The long-awaited adoption of the ePrivacy Regulation could pick up speed again through the German EU Council Presidency. What will change for UK companies if the EU eventually enacts the ePrivacy Regulation, and what impact does Brexit have on that?
What is the ePrivacy Regulation?
The Regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications) was first introduced by the European Commission in 2017 to reinforce “trust and security in the Digital Single Market” and is designed to replace the ePrivacy Directive (the Privacy and Electronic Communications Directive (Directive 2002/58/EC), which was implemented in the UK by the Privacy and Electronic Communications Regulation (PECR) in 2003.
The ePrivacy Regulation is seen as a crucial part of the EU’s modernisation of EU-wide privacy rules, together with the General Data Protection Regulation (GDPR).
Generally speaking, the ePrivacy Regulation focusses on ensuring the privacy and security of all data transferred via electronic means. Thus, the subject matter of the ePrivacy Regulation is broader than of the GDPR and aims to govern all “electronic communications data”, including:
- any information concerning the content transmitted, and
- information exchanged to transmit, distribute or enable the exchange of electronic communications content, such as geographical location data and electronic communications metadata.
The previous failure of the ePrivacy Regulation
Initially, the European Union intended the ePrivacy Regulation to enter into force together with the GDPR in 2018. In November 2019, a proposal brought by the Finnish Council Presidency was rejected by the Permanent Representatives Committee of the Council of the European Union (COREPER) due to strong disagreements on the right balance between user privacy rights and economic interests.
On 1 July 2020, Germany commenced its EU Council Presidency and will strive to re-draft the proposal in a new attempt to get sufficient support for it.
What is causing the delays?
There is joint agreement on the overall aims of the ePrivacy Regulation, including harmonisation of privacy rules and better protection of user privacy. However, the methods and degrees of achieving those plans are controversial. Some Member States favour more robust protection mechanisms for user data, whereas others are concerned about economic aspects and interests if the rules become too strict.
Criticism especially concerns the operators of internet services and the online marketing industry, in addition to the protection of citizens’ privacy rights. Companies are concerned that if consent for tracking users and placing cookies becomes mandatory, they will not be able to advertise due to a constrained availability of online information. Agreement on the right balance has not yet been found even after years of negotiation.
Germany announced that it would bring forward a new proposal at the beginning of its EU Council Presidency, which began on 1 July 2020. It is not entirely clear if Germany is likely to take a pro-data protection or pro-economic interests approach.
What is the impact on UK businesses?
UK businesses are reminded that the ePrivacy Regulation is not the same as the GDPR, which is in effect in the EU and the UK. During the transition period until 31 December 2020, the GDPR will be fully applicable to UK businesses.
Art. 71 of the Brexit Withdrawal Agreement provides that after the end of this transition period, personal data from individuals in the UK or the EU will be processed following the GDPR until the EU reaches an adequacy decision. If no adequacy decision is reached, the UK will become a so-called third country and personal data will no longer flow uninterruptedly between the EU and the UK (for more information read our guide on Brexit and GDPR).
The UK PECR rules, which are derived from the implementation of the ePrivacy Directive, is UK law covering matters related to marketing, cookies and electronic communications and will continue to fully apply to UK businesses after the UK leaves the EU. As mentioned above, the EU is currently still working on replacing and updating these rules with the ePrivacy Regulation. As the ePrivacy Regulation was not finalised before Brexit, the new rules will have no direct influence on UK law.
Even if a proposed ePrivacy Regulation would come into effect soon and although it is an EU-law that is binding for all EU member states and would be immediately effective, a transitional period would be expected. As all signs lead to the Brexit transition period ending 31 December 2020, without extension, the UK will not be directly affected by the ePrivacy Regulation.
Once the ePrivacy Regulation is enacted, it will be directly applicable in all EU member states. Therefore, as a majority of UK companies are expected to continue to do business with the EU after Brexit, it is likely that a significant number of UK businesses will need to comply with the privacy rules even if the UK is no longer part of the EU by the time the Regulation is implemented.
Furthermore, the ePrivacy Regulation will have extra-territorial effect, which means that it would apply not only to entities located within the EU but also to any processing of electronic communications data:
- in connection with electronic communications services provided to end-users within the EU, and
Therefore, Germany’s announcement to use the EU Council Presidency from July to December 2020 to further advance the ePrivacy Regulation is still highly relevant to the UK.
Make data protection your competitive advantage. Our UK data protection support will help you!