The other privacy regulation

The entry into force of the General Data Protection Regulation (GDPR) on May 25 2018 did not go unnoticed by the world. The GDPR is now recognized as law across the EU, and whilst this is certainly a milestone within the world of privacy, we are not quite there yet. On the same date, another important piece of the EU privacy jigsaw was supposed to enter into force, namely the ePrivacy Regulation (ePR). Evidently, this was not realized. In fact, the question remains where we currently stand with the ePR, and what precisely it will add to the EU privacy law puzzle?

Blog part I

In order to provide our readers with a more valuable insight into these questions, we have divided our blog into three parts. Whilst this week’s post touches upon what the ePR entails and its relationship with the GDPR, the following posts will provide you with a more thorough analyses of the extensive lobbying process as well as of the content of the ePR.

What does the ePR entail?

The ePR is intended to be an update of the existing Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update Directive 2009/136, ePrivacy Directive). The ePrivacy Directive became known as the cookie law, and has since been to various degrees implemented within domestic law across the EU. Just like the GDPR however, the ePR is a regulation. This means that upon adoption, it will become legally binding across the EU without requiring domestic law to enact the regulation.

Whilst the ePrivacy Directive is often referred to as the cookie law, it focuses on the privacy of individuals as it relates to electronic communications as a whole. This indeed involves cookies, spam and direct marketing, but also the Internet of Things, telephones as well as the phenomenon Over-the-Top communication (electronic communications such as instant messaging and Voice Over IP that companies such as Skype and WhatsApp use).

The relationship between the ePR and GDPR

The ePR aims to further enhance certain areas of the GDPR, in particular the areas concerning unsolicited marketing, cookies and confidentiality. Since the ePR complements and particularizes the GDPR, the definitions of privacy and data under the ePR are equal to the definitions adopted under the GDPR. It is expected that the ePR will function as a lex specialis to the GDPR, meaning that the ePR will override the GDPR with regard to the mentioned specific areas.

Other touchpoints between the two regulations include the fines for non-compliance, which are the same under the ePR as they are under the GDPR (20 million euros or 4% of annual global turnover, whichever is the highest). Both the GDPR and the ePR have been introduced to align data privacy laws across the EU (in addition to The Regulation on the free flow of non-personal data). The territorial scope of the regulations are also the same; they apply to the protection of personal data of individuals within the EU. Therefore, if you do business in the EU, regardless of whether or not you are based in the EU, the regulations may apply to your business.

When can we expect this Regulation to actually enter into force?

Whilst the ePR was intended to enter into force on the same date as the GDPR (May 25 2018), the draft text was only published by the European Commission (EC) on January 10 2017. The draft ePR has since been subject to tremendous lobbying. More recently (12 March 2019), the European Data Protection Board (EDPB) provided its opinion on the interplay between the ePR and the GDPR in which it reiterated its position that the EC, Parliament and Council ought to work together to ensure a swift adoption of the ePR.