The new European data protection regime will enter into force in about one year. The General Data Protection Regulation (“GDPR”) will provide the general framework.

Besides the GDPR, the European Commission has adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”) on 10 January 2017. The ePrivacy Regulation will provide specific rules for the online space on cookies, analytics and spamming. It seeks to align the rules for electronic communications with the new standards of the GDPR. We have previously provided a summary of the main provisions of the proposed ePrivacy Regulation here.

The ePrivacy Regulation is currently under review. The Council of the European Union (“Council”) has now provided a report on the examination done so far. The Article 29 Working Party (“WP29”) has previously provided its analysis.

Review by Council

The ePrivacy Regulation shall enter into force 25 May 2018. While many have already questioned the timeline, the Council stated in a Report on the ePrivacy Regulation of 19 May 2017 that the proposed date of application is “unrealistic”.

Some of the most important issues raised by the Council in its review of the ePrivacy Regulation include:

  • A detailed analysis of possible overlaps, duplications or contradictions with other legislation, including the GDPR, is necessary.
  • The impact of the extension of scope of the ePrivacy Regulation to over-the-top players needs clearer explanations.
  • It is unclear if the proposed solution for cookies (consent via browser settings) will achieve its objectives. The impact on online advertising companies must be further analysed.

The Council will continue its analysis until approximately end of June 2017.

Review by WP29

On 4 April 2017, WP29 has also issued an Opinion on the ePrivacy Regulation. WP29 stated that it generally welcomes the ePrivacy Regulation and the approach chosen in the Regulation of broad prohibitions and narrow exceptions, and the targeted application of the concept of consent. However, WP29 also raised concerns that the ePrivacy Regulation would lower the level of protection enjoyed under the GDPR regarding (i) the tracking of location of terminal equipment, (ii) the conditions under which analysis of content and metadata is allowed, (iii) the default settings of terminal equipment, and (iv) tracking walls.

What’s next?

It remains to be seen when the ePrivacy Regulation will enter into force and what its final content will look like. Companies that are getting ready for the new data protection regime – in particular those that use cookies and direct marketing – should continue to follow the developments regarding the ePrivacy Regulation, and review their respective processes.

The new ePrivacy Regulation will be just as important for companies as the GDPR is. A violation could also lead to fines of up to EUR20 million or 4% of the worldwide annual turnover.