The latest ePrivacy Regulation: when will it come, what will change, and how can companies get prepared?
One thing is certain: we are all looking forward to the end of the back-and-forth surrounding the ePrivacy Regulation. After all, the discussions regarding a uniform European regulation on electronic communication have been with us for a long time. But the wheels are starting to turn: the European Council has recently (mid-February 2021) adopted a new draft. This will now be discussed in the next steps at the European Parliament, where we expect a final regulation text to be adopted in the coming future.
The initial impulse of many marketers is to simply wait and see. Find out here whether this is the appropriate course of action this time around, as well as which novelties could cause a lot of turmoil.
In addition, find all information on:
- Current status and possible future developments
- Main differences between the GDPR and the ePrivacy Directive
- Important preparations companies can make now
ePrivacy Regulation: current status and development
++ NEWS ++ The current proposal and what data privacy officers have to say about it
If the new draft were to enter into force as it stands, this would be a bitter blow for data privacy experts. For example, the BfDI argues that this would mean the reintroduction of data retention as well as making so-called “cookie walls” permissible again. In addition, the possibility for users to revoke their consent to the processing of their personal data at any time would be eliminated – and the data protection impact assessment would also be removed. Furthermore, an article is missing from the drafts of the Commission and Parliament that should allow consent management via the browser and thus make privacy protection the default setting. It also excludes reference to the provisions of the General Data Protection Regulation (GDPR). Last but not least, this version of the ePrivacy Regulation would allow personal data to be further processed for other purposes without explicit user consent – a serious infringement of the fundamental rights of European citizens.
Food for thought: Germany and Austria withheld their support for the draft, according to a report by the magazine politico.eu. The broad majority of EU states, however, supported the Portuguese proposal.
The fact of the matter is that the ePrivacy Regulation has yet to come into force (current status as of early 2021). European member states disagree on the exact structure, even though there has been some movement recently due to the new draft.
Let’s take a look back: originally, the regulation was supposed to have taken effect parallel to the start of the GDPR in 2018. This of course means that it would already have had to be adopted in 2016.
Since then, the road to full privacy has been quite bumpy. The launch of the ePrivacy Regulation has been postponed again and again, and at the end of 2019, it was even on the verge of being cancelled. The reason: lack of coordination between the EU states, for example, over rules on user tracking, cookies and the handling of connection and location information.
Now it’s the beginning of 2021, and the regulation is still up in the air. The Portuguese Council Presidency, chaired by Augusto Santos Silva, presented a new draft of the ePrivacy Regulation shortly after taking office in January 2021, which was chosen by the EU Council.
However, even if the draft were to pass all EU bodies and be incorporated into a regulation, it will still take time for the ePrivacy Regulation to take effect.
The ePrivacy Regulation as an extension of the GDPR: differences & similarities
Initially, the ePrivacy Regulation was to enter into force in tandem with the GDPR on 25 May 2018. It was intended to address aspects that were not comprehensively explored in the GDPR. However, fast forward to 2021 and the ePrivacy Regulation is still being discussed as a draft. What unites GDPR and ePrivacy? Well for starters, they are both regulations.
Regulations apply equally and directly to all member states. They do not have to be re-implemented into national law. They therefore serve to standardise rules in all European states. Regulations form a strong contrast to directives, where the individual nation states can determine independently how they implement and execute the EU rules.
Another overlap is the focus on data protection, although this is also where the biggest difference lies: While the GDPR applies to all areas of everyday life, the ePrivacy Regulation is exclusively limited to the digital space.
Let’s compare: GDPR and ePrivacy Directive
|Legal Field||Data Privacy||Data Privacy|
|Applicable Field||online as well as offline||Exclusively online/electronic communication|
|In Effect||Yes, as of 25 May 2018||No|
|Online Version||L_2016119DE.01000101.xml (europa.eu)||current draft: (as of 10 February 2021)|
ePrivacy Regulation vs ePrivacy Directive
Currently, the ePrivacy Directive from 2002 applies; it is often also referred to as the “EU Cookie Law”.
In 2009, the Directive was extended to include the supplementary “cookie” paragraph (Directive 2009/136/EC). One of the new additions is the section (Art. 5 para. 3) requiring informed consent for the processing of user information:
“Member States ensure that the storage of information or access to information already stored in the terminal equipment of a subscriber or user is only allowed if the subscriber or user concerned has given his or her consent on the basis of clear and comprehensive information provided to him or her in accordance with Directive 95/46/EC, inter alia, regarding the purposes of the processing.”
In principle, both the Directive and the Regulation are meant to ensure compliance with data protection within electronic communications.
However, unlike regulations, directives cannot be integrated into national law on a one-to-one basis. Therefore, member state interpretations can differ significantly – as the term directive already suggests. The consequence? Legal uncertainties arise for companies that offer their services across differing national borders.
In Germany, for example, the ePrivacy Directive is enacted through the Telecommunications Telemedia Data Protection Act (TTDSG), which was recently passed by the cabinet and revised.
What is the difference between the ePrivacy Regulation and the Directive?
Generally speaking, the regulation is intended to provide up-to-date regulation, for instance for the increasingly popular messenger services such as WhatsApp – and to do so uniformly throughout the EU. While the directive is already in force, the regulation has yet to be enacted. The plan is for the ePrivacy Regulation to replace the ePrivacy Directive.
Let’s compare: ePrivacy Directive and ePrivacy Regulation
|ePrivacy Directive||ePrivacy Regulation|
|Legal Field||Data Privacy||Data Privacy|
|Applicable Field||Exclusively online/electronic communication||Exclusively online/electronic communication|
|In Effect||Yes, as of 2002 or 2009 (in expanded form); divergently implemented across the nation-states|
|Online Version||EU: Link; Telemedia Data Protection Act: 04 GE TTDSG (bmwi.de) (as of 10 February 2021)|
What preparations should companies undertake for the ePrivacy Regulation?
Because the drafts of the ePrivacy Regulation keep changing, with certain aspects dropped and new content added, preparing for it is an increasingly difficult task.
According to experts, the current February draft contains passages that leave “invasive tracking” open. Earlier drafts had already provided much stricter rules in this regard. Therefore, we think that it does not make much sense for small and medium-sized enterprises to deal with all the changes in detail. Here, it is sufficient to look at the state of the art in general – and the following points:
- User tracking & cookies
- Connection and location data
- Dealing with metadata
Given that the regulation is not yet set in stone, there is plenty of time to deal with these three aspects. In any case, there is a two-year transitional period to give market players the opportunity to implement and “directly” incorporate the regulation into national laws. Assuming that the ePrivacy Regulation is adopted in mid-2021, it would only take effect in 2023.
Despite the long wait, as soon as the ePrivacy Regulation has been adopted, companies should prepare in a timely manner for its implementation, in order to avoid a “last-minute panic” a few weeks before the deadline, similar to the one that occurred when the GDPR came into force.
Find out how this can best be achieved in our guide:
Online Marketing | 2021 without Cookies? 3 GDPR-compliant Strategies (usercentrics.com)