The ePrivacy Regulation: latest developments and the impact on UK businesses

Disagreements and concerns about the ePrivacy Regulation have postponed its adoption several times. On 10th February 2021, the EU Member States agreed on the EU Council’s negotiating mandate for the draft ePrivacy Regulation. This allows the EU Council to start negotiations with the European Parliament on the final version of the ePrivacy Regulation, which is to replace the ePrivacy Directive (2002/58/EC).

What is the ePrivacy Regulation?

With the ePrivacy Regulation, sometimes called the ‘EU Cookie Law’, the EU wants to formulate binding data privacy rules with EU-wide application. It clarifies how website operators should handle the use of cookies and complements the GDPR in these respects.

The Regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications) was first introduced by the European Commission in 2017 to reinforce “trust and security in the Digital Single Market”. It is designed to replace the ePrivacy Directive (the Privacy and Electronic Communications Directive, Directive 2002/58/EC), which was implemented in the UK by the Privacy and Electronic Communications Regulations (PECR) in 2003.

The ePrivacy Regulation is seen as a crucial part of the EU’s modernisation of EU-wide privacy rules, together with the General Data Protection Regulation (GDPR).

Generally speaking, the ePrivacy Regulation focusses on ensuring the privacy and security of all data transferred via electronic means. Thus, the subject matter of the ePrivacy Regulation is broader than that of the GDPR and aims to govern all “electronic communications data”, including:

  • any information concerning the content transmitted, and
  • information exchanged to transmit, distribute or enable the exchange of electronic communications content, such as geographical location data and electronic communications metadata.

Development and relevance of the ePrivacy Regulation

The journey of the ePrivacy Regulation goes back several years and is still under discussion. The EU Commission presented the first proposal in January 2017, which was followed by heated discussions. Initially, the EU intended the ePrivacy Regulation to enter into force together with the GDPR in 2018, but this did not happen. In November 2019, a proposal brought by the Finnish Council Presidency was rejected by the Permanent Representatives Committee of the Council of the European Union (COREPER) due to strong disagreements on the right balance between user privacy rights and economic interests. A further draft, proposed under the German Council Presidency on 4 November 2020, was also rejected.

With the EU member states’ agreed negotiating mandate, a milestone has been reached: the Portuguese presidency can now start talks with the European Parliament on the final text. The revised rules on the protection of privacy and confidentiality in the use of electronic communications services may therefore eventually be agreed upon, and the outdated ePrivacy Directive from 2002 can be replaced.

An update on privacy rules is necessary to provide effective rules for new technological and market developments, such as voice over IP, web-based email and messaging services, and especially the emergence of new techniques for tracking users’ online behaviour.

Proposed key changes

The EU Council’s Press Release sets out the key highlights of the draft ePrivacy Regulation:

  • End-users: The proposed rules will apply when end-users are in the EU. This also means that cases where the processing takes place outside the EU or the service provider is established outside the EU are covered.
  • Metadata: The proposed draft will cover electronic communications content transmitted using publicly available services and networks, as well as metadata related to the communication, such as location information and time and recipient data. The latter may be processed, for instance, for billing purposes, for detecting and fighting fraud, and to protect the users’ vital interests, which can include monitoring the spread of epidemics and pandemics, such as the current coronavirus pandemic, or responding to natural or man-made disasters. Under limited circumstances, metadata may also be processed for a purpose other than that for which it was collected (even without the data subject’s consent or another legal basis). However, that purpose must be compatible with the initial purpose, and strong specific safeguards must be in place.
  • Confidentiality of electronic communications data: Accordingly, any interference, including listening to, monitoring or other processing of data by anyone other than the parties involved in the communication, is prohibited (unless explicitly permitted by the ePrivacy Regulation).
  • Permitted processing: Processing of electronic communications data without the user’s consent is permitted in certain cases, for instance:
    • to ensure the integrity of communications services;
    • to check for the presence of malware or viruses;
    • where the service provider is bound by EU or member state law relating to the prosecution of criminal offences or the prevention of threats to public security.
  • Terminal equipment: A user’s terminal equipment, including both hardware and software, may store highly personal information (such as contact lists, photos, etc.). Therefore, the use of processing and storage capabilities and the collection of information from the device will only be allowed with the user’s consent or for other specific and transparent purposes as laid down in the regulation.
  • Cookies: There has been much debate on how to obtain valid consent for cookies. The EDPB has published an update to its Guidelines on consent, which offers useful guidance on ensuring that consent for cookies is validly obtained. The proposed ePrivacy rules reinforce the need for users to have a genuine choice over whether or not to accept cookies or similar identifiers. For instance, making access to a website dependent on consent to the use of cookies for additional purposes, as an alternative to a paywall, will be allowed if the user can choose between that offer and an equivalent offer by the same provider that does not involve consenting to cookies.

Relevance for the UK

The UK PECR rules, which derive from the implementation of the ePrivacy Directive, are the applicable UK law covering marketing, cookies and electronic communications, and will continue to apply in full to UK businesses after the UK leaves the EU. UK businesses are reminded that although the ePrivacy Regulation will be EU law, and thus will have no direct effect in the UK, the developments are still relevant. Once the ePrivacy Regulation is enacted, it will be directly applicable in all EU member states. Since the majority of UK companies continue to do business with the EU, a significant number of UK businesses will therefore need to comply with these privacy rules even though the UK is no longer part of the EU.

Furthermore, the ePrivacy Regulation will have extra-territorial effect, which means that it would apply not only to entities located within the EU but also to any processing of electronic communications data:

  • in connection with electronic communications services provided to end-users within the EU, and
  • related to the terminal equipment of end-users located in the EU, for instance any use of cookies or similar monitoring or tracking applications on the end-user’s devices.

Keep up-to-date

The draft text proposes a transition period of two years, starting twenty days after the ePrivacy Regulation is published. For data controllers, there is therefore no imminent need for updates. Nevertheless, data controllers should already make sure their processes comply with the key highlights of the ePrivacy Regulation set out above, and should closely follow the negotiations with the European Parliament.

Make data protection your competitive advantage

Our UK data protection support will help you!