The proposal for a Regulation on Privacy and Electronic Communications, also known as the ePrivacy Regulation, is a law being prepared by the EU Commission.
Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.
Once applied, the ePrivacy Regulation will replace the ePrivacy Directive from 2002.
Many might know the ePrivacy Directive by its nickname, “The Cookie Law”, since one of its most noticeable impacts was the cookie consent pop-ups that appeared on most websites in its wake.
Once the ePrivacy Directive is replaced by the ePrivacy Regulation, the legislation will automatically apply in all EU nations.
That, in fact, is the key difference between a regulation and a directive: Whereas regulations automatically become legally binding throughout the EU on the date they take effect, directives must be incorporated into national law by EU countries.
With a directive, the countries are required to achieve a certain result, but are free to choose how to do so. However, the Regulation is not simply a stronger version of the Directive.
The proposed Regulation is based on a thorough evaluation of the Directive, and addresses shortcomings in the Directive on the one hand, and digital and legislative developments (such as the GDPR) that have occurred since its last revision in 2009, on the other.
National governments in all 28 European countries (including the UK) have had the opportunity to react to the proposed Regulation.
Currently, the EU Commission, the EU Parliament and the EU Council are discussing, in so-called “trialogue negotiations”, what will become the finalized and official Regulation text.
The ePrivacy Regulation, originally planned to be approved simultaneously with the enforcement of the GDPR, will probably be finalized sometime in 2019.
Thereafter, a period of adaptation will follow, before the ePrivacy Regulation is actually enforced as EU law.
The GDPR followed the same pattern: it was approved on 14 April 2016 and enforced two years later, on 25 May 2018.
Cookies are an important matter - and a matter of dispute - in the negotiations concerning the final phrasing of the ePrivacy Regulation.
The proposed Regulation attempts to address the “consent fatigue” caused by the Cookie Law.
The problem with consent in the ePrivacy Directive is that it has been interpreted in most countries as a requirement for a simple consent banner like the following:
This has proved to be highly ineffective, because:
The Regulation is therefore attempting to make changes to the way in which trackers may ask for consent for setting cookies and tracking users.
The evaluation of the Directive concludes that the current consent rule is both over-inclusive and under-inclusive:
However, here is a list of requirements for cookies and online tracking from the latest draft.
Those readers familiar with the requirements in the GDPR will notice redundancies. In fact, many of the rules in the ePrivacy Regulation are similar to the ones described by the GDPR.
As we describe later in this article, the ePrivacy Regulation will, once enforced, complement (and override!) the GDPR when it comes to cases within the electronic communications sector.
The ePrivacy Regulation was originally aimed to be approved in the EU together with the implementation of the GDPR, on 25 May 2018.
However, this schedule quickly proved to be too ambitious.
At last notice, the Regulation will be finalized sometime in 2019.
Thereafter, a period of adaptation will follow, before the regulation is applied.
If we dare to take the process of the GDPR as an example, one might guess that the ePrivacy Regulation will enter into force in 2021.
However, indications are that the ePrivacy Regulation will be even more encompassing and restrictive than the GDPR when it comes to preventing tracking and protecting personal data on the internet.
It is therefore being strongly criticized for working against the internet economy and crippling entire sectors, such as publishing and digital media.
10 January 2017: Presentation of first draft by the EU Commission
The first official draft of the new ePrivacy Regulation is presented by the EU Commission. The proposed Regulation should replace the ePrivacy Directive (Directive 2009/136/EC) and clarify and supplement the GDPR, with regard to personal electronic communications data. This draft of the planned ePrivacy Regulation is forwarded to the EU Parliament and Council.
19 October 2017: Adoption of draft in the EU Parliament
After lengthy negotiations, the LIBE Committee responsible for the ePrivacy Regulation in the EU Parliament votes on the draft. Much to the surprise of the online industry, the draft, virtually unchanged, is adopted by the EU Parliament one week later. At the same time, the EU Council also discusses the draft in a working group. Member States are invited to submit their opinions by 14 August 2017.
2018: Trialogue negotiations between the Commission, Parliament and the Council
With the adoption of the draft by the EU Parliament, the mandate for the next procedural step - the EU Parliament's negotiations with the EU Council - is given.
In 2018, the so-called trialogue negotiations between the Commission, Parliament and the Council are to be concluded.
The negotiations are a complex and lengthy matter with many voices.
To get a picture of some of the agents and their draft proposals, the law firm Linklaters has written a good overview.
The Commission has abandoned its target date of 25 May 2018, and experts expect implementation in 2019.
The official draft of the ePrivacy Regulation and its annexes can be found on the homepage of the European Commission.
On this page of the regulation-work-in-progress, you can see
The ePrivacy Regulation is a lex specialis to the General Data Protection Regulation, meaning that it complements the GDPR with rules that apply specifically to the electronic communications sector.
As lex specialis, it overrides the GDPR in the specific areas that it covers.
There are two laws because they are derived from two different rights in the European Charter of Human Rights:
The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.
The GDPR is focused on defining and protecting personal data, e.g. health data, whether paper-based or electronic. The ePrivacy Regulation, on the other hand, particularizes GDPR for electronic communications and focuses on devices, processing techniques, storage, browsers etc.