopted; 

ePrivacy Regulation, GDPR, and Secure Privacy

It is still unclear whether the ePrivacy Regulation will come into force in 2021, but talks are ongoing between the EU Council and the EU Parliament after a negotiating mandate for the current draft was agreed on 10th February 2021. 

If successful, these talks will pave the way for the drafting of the final text of the law. We will definitely be keeping an eye on that one and keep you updated as details emerge.

If you are looking to comply with GDPR, Secure Privacy offers a complete automation solution trusted by several leading companies that will help meet you all the compliance requirements in less than 1 week.

Alternatively, If you would like to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a 30-min call today.

Read ePrivacy Regulation Latests Blog Posts