On 8 September 2017, the European Council published its first revisions (“Revised Draft”) to the draft EU ePrivacy Regulation (version COM(2017) 10 of 10 January 2017, “ePrivacy Regulation”). The Revised Draft is based on the discussions held in previous meetings of the European Union’s Working Party for Telecommunications and Information Society (“WP TELE”), and on comments provided by delegations.

The Revised Draft

The Revised Draft aims for clarifications compared with the previous draft by the European Commission, and outlines issues to be discussed in further WP TELE meetings. The Revised Draft does not make changes to the general scope addressed by the ePrivacy Regulation. It tries, however, to be clearer about the territorial scope of applicability of the ePrivacy Regulation, and also about excluding legal entities from the definition of data subjects. Even in the form of the Revised Draft, the ePrivacy Regulation seems like an “elephant” that hampers innovation in Europe.

In terms of tracking technologies and commercial communications, the proposed amendments include, inter alia, the following elements:

Tracking Technologies

As under the ePrivacy Regulation, use of cookies and other tracking tools is only permitted if either such use is necessary to provide the service requested by the user, or if the user has consented. The Revised Draft upholds the idea that users can consent via browser settings (Article 4a (2) of the Revised Draft). It clarifies that users may be asked to consent upon installation or first usage of the software (Article 10 (2) of the Revised Draft). As a key change to the first draft of the ePrivacy Regulation, the Revised Draft requires organizations to provide in a clear manner “easy ways” for users to change their consent preferences at any time (Article 10 (2a) of the Revised Draft). The Revised Draft does not provide further clarity on the permissions to further use the tracked data, e.g., for marketing or analytics purposes. Likely, therefore, a second “GDPR-consent” will be required to permit such use. Asking users for two consents is far away from practical life.

The ePrivacy Regulation already included the obligation to remind users of their possibility to withdraw the consent. However, the Revised Draft extends the time period for the reminder from six to 12 months (Article 4a (3) of the Revised Draft).

Marketing Communications

Regarding direct marketing communications (e.g., email or push notification marketing), the Revised Draft does not suggest substantial changes to the ePrivacy Regulation. The general consent requirement remains unaffected – for B2C and also for B2B communications.

The Revised Draft clarifies that the scope of the direct marketing provision should cover all kinds of direct marketing messages. Therefore, the wording of the provision now includes any direct marketing communications that are sent or presented to end-users, including push messages and similar technologies (Article 16 of the Revised Draft).

Class Actions

The Revised Draft has also introduced a new possibility of class actions for end-users who are natural persons. This shall ensure consistency with the GDPR (Article 21 (1a) of the Revised Draft).

Next Steps

The European Council pointed out that the Revised Draft is only a first draft, focussing on the main part of the regulation, and will be followed by an examination of the recitals at a later date. An important topic still to be further explored is, e.g., the “lex specialis” relation of the ePrivacy Regulation to the General Data Protection Regulation (“GDPR”). Additional WP TELE meetings are being held until 25 September 2017. The next step will then be the release of a draft proposal of the European Parliament. Afterwards, the European Commission, the European Council and the European Parliament will debate all proposals in trilogue discussions.

Comment

The ePrivacy Regulation is still not sufficiently innovation-friendly and certainly in some passages too far away from real life (e.g., tracking consent or B2B commercial mailings). As there are still many steps to take, it is unlikely that the ePrivacy Regulation will enter into force by the ambitious deadline of 25 May 2018, in tandem with the GDPR. We expect a final text by the end of this year at the earliest, followed by a 12-month grace period for organizations to get ready.

The final version of the ePrivacy Regulation will affect similar processing activities as the GDPR which will enter into force by 25 May 2018. Organizations must have in mind the upcoming ePrivacy Regulation when getting ready for GDPR. However, very likely, organizations will have to go through a second wave of getting ready for EU-privacy rules once the final text of the ePrivacy Regulation is available.