This post is part of a series on ePrivacy. You can read our introduction to the series here.

The EU Council has reached a compromise agreement on its position on the new ePrivacy Regulation. This involved coming to agreement on various issues, including: processing data for further compatible purposes, extending the scope to cover machine-to-machine data transmitted via a public network, specifying the conditions for allowing processing on end-users’ terminal equipment without consent, and providing that end-users can consent to certain types of cookies by whitelisting.

From a UK perspective, while there is no immediate legal effect, this update is important to keep on the radar. The ePrivacy Regulation, when it is finally agreed and implemented, will not automatically form part of UK law, given the expiry of the Brexit transition period. Instead, the UK’s ePrivacy regime will continue to be governed by the Privacy and Electronic Communications Regulations (PECR). The PECR implemented the 2002 EU ePrivacy Directive that the ePrivacy Regulation seeks to update. The PECR cover several areas, including: electronic marketing, the use of cookies, security of public electronic communications services, and privacy of customers using these services with regard to traffic and location data, itemised billing, caller ID, and directory listings.

It is conceivable, however, that the UK will consider alignment with the updated EU laws for two reasons:

  1. The ePrivacy Regulation has been a cornerstone of EU-wide privacy rules, along with the General Data Protection Regulation (GDPR). The relationship between the GDPR and the UK’s data protection rules is a timely topic, given that on 19 February 2021 the European Commission issued its draft adequacy decision that would allow EU-to-UK data transfers. While the ePrivacy Regulation is not strictly relevant to the UK’s continued adequacy status, alignment on ePrivacy rules would likely be viewed positively by the EU institutions, which could prompt the UK to update its laws in line with the new EU regime.
  2. UK businesses who operate in the EU will feel the effects of the ePrivacy Regulation once it is enacted, as it will directly apply in all EU Member States. Additionally, the Regulation will have extra-territorial effect, similar to the GDPR. This means it will apply to any processing of electronic communications services, content, and metadata, and any e-marketing or storing of cookies, where the end-user is based in the EU.

As a result, UK businesses with EU custom would be smart to keep an eye on developments in the ePrivacy saga – and we will continue to provide updates when they happen.