Latest update on the ePrivacy Regulation
The draft ePrivacy Regulation (the ‘Regulation’) was first introduced by the European Commission in 2017 to reinforce ‘trust and security in the Digital Single Market’. The Regulation is designed to replace the Privacy and Electronic Communications Directive (Directive 2002/58/EC), implemented in the UK by the Privacy and Electronic Communications Regulations 2003, and to form a key part of the EU's modernisation of the existing privacy framework which began with the adoption of the General Data Protection Regulation (‘GDPR’).
Last year, proposals of the Regulation were rejected by the EU’s Transport, Telecommunications and Energy Council. A Progress Report issued by the Council of the European Union (‘Council’) in November last year noted that the Regulation continues to divide Member States and, despite having been examined on ten separate occasions over the course of the six months preceding the Progress Report, a compromise has still not been found.
It therefore fell to the incoming Croatian Presidency of the Council to present a revised proposal for the Regulation. On 21 February 2020, the revised text of the Regulation was published by the Council and will be discussed during the Working Party on Telecommunications and Information Society meeting in March.
What does the Regulation govern?
The proposed Regulation focuses on ensuring the privacy and security of all data transferred via electronic means. The subject matter of the Regulation is thus much wider than GDPR. It will govern all ‘electronic communications data’ which encompasses:
- any information concerning the content transmitted
- information exchanged for the purpose of transmitting, distributing or enabling the exchange of electronic communications content, including geographical location data and electronic communications metadata.
The original proposal was that the Regulation would align and work in tandem with GDPR where personal data is processed. Matters concerning the processing of personal data not specifically addressed by the Regulation will be covered by GDPR.
The draft Regulation includes proposals to:
- harmonise e-privacy rules throughout the Digital Single Market
- provide greater protection for both the content and metadata of electronic communications
- ensure 'over-the-top' services such as WhatsApp, Skype and Facebook Messenger subscribe to the same standards as traditional telecoms providers
- simplify and strengthen rules on cookie data
- protect citizens against unsolicited electronic communications
- strengthen regulators’ enforcement powers
The latest text published by the Croatian Presidency further introduced the possibility to justify the processing of metadata for the provision of electronic communications services if requested by end-users or on grounds of legitimate interests.
What is causing the delay to date and what are the next steps?
While Member States are largely in agreement as to the overall aims of the Regulation, the methods of achieving those aims are proving to be controversial. The European Council has highlighted the following issues on which consensus is still being sought:
- balancing the aims of the Regulation with the need to prevent serious crime and the dissemination of child abuse imagery
- the way the new Regulation would interact with new technologies (such as IoT and machine learning)
- protecting terminal equipment information
- the role of the European Data Protection Board
- data retention
As the latest revised proposal for the Regulation was only submitted in February 2020, it is unlikely that the Regulation will reach an agreed form until 2021 at the earliest. Before the revised Regulation can take effect, it will need to pass through Trilogue negotiations among the European Parliament, European Council and the European Commission, after which a compulsory grace period of a maximum of two years will apply to allow EU Member States to implement the Regulation.
Impact of Brexit
The proposed Regulation is likely to have a significant impact on UK businesses regardless of the UK's future trading relationship with the EU. This is because, like GDPR, it is envisaged that the Regulation will have extra-territorial application. This means that it would not only apply to entities located within the EU, but also to any processing of electronic communications data:
- in connection with electronic communications services provided to end-users within the EU (or the use of such services)
As a result, once enacted, it is likely that a significant number of UK businesses will need to comply with the Regulation even if the UK is no longer a member of the EU by the time the Regulation is implemented. As with GDPR, the UK government may also implement a UK-specific version of the Regulation.