The e-Privacy Regulation: latest delays leave important questions unanswered
Published on 3rd Dec 2019
The most recent text of the proposed Regulation on Privacy and Electronic Communications (the e-Privacy Regulation) – which was due to replace the e-Privacy Directive 2002/58/EC – was rejected by the Council of the European Union on 27 November 2019. This latest setback for legislators means there will be no regulatory change for the foreseeable future, which will be welcomed by some, but leaves businesses needing to contend with a number of challenges in relation to the existing regime.
What is happening?
The current E-Privacy Directive (and the EU Member State laws that implement it) covers electronic marketing, the use of cookies (and similar technologies) and privacy and confidentiality in electronic communications. The EU has been looking to reform the law in these areas for some time (for more on what the e-Privacy Regulation is trying to achieve, see here).
The original intention was for the e-Privacy Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR), in May 2018. However, it has been subject to numerous delays.
Under the Finnish Presidency of the EU – which has been in office since July this year – the Council's Working Party on Telecommunications and Information Society has reviewed the proposals 10 times. The most recent text was due to be presented to the Transport, Telecommunications and Energy Council on 3 December 2019 to adopt a general approach. However, that approach did not receive sufficient support in the European Economic and Social Committee. That means it's back to the drawing board in 2020 under the Croatian presidency.
What is causing the delay?
One of the main goals of the e-Privacy Regulation is to future-proof the law for developments in machine-to-machine communications and the internet of things (areas in which the 2002 Directive is already outdated). However, significant concerns were raised with exactly how the new e-Privacy Regulation would interact with these new technologies.
There are a number of other areas of concern which are proving difficult to resolve, including in relation to:
- the processing of electronic communications data for the purposes of prevention of child abuse imagery;
- the protection of information stored on a device (such as a mobile phone); particularly in the context of ad-financed websites and whether, in those circumstances, GDPR-grade consent should be required for the use of advertising cookies or whether some kind of "acceptance" should suffice;
- the processing of electronic communications data for the prevention of serious crimes (including counter-terrorism measures); and
- data retention.
What does this mean for businesses?
On the one hand, no change is good for business. Provided that a business's practices comply with current laws and regulations, there is no need to do anything.
On the other hand, the continued failed attempts to agree the e-Privacy Regulation leave businesses to contend with significant challenges:
- the e-Privacy Directive is hugely outdated: applying its provisions to certain sectors (such as adtech) and technologies (such as the internet of things, AI and connected and autonomous vehicles) is often fraught with ambiguity;
- some of the inconsistencies between the e-Privacy Directive and the GDPR are difficult to resolve (in particular around the use of cookies and other similar technologies); and
- the lack of harmonisation across EU Member States makes complying with rules on direct marketing and the use of cookies (and similar technologies) particularly difficult for any business operating in more than one EU Member State.
So, while many will be breathing a sigh of relief at this latest delay, it is not all good news.
If you have any questions on anything covered in this article, please get in touch with one of our experts.
Written by Emily Barwell and Georgina Graham.