Right behind the General Data Protection Regulation (GDPR), another EU law on personal privacy and data protection is in the making. The ePrivacy Regulation, which originally should have been finalized on the date of the enforcement of the GDPR, 25 May 2018, is now due to be approved sometime in 2019, with the implementation date yet to be seen.
What is the ePrivacy Regulation? | Definition
The proposal for a Regulation on Privacy and Electronic Communications, also known as The ePrivacy Regulation, is a law in the making by the EU Commission.
Its purpose is to ensure the “respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector” in the EU.
Once applied, the ePrivacy Regulation will replace the ePrivacy Directive from 2002.
Many might know the ePrivacy Directive by its nickname, “The Cookie Law”. One of its most noticeable impacts was the cookie consent pop-ups that appeared on most websites in its wake.
Once the ePrivacy Directive is replaced by the ePrivacy Regulation, the legislation will automatically apply in all EU nations.
That, in fact, is the key difference between a regulation and a directive: Whereas regulations automatically become legally binding throughout the EU on the date they take effect, directives must be incorporated into national law by EU countries.
With a directive, the countries are required to achieve a certain result, but are free to choose how to do so. However, the Regulation is not simply a stronger version of the Directive.
The proposed Regulation is based on a thorough evaluation of the Directive, and addresses shortcomings in the Directive on the one hand, and digital and legislative developments (such as the GDPR) that have occurred since its last revision in 2009, on the other.
National governments in all 28 European countries (including the UK) have had the opportunity to react to the proposed Regulation.
Currently, the EU Commission, the EU Parliament and the EU Council are discussing, in so-called “trialogue negotiations”, what will become the finalized and official Regulation text.
The ePrivacy Regulation, originally planned to be approved simultaneously with the enforcement of the GDPR, will probably be finalized sometime in 2019.
Thereafter, a period of adaptation will follow, before the ePrivacy Regulation is actually enforced as EU law.
This mirrors the GDPR, which was approved on 14 April 2016 and enforced two years later, on 25 May 2018.
Cookies are an important matter - and a matter of dispute - in the negotiations concerning the final phrasing of the ePrivacy Regulation.
The proposed Regulation attempts to address the “consent fatigue” caused by the Cookie Law.
The problem with consent in the ePrivacy Directive is that it has been interpreted in most countries as a requirement for a simple consent banner.
This has proved to be highly ineffective, because:
- Most people don’t know what they are agreeing to when they tick the box.
- Too many requests for consent annoy and overwhelm users, who end up ignoring the requests or accepting without thinking.
- No response is interpreted as consent.
The Regulation is therefore attempting to make changes to the way in which trackers may ask for consent for setting cookies and tracking users.
The evaluation of the Directive concludes that the current consent rule is both over-inclusive and under-inclusive:
- over-inclusive, because it also covers non-privacy intrusive practices, and
- under-inclusive, because it does not clearly cover some tracking techniques (e.g. device fingerprinting) which may not entail access/storage in the device.
Cookie requirements: How can I prepare for the ePrivacy Regulation?
Here is a list of requirements for cookies and online tracking from the latest draft.
Those readers familiar with the requirements in the GDPR will notice redundancies. In fact, many of the rules in the ePrivacy Regulation are similar to the ones described by the GDPR.
As we describe later in this article, the ePrivacy Regulation will, once enforced, complement (and override!) the GDPR when it comes to cases within the electronic communications sector.
- Prior consent. Consent must be obtained prior to the setting of any cookies except the strictly necessary ones.
- Clear and comprehensive language. Just like the GDPR, the ePrivacy Regulation requires that the information on the cookies and what the consent is being given to must be communicated in plain and understandable language, free of legalese.
- Browser fingerprinting should be subject to the requirements. The rules on cookies should also apply to browser fingerprinting, a process that seeks to uniquely identify users based on their browser configuration (without actually setting a cookie on that browser).
- Cookies for purely analytic purposes should be exempted from the rule. Recognising that they don’t intrude on personal privacy, the Regulation proposes that cookies for website analytics should be exempted from the requirement for consent. However, the proposal only encompasses first-party cookies. It is not yet clear whether external services such as Google Analytics will benefit from this exemption.
- New requirements for browsers. Browsers must contain cookie controls and users must choose those settings as part of the installation process. In theory, these settings could demonstrate consent to certain cookies, though there appears to be little appetite from regulators to accept browser settings as sufficient.
When will the ePrivacy Regulation be enforced?
The ePrivacy Regulation was originally aimed to be approved in the EU together with the implementation of the GDPR, on 25 May 2018.
However, this schedule quickly proved to be too ambitious.
According to the latest information, the Regulation will be finalized sometime in 2019.
Thereafter, a period of adaptation will follow, before the regulation is applied.
If we dare to take the process of the GDPR as an example, one might guess that the ePrivacy Regulation will enter into force in 2021.
However, indications are that the ePrivacy Regulation will be even more encompassing and restrictive than the GDPR when it comes to preventing tracking and protecting personal data on the internet.
It is therefore being met with strong criticism for counteracting the internet economy and crippling entire sectors, such as publishing and digital media.
Timeline and update: What is the status of the ePrivacy Regulation?
10 January 2017: Presentation of first draft by the EU Commission
The first official draft of the new ePrivacy Regulation is presented by the EU Commission. The proposed Regulation should replace the ePrivacy Directive (Directive 2009/136/EC) and clarify and supplement the GDPR, with regard to personal electronic communications data. This draft of the planned ePrivacy Regulation is forwarded to the EU Parliament and Council.
19 October 2017: Adoption of draft in the EU Parliament
After lengthy negotiations, the LIBE Committee responsible for the ePrivacy Regulation in the EU Parliament votes on the draft. Much to the surprise of the online industry, the draft, virtually unchanged, is adopted by the EU Parliament one week later. At the same time, the EU Council also discusses the draft in a working group. Member States are invited to submit their opinions by 14 August 2017.
2018: Trialogue negotiations between the Commission, Parliament and the Council
With the adoption of the draft by the EU Parliament, the mandate for the next procedural step - the EU Parliament's negotiations with the EU Council - is given.
In 2018, the so-called trialogue negotiations between the Commission, Parliament and the Council are to be concluded.
The negotiations are a complex and lengthy matter with many voices.
To get a picture of some of the agents and their draft proposals, the law firm Linklaters has written a good overview.
The Commission has abandoned its target date of 25 May 2018, and experts expect implementation in 2019.
Text: Where can I find the latest draft of the ePrivacy Regulation?
The official draft of the ePrivacy Regulation and its annexes can be found on the homepage of the European Commission.
On this page of the regulation-work-in-progress, you can see:
- the latest draft of the actual proposal,
- the evaluation of the ePrivacy Directive,
- the impact assessment documents, and
- translations to the various EU languages.
What is the difference between the ePrivacy Regulation and the GDPR?
The ePrivacy Regulation is a lex specialis to the General Data Protection Regulation, meaning that it complements the GDPR with rules that apply specifically to the electronic communications sector.
As lex specialis, it overrides the GDPR in the specific areas that it covers.
There are two laws because they are derived from two different rights in the European Charter of Human Rights:
The GDPR covers the right to protection of personal data, while the ePrivacy Regulation encompasses a person’s right to a private life, including confidentiality.
What is the scope of the ePrivacy Regulation vs the GDPR?
The GDPR is focused on defining and protecting personal data, e.g. health data, whether paper-based or electronic. The ePrivacy Regulation, on the other hand, particularizes GDPR for electronic communications and focuses on devices, processing techniques, storage, browsers etc.