ePrivacy Regulation: What the Recent Delays Mean for Businesses
In November 2019, the latest draft proposal of the ePrivacy Regulation, which is earmarked to replace the ePrivacy Directive, was rejected by the EU Council.
The latest rejection of the ePrivacy Regulation draft proposal implies that this regulation may not come into effect in 2020, as was widely anticipated (see ePrivacy Regulation 2021 Draft Update and our 2022 ePrivacy Regulation update).
While opponents of this regulation will be pleased by November’s outcome, businesses are left in a position where they need to deal with various challenges connected to the current setup.
What is the Current Status of the ePrivacy Regulation?
The existing ePrivacy Directive, which is reinforced by the EU Member State regulations that enforce it, deals with digital marketing, the utilization of cookies and other tracking technologies, as well as privacy in electronic communications. As such, the EU’s efforts to replace the ePrivacy Directive have been focused on these key areas.
Essentially, if the ePrivacy Regulation is approved, it is expected to reform the following areas:
- The scope and territorial application
- The use of cookies and other related tracking technologies
- New guidelines for the management of electronic communications data
- Penalties
- Direct Marketing
The Scope and Territorial Enforcement
The current draft proposal of the ePrivacy Regulation would expand the reach of the existing ePrivacy Directive to cover Over-the-Top communication services (OTTs) as well as communications between Internet of Things (IoT) gadgets.
Similarly, the ePrivacy Regulation would expand the territorial application of the ePrivacy Directive in that it will be directly enforceable in every EU member state and will not need national laws for its enforcement.
The Use of Cookies and Related Tracking Technologies
The draft proposes a different tack to gaining end-users’ consent to the storage of cookies. Essentially, it suggests that providers of browsers and related software provide a range of privacy configurations at the point of installation.
If approved, this requirement may eliminate the need for cookie banners. More importantly, it would mean that a smaller number of cookies will need consent.
Primarily, they would include those that are strictly necessary, as well as those that are used for purposes such as form filling, language preferences, and shopping cart functionalities.
New Guidelines for the Management of Electronic Communications Data
Apart from a limited set of legally-defined circumstances, the interception of electronic communications information will be illegal without the consent of the consumer involved.
It is important to note that electronic communications information comprises both content and metadata.
Penalties
If passed, the ePrivacy Regulation will reinforce GDPR’s stringent fines that are characterized by penalties of up to 20 million Euros or 4% of a company’s global revenue for specific violations.
Furthermore, the regulation would offer consumers the opportunity to file compensation lawsuits.
Direct Marketing
The ePrivacy Regulation also seeks to expand direct marketing oversight guidelines by looking to introduce opt-in consent to OTTs such as instant messaging and in-app alerts.
The initial objective was to have the ePrivacy Regulation introduced alongside the General Data Protection Regulation (GDPR). However, this aim was not realized as the draft proposals have been subjected to several delays.
For instance, under the Finnish Presidency of the EU, the proposal has been reviewed 10 times. In fact, the most recent draft was due to be tabled in the Transport, Telecommunications, and Energy Council on December 3, 2019.
Nonetheless, this move failed to garner adequate support in the European Economic and Social Committee. For this reason, it is back to the drawing board in 2020 under the Croatian presidency.
Why is the Adoption of the ePrivacy Regulation being Delayed?
One of the core objectives of this law is to provide a forward-looking regulation that covers the advancements in machine-to-machine communications and the Internet of Things (IoT), which are areas beyond the scope of the existing ePrivacy Directive.
Nonetheless, several concerns were raised about precisely how the ePrivacy Regulation would work with these emerging technologies.
Other areas of concern that are creating resolution challenges include:
- The protection of data stored in a gadget such as a cellphone, especially in the context of ad-supported web platforms, and whether, in this setting, GDPR-level consent (ePrivacy Regulation vs GDPR) is necessary for the utilization of promotional cookies or whether some kind of acceptance is enough
- The handling of electronic communications data for the purposes of prevention of child abuse imagery
- Data retention
- The processing of information from electronic communications for the mitigation of heinous crimes including terror-prevention strategies
How are Businesses affected by the ePrivacy Regulation’s Delays?
Characteristically, no change is good for business. Provided that your corporate practices are compliant with current laws and regulations, you are on the safe side.
Nonetheless, the sustained failed attempts to reach consensus over the ePrivacy Regulation leave companies in a precarious position.
Essentially:
- The ePrivacy Directive is significantly obsolete in that applying its requirements to specific sectors such as ad tech and emerging technologies such as IoT and AI is often characterized by significant ambiguities.
- The failure to find harmonized enforcement across EU member states makes compliance with regulations on direct marketing and the utilization of cookies challenging for businesses, especially those that operate in more than a single EU member state.
- Some of the ambiguities between the ePrivacy Directive and the GDPR create resolution challenges, especially in relation to the use of cookies and other tracking technologies as illustrated by the Planet49 case.