The draft E-Privacy Regulation (the "Regulation") was published on 10 January 2017 by the European Commission (the "Commission"). This legislation is intended to replace the current E-Privacy Directive (2002/58/EC) across the EU and seeks to increase harmonisation between the member states by being directly applicable. The Regulation will introduce more stringent privacy rules in respect of all electronic communications.
It was originally expected that the Regulation would come into force on 25 May 2018, to coincide with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”). However, the EU Council discussions on the draft have made slow progress and it has been confirmed that the final Regulation will not apply from that date.
There are a number of areas of uncertainty and some of these might see a substantial departure from the current position. We keenly await the outcome of discussions, in particular on the following areas:
Exact scope of the Regulation – it will be interesting to see the extent to which the Regulation is broadened to include areas that are not currently covered, for example "ancillary services" and "content data". We also hope for clarity on the types of processing which will be within scope.
Clearer and simpler rules on cookies – there is likely to be a new approach to consents and notifications regarding cookies, which it is hoped will be more user-friendly and streamlined to reduce the endless consent buttons and pop-ups with which internet users are currently faced.
Distinction between ‘individual’ and ‘corporate’ subscribers – at the moment, the position under the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 is that electronic marketing communications to ‘individual’ subscribers require consent, whereas electronic marketing communications can be sent to a ‘corporate’ subscriber (not including partnerships and sole traders) without obtaining its consent. Some discussion around the draft has considered removing this distinction. If reflected in the final draft of the Regulation, removing the distinction between natural and legal persons could result in a burdensome requirement to also obtain consent before sending electronic marketing communications to ‘corporate’ subscribers.
Marketing of ‘similar’ products or services to existing customers – the ability to send electronic marketing communications where you have obtained electronic contact details in the context of the sale of a product or a service might be broadened. One suggestion is to remove the limitation on only providing information about ‘similar’ products and services. This would be particularly beneficial to retailers who could, after an individual has purchased products or services from them, advertise their full range, including unrelated products and services.
Interaction of the Regulation with GDPR – clarity on when the GDPR will apply and when the E-Privacy Regulation will apply would be welcome. It will be important to see how the two pieces of legislation are intended to operate together and whether they will be exclusive or cumulative.
The delay poses a particular challenge here as businesses prepare for GDPR without fully understanding the potential implications of the Regulation for their work practices and policies. Importantly, businesses that are on track with GDPR compliance projects may later find themselves having to undertake a further review of, and make additional adjustments to, their approach to privacy in relation to the above. In the meantime, we will be closely following the progress of discussions on the Regulation.