ePrivacy Regulation: What the Recent Delays Mean for Businesses
In November 2019, the ePrivacy Regulation's latest draft proposal, which is earmarked to replace the ePrivacy Directive was rejected by the EU council.
In November 2019, the ePrivacy Regulation's latest draft proposal, which is earmarked to replace the ePrivacy Directive was rejected by the EU council.
The latest rejection of the ePrivacy Regulation draft proposal implies that this regulation may not come into effect in 2020 (see ePrivacy Regulation 2021 Draft Update and our 2022 ePrivacy Regulation update) as it was widely anticipated.
While opponents of this regulation will be pleased by November’s outcome, businesses are left in a position where they need to deal with various challenges connected to the current setup.
What is the Current Status of the ePrivacy Regulation?
The existing ePrivacy Directive, which is reinforced by the EU Member State regulations that enforce it deals with digital marketing, the utilization of cookies and other tracking technologies, as well as the privacy in electronic communications. As such, the EU’s efforts to replace the ePrivacy Directive have been focused on these key areas.
Essentially, if the ePrivacy Regulation is approved, it is expected to reform the following areas;
- The scope and territorial application
- The use of cookies and other related tracking technologies
- New guidelines for the management of electronic communications data
- Penalties
- Direct Marketing
The Scope and Territorial Enforcement
The current draft proposal of the ePrivacy Regulation would expand the reach of the existing ePrivacy Directive to cover Over-the-Top communication services (OTTs) as well as communications between the Internet of Things (IoT) gadgets.
Similarly, the ePrivacy Regulation would expand the territorial application of the ePrivacy Directive in that it will be directly enforceable in every EU member state and will not need national laws for its enforcement.
The Use of Cookies and Related Tracking Technologies
The draft proposes a different tact to gaining end-users’ consent to the storage of cookies. Essentially, it suggests that providers of browsers and related software provide a range of privacy configurations at the point of installation.
If approved, this requirement may eliminate the need for cookie banners. More importantly, it would mean that a smaller number of cookies will need consent.
Primarily, they would include those that are strictly necessary, as well as those that are used for purposes such as form filling, language preferences, and shopping cart functionalities.
New Guidelines for the Management of Electronic Communications Data
Apart from a limited set of legally-defined circumstances, the interception of electronic communications information will be illegal without the consent of the consumer involved.
It is important to note that electronic communications information comprises both content and metadata.
Penalties
If passed, the ePrivacy Regulation will reinforce GDPR’s stringent fines that are characterized by penalties of up to 20 million Euros or 4% of a company’s global revenue for specific violations.
Furthermore, the regulation would offer consumers the opportunity to file compensation lawsuits.
Direct Marketing
The ePrivacy Regulation also seeks to expand direct marketing oversight guidelines by looking to introduce opt-in consent to OTTs such as instant messaging and in-app alerts.
The initial objective was to have the ePrivacy Regulation introduced alongside the General Data Protection Regulation (GDPR). However, this aim was not realized as the draft proposals have been subjected to several delays.
For instance, under the Finnish Presidency of the EU, the proposal has been reviewed 10 times. In fact, the most recent draft was due to be tabled in the Transport, Telecommunications, and Energy Council on December 3, 2019.
Nonetheless, this move failed to garner adequate support in the European Economic and Social Committee. For this reason, it is back to the drawing board in 2020 under the Croatian presidency.
Why is the Adoption of the ePrivacy Regulation being Delayed?
One of the core objectives of this law is to provide a futuristic regulation to cover for the advancements in machine-to-machine communications and the Internet of Things (IoT), which are areas beyond the scope of the existing ePrivacy Directive.
Nonetheless, several issues were lodged with precisely how the ePrivacy Regulation would work with these emerging technologies.
Other areas of concern that are creating resolution challenges include;
- The protection of data stored in a gadget such as a cellphone, especially in the context of ad-supported web platforms, and whether, in this setting, GDPR-level consent (ePrivacy Regulation vs GDPR) is necessary for the utilization of promotional cookies or whether some kind of acceptance is enough
- The handling of electronic communications data for the purposes of prevention of child abuse imagery
- Data retention
- The processing of information from electronic communications for the mitigation of heinous crimes including terror-prevention strategies
How are Businesses affected by the ePrivacy Regulation’s Delays?
Characteristically, no change is good for business. Granted that your corporate practices are compliant with current laws and regulations, you are on the safe side.
Nonetheless, the sustained failed attempts to reach consensus over the ePrivacy Regulation leaves companies in a precarious position.
Essentially;
- The ePrivacy Directive is significantly obsolete in that applying its requirements to specific sectors such as ad tech and emerging technologies such as IoT and AI is often characterized by significant ambiguities.
- The failure to find harmonized enforcement across EU member states makes compliance with regulations on direct marketing and the utilization of cookies challenging for businesses, especially those that operate in more than a single EU member state.
- Some of the ambiguities between the ePrivacy Directive and the GDPR create resolution challenges, especially in relation to the use of cookies and other tracking technologies as illustrated by the Planet49 case.
If you have any questions or concerns regarding the ePrivacy Regulation, book a call with us today and get tailored support for your business from a data privacy law expert.
Additional Resources;
Get all your FAQs about the ePrivacy Regulation answered with our comprehensive guide
Download your free ePrivacy Regulation e-book today
The American Privacy Rights Act: The Federal US Data Privacy Bill's Essentials
Discover the ins and outs of the American Privacy Rights Act (APRA), a proposed federal privacy law in the US. Learn about its implications for businesses, compliance obligations, consumer rights, and how it compares to existing regulations.
- USA
Understanding the New Zealand Privacy Act 2020 and Its Information Privacy Principles
Explore the intricacies of the New Zealand Privacy Act 2020, its Information Privacy Principles, and their impact on businesses. Learn about compliance requirements, consumer rights, and enforcement mechanisms.
EDPB Opinion on Meta "Pay or Okay" and What It Means for Your Operations in the EU
Dive into the European Data Protection Board's (EDPB) opinion on Meta's 'Pay or Okay' model and its ramifications for businesses in the EU. Understand the requirements, alternatives, and potential impacts on large online platforms and media publishing businesses.
- Europe GDPR