What is the ePrivacy Regulation?
The proposed EU Regulation on Privacy and Electronic Communications (commonly known as the ePrivacy Regulation or ePR) will replace the 2002 ePrivacy Directive (the ‘cookie law’) and all member state laws that implement it, including the UK’s PECR (Privacy and Electronic Communications (EU Directive) Regulations 2003).
When will the ePrivacy Regulation take effect?
The ePrivacy Regulation was proposed by the European Commission in January 2017 and was intended to take effect alongside the EU GDPR (General Data Protection Regulation) on 25 May 2018.
However, the Council of the European Union is yet to confirm its position, let alone begin ‘trilogue’ negotiations with the Commission and Parliament, so the Regulation’s final text is far from being agreed.
With further delays caused by the 2019 EU elections, and the latest draft specifying a 24-month transition period, the ePrivacy Regulation might not take effect until 2022 at the earliest.
You can follow the ePrivacy Regulation’s progress and read all drafts on the EU’s EUR-Lex website.
Brexit and the ePrivacy Regulation
It’s not yet known whether the UK will implement the ePrivacy Regulation in full or in part after Brexit, although the UK will in all likelihood align itself with the EU in an attempt to hasten an adequacy decision.
How are the ePrivacy Regulation and GDPR linked?
The ePrivacy Regulation will complement the GDPR’s general rules on personal data processing by providing specific rules governing electronic communications.
As such, the ePrivacy Regulation will take precedence over the GDPR in situations where both laws apply.
Note that, unlike the GDPR, the ePrivacy Regulation does not apply only to personal data. It also affects, for instance, B2B marketing.
The scope of the ePrivacy Regulation
The latest (18 September 2019) draft from the Council differs slightly from the Commission’s 2017 proposal and recommends that the ePrivacy Regulation apply to:
- The processing of electronic communications content and of metadata carried out in connection with the provision and use of electronic communications services;
- End users’ terminal equipment information;
- The offering of a publicly available directory of end users of electronic communications services; and/or
- The sending of direct marketing communications to end users.
Whatever the Regulation’s final wording, it will have the same territorial scope as the GDPR and apply directly in all EU member states as well as having extraterritorial reach to non-EEA organisations that:
- Process EU residents’ electronic communications content and/or metadata;
- Process EU residents’ terminal equipment information;
- Offer publicly available directories of EU residents; or
- Send direct marketing communications to EU residents.
Organisations that fall within the ePrivacy Regulation’s scope but are not based in the EU must designate a representative in an EU member state where their end users are based.
Organisations that have already appointed an EU representative to meet their GDPR obligations could appoint the same representative to comply with the ePrivacy Regulation.
What are the main differences between the 2002 ePrivacy Directive/PECR and the proposed ePrivacy Regulation?
The ePrivacy Regulation will expand the 2002 Directive’s scope to cover newer technologies like instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).
As the Regulation’s final text is yet to be agreed, it is impossible to provide a detailed commentary on how it differs from the Directive. However, there are certain areas that are worth examining.
The ePrivacy Directive was nicknamed ‘the cookie law’ as it prompted many organisations to introduce cookie walls and consent mechanisms that prevented end users from accessing websites unless they blindly accepted cookies.
The ePrivacy Regulation is meant to eliminate issues such as these, while still giving people online privacy and protecting the confidentiality of their terminal equipment.
The Commission’s proposal states that cookies that are used only to process information anonymously should no longer require end-user consent. This should mean fewer cookie walls and banners for end users.
Many other exemptions from consent are retained in the proposal, including cookies necessary for:
- Transmitting a communication;
- Billing or collecting payments; or
- Detecting or stopping fraud.
However, even though the ePrivacy Regulation places fewer restrictions on how electronic communications data can be collected, it sets out rules on how that data must be stored, protected and erased.
Note also that in October 2019 the European Court of Justice ruled that users must actively consent to companies storing any cookies on their equipment, irrespective of “whether or not the information stored or accessed on the user’s equipment is personal data”. We should expect to see this reflected in the final draft of the Regulation.
Where consent is required, the GDPR’s standard for consent applies.
For more information on the GDPR’s standard for consent, read our blog ‘GDPR: lawful bases for processing, with examples’.
Processing electronic communications content and/or metadata
The proposed use of legitimate interests as a lawful basis for processing electronic communications metadata is also proving contentious.
On 25 May 2018, the EDPB (European Data Protection Board) released its Statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, which recommends that:
“User consent should be obtained systematically in a technically viable and enforceable manner before processing electronic communications data or before using the storage or processing capabilities of a user’s terminal equipment. There should be no exceptions to process this data based on the ‘legitimate interest’ of the data controller, or on the general purpose of the performance of a contract.”
Article 16 of the Commission’s draft states that end users may not be sent direct marketing communications unless they have given their consent.
It then provides a number of exemptions, including marketing to existing customers, and sets out rules for marketers, including the obligation to reveal their identity and provide the opportunity for recipients to opt out of further marketing communications.
The Council’s latest draft amends Article 16 to refer to ‘unsolicited’ as well as direct marketing communications, and adds the option for member states to set a time limit after which organisations may not send marketing communications to their customers.
Note that, although the GDPR states in Recital 47 that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, the ePrivacy Regulation, as ‘lex specialis’ to the GDPR’s ‘lex generalis’, will overrule the GDPR, so if the final version requires consent, legitimate interests will not be valid for direct marketing even though the GDPR says they are.
End users will also have the absolute right to object, in which case you must stop marketing to them as soon as possible, but certainly within one month. You must also inform them of that right, as well as the fact that you intend to use their data for direct marketing purposes.
Fines for non-compliance
The ePrivacy Regulation is expected to carry an identical penalty regime to the GDPR, with maximum fines of €20 million (about £17.5 million) or 4% of a non-compliant organisation’s global annual turnover, whichever is greater.
In the UK, the ICO (Information Commissioner’s Office) will be responsible for enforcing the ePrivacy Regulation.
End users who suffer “material or non-material damage” as a result of infringement of the ePrivacy Regulation also have the right to receive compensation from the infringer.
We will update this page when the final text of the ePrivacy Regulation has been agreed.
Meanwhile, UK organisations should continue to comply with the PECR.
How IT Governance can help you comply
Understand your level of PECR compliance with our independent PECR Audit service, which assesses:
- Organisation-wide awareness of the PECR;
- How risks are managed and the accompanying documentation;
- The security procedures in place such as access limitation;
- Handling of data subjects’ rights and privacy notices;
- Staff training;
- Data transfer mechanisms and third-party processors;
- Your ISMS (information security management system), including testing and frameworks; and
- Your breach response processes.
We will identify areas of non-compliance and deliver a report to help you take remedial action.