03 May 2021
The European Council delivered its negotiating mandate of the ePrivacy Regulation in February. This document has been a long time coming and gives us the best impression yet of how this important law will look once passed.
Your compliance with the General Data Protection Regulation (GDPR) probably took up a lot of time and resources. Complying with the ePrivacy Regulation might require just as much effort, depending on how the law applies to your business.
This article will take a detailed overview of the draft law and consider how the final version might look.
Here's a breakdown of the basics: what the ePrivacy Regulation covers, who has to comply, and where it applies.
The ePrivacy Regulation is an update to the ePrivacy Directive, first passed back in 2002. What's the difference?
A directive is a law directed at EU Member States. The directive requires Member States to create national laws that give it effect. So, for example, the UK implemented the ePrivacy Directive as the Privacy and Electronic Communications Regulations (PECR). There is usually some variation between Member State laws implementing directives.
Unlike a directive, a regulation immediately becomes law in each Member State once it comes into effect at EU level. There's no need for Member States to create national laws to give the regulation effect. There will be less variation among how the law applies across Member States.
Right now there are three documents relevant to the ePrivacy Regulation, proposed by three different EU bodies:
There's also an opinion on the Council's mandate by the European Data Protection Board (EDPB) published in March 2021.
We'll be looking at the Council mandate in this article because it's the most recent version. However, this version still has to be approved following the inter-institutional negotiating process. Therefore, it could change before coming into force.
The ePrivacy Regulation is about protecting two main things:
Together, these two things are known as "electronic communications data." You send them via an "electronic message" using "e-mail, SMS, MMS and functionally equivalent applications and techniques" (Article 4.3 (e)).
It's important to remember that electronic communications data is not the same as "personal data," about which the GDPR is principally concerned.
Electronic communications data might contain personal data, or it might not. This doesn't affect the rules under the ePrivacy Regulation.
Here's an example of why this matters in practice. Some cookies collect personal data. Some don't. This isn't a relevant consideration under the ePrivacy Regulation. The rules apply to cookies regardless of whether they collect personal data.
However, where electronic communications data does contain personal information, it falls under the scope of the GDPR as well as the ePrivacy Regulation.
The ePrivacy Regulation sets rules about:
The ePrivacy Regulation will apply to anyone carrying out the activities in the section above. Broadly speaking, this means:
Providers of electronic communications services, including:
One of the big changes about the ePrivacy Regulation is that, like the GDPR, it will apply extraterritorially, meaning that people outside of the EU will need to comply with the Regulation under certain conditions.
Article 3 of the ePrivacy Regulation draft sets out the "territorial scope" of the law. It's a little messy in its current form (at page 44):
The rules are actually quite simple. You'll need to comply with the ePrivacy Regulation, regardless of where you're based, if you do any of the following:
Note that the countries in the European Economic Area (EEA), which consists of the EU Member States plus Iceland, Liechtenstein, and Norway, will also be party to the ePrivacy Regulation. This means the rules will also apply to people in those countries.
The short answer is "no," the ePrivacy Regulation will not apply in the UK. The Regulation will be an EU law, and the UK is no longer an EU Member State, nor is it part of the EEA.
However, the UK is seeking an adequacy decision from the EU, which would allow for easier cross-border data flows between the two jurisdictions.
Obtaining and maintaining an adequacy decision will require the UK to maintain EU-equivalent data protection and privacy standards. This means that, in order to achieve "data adequacy," the UK may adopt many of the ePrivacy Regulation's legal requirements into its own law.
Also, bear in mind that many businesses in the UK will be required to abide by the ePrivacy Regulation whenever they are dealing with end-users in the EU. Therefore, whether or not the Regulation is adopted into UK law, an understanding of the ePrivacy Regulation's requirements will be essential for many UK businesses.
The draft ePrivacy Regulation sets a system of fines very similar to that present in the GDPR, namely:
These fines will be imposed (or prosecuted in court) by the EU's Data Protection Authorities (DPAs). A range of non-financial penalties will also be available.
Now let's look at some of the rules imposed under the draft ePrivacy Regulation.
The basic rule imposed by the ePrivacy Regulation is that all communications must be confidential. This means providers of communications services must not "eavesdrop" on communications.
However, the Regulation provides for exceptions where electronic communications data may be intercepted or accessed.
Providers of electronic communications services may process communications data where it is necessary to:
Such interference with communications must always be proportionate and subject to a full assessment of people's rights and freedoms.
The Regulation is more liberal with the processing of communications metadata, which can be processed where it is necessary to:
There are certain conditions under which you may process communications metadata for scientific or historical research or statistical purposes. These rules are set out at Article 6b.1 (e)-(f) and Article 6b.2a-2.
In the case of communications location metadata, such processing is permitted if the data has been pseudonymized, if:
Such metadata may also be processed for producing "official national European statistics."
Under the draft ePrivacy Regulation, the basic rules on cookies remain in place from the ePrivacy Directive. Here's the relevant section of that law, at Article 5:
Under the ePrivacy Directive, you must request GDPR-compliant consent for all cookies, except for those that are:
Some of the following activities might necessitate these types of cookies:
You don't need to get consent for these types of cookies. There are strict caveats here, however: the cookies in question must be limited in duration and must fulfil a specific purpose.
The recitals of the ePrivacy Regulation provide some interesting insights into how the types of cookies requiring consent might change.
For example, Recital 21a refers to cookies used "in assessing the effectiveness of... website design and advertising" or by "helping to measure the numbers of end-users visiting a website" as being "a legitimate and useful tool."
The ePrivacy Regulation contrasts these types of cookies with those "used to determine the nature of who is using the site," which "always require the consent of the end-user."
This suggests that counting unique page visits or ad impressions may not require consent under the ePrivacy Regulation.
The draft ePrivacy Regulation would allow for "cookie walls" under certain conditions.
A cookie wall is a cookie banner that won't let you access a website or service until you agree to cookies. The difficulty with this is that this doesn't meet the GDPR's definition of "consent," which refers to a "freely given" action.
Court rulings, data protection authority decisions, and May 2020 EDPB guidelines all make it clear that cookie walls are not allowed under the ePrivacy Directive and the GDPR. Access to services cannot be made conditional on consent to cookies.
This could change under the ePrivacy Regulation, which proposes the legalization of "cookie paywalls."
Recital 20aaaa (yes, that's 20 followed by four "a"'s) envisions a model whereby access to a website could be made conditional on consent to cookies, if there is "equivalent offer by the same provider that does not involve consenting to data use for additional purposes," which may require monetary payment.
The Washington Post already operates such a "cookie paywall" model:
While the Post's consent solution is problematic under the current rules, it appears that it would be allowed under the draft ePrivacy Regulation.
The ePrivacy Regulation deals with the issue of "cookie fatigue," a phenomenon that can lead to people frivolously agreeing to cookies because they are asked to do so with such frequency. As Recital 20a of the Regulation says: "This can lead to a situation where consent request information is no longer read and the protection offered by consent is undermined."
To attempt to resolve this, the draft ePrivacy Regulation seeks to allow users to provide consent en-masse, by "whitelisting one or several providers for their specified purposes" in their browser or device.
This arguably undermines the GDPR's requirement that consent is "specific," but it will likely be popular among those users feeling "fatigued" by cookie consent banners.
The ePrivacy Regulation specifically addresses IoT devices, providing a few basic rules and principles about their development and deployment:
The "use of the processing and storage capacities" of an IoT device and "access to information stored therein" should not require consent if "such use or access is necessary for the provision of the service requested by the end-user" (Recital 21).
The Regulation gives the example of a smart meter: you need to access information stored on the device for the purpose of maintaining the "stability or security of the energy network" and for the "billing the end-users' energy consumption."
To use or access information stored on IoT devices for any purposes that are not "necessary for the provision of the service requested by the end-user," you'll need to obtain consent.
The ePrivacy Regulation would:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.