A new ePrivacy regulation was meant to come into force along with GDPR back in May 2018. But that never happened, because the EU was unable to agree on a new text. The Finnish Presidency of the EU tried and failed 10 times in the second half of 2019 to reach an agreement, and the Croatian Presidency in the first half of 2020 will try once again.
What is the ePrivacy regulation?
The existing 2002 ePrivacy regulation covers electronic communications. This means email marketing, cookies on websites, and privacy in electronic communications. The existing one was meant to be updated and implemented with GDPR in May 2018, but… it hasn’t happened.
The goal of a new ePrivacy regulation is to develop a regulatory framework for machine-to-machine communications and the internet of things.
What’s it meant to do?
Despite the lack of progress, there are a few general areas the new ePrivacy regulation seeks to address.
- Internet of Things (IoT) devices and their territorial application
- The processing of electronic communications data, including content and metadata, and the requirements for consent
- Rules around obtaining end-users’ consent to cookies, requiring browser providers to provide built-in privacy settings (and so remove cookie banners from websites)
- Extending direct marketing rules to instant messaging and in-app notifications, therefore requiring opt-in consent
- Bringing in GDPR-style fines of €20 million or 4% of annual turnover for breaches
- Ensuring consistency with GDPR and consistent regulation and enforcement at an EU level
What are the main sticking points?
There are some inconsistencies between the existing ePrivacy regulation and GDPR, particularly when it comes to cookies on websites, and there’s no general agreement on how that should be dealt with. Plus, certain sectors such as AdTech, AI, and autonomous vehicles lack a strong set of specific regulations, and so rely on ambiguous rules that can differ widely across EU member states. Those industries have been strongly lobbying the EU to ensure any new rules are favourable to them.
What next?
Back to the negotiating table. The EU legislative machinery requires many different parts to agree to new rules.
Since ePrivacy is a regulation, similar to GDPR, it doesn’t require national legislation to give it effect. During the transition period, from the day the UK leaves the EU until a new trading agreement is reached, the UK is supposed to implement all new EU laws. Depending on the date of implementation of the ePrivacy regulation, the UK may not have to apply it. If the ePrivacy regulation is implemented during this period, thereby technically requiring the UK to implement it as well, the government could decide to delay it, ignore it, revoke it, or stick to it.
In the meantime, we have an 18-year-old law, and in that time technology has moved on considerably.
Noel Guilford