As those in the know recognise, data protection is not just about GDPR. Many of us have been waiting for GDPR’s EU counterpart, the new ePrivacy Regulation for a very long time.

There’s been a huge amount of debate surrounding when ePrivacy will finally be agreed – it might not be as soon after GDPR as had been anticipated.

What is the ePrivacy Regulation?

The purpose of the ePrivacy Regulation is to modernise the 2002 ePrivacy Directive, which currently sits alongside GDPR, and led to the UK’s 2003 Privacy and Electronic Regulations (PECR). The broad aim of the new Regulation is to create a harmonised and enhanced approach across the EU to communications security, tracking technologies, electronic marketing communications and more. The aim is to also broaden the scope of the current directive to cover new electronic communications technologies, such as social media messaging services (such as WhatsApp, Messenger etc) and what are termed Voice over Internet Protocol providers or VoIPs (such as Skype).

The initial intention was for the ePrivacy Regulation to come into force in tandem with GDPR in May 2018. However, this incredibly complex piece of legislation has proven very difficult to reach agreement on a final text. Since passing the GDPR deadline, there’s been considerable pressure for agreement and adoption of a final text prior to the next Euro elections in May 2019.

However, the most recent developments look likely to cause further delays. Member States, led by France, Poland, Belgium and Germany have recently called for the removal of the current draft text from the agenda of the next Coreper meeting. Coreper is the Permanent Representatives Committee and plays a crucial role in the EU’s decision-making system. The key argument is that many of the provisions in the current proposal still require detailed discussions to facilitate agreed compromises. For example, the following key areas are still causing heated debate:

  • the proposed scope of the Regulation
  • confidentiality v data protection
  • consent
  • browser settings
  • cookie and tracking walls
  • wi-Fi tracking
  • direct marketing

What happens next?

The Austrian presidency are expected to now produce a progress report in early December, summarising the work on ePrivacy undertaken during their six-month EU Presidency. The baton will then be handed to Romania, which takes up the Presidency of the Council of the European Union at the beginning of January 2019.

Many believe it’s now looking increasingly unlikely that agreement will be reached prior to the European Elections in May next year, which could lead to the ePrivacy Regulation being pushed back even further.

Even if the ePrivacy Regulation were to be published early next year prior to the May elections, organisations are likely to given a year (and maybe two) to prepare before the rules are enforced. It seems now that the earliest expectation for enforcement, therefore, is likely to be Spring 2020.

For further information also see the DPN’s previous article in July: ePrivacy Regulation update 

Simon Blanchard, Senior Associate Opt-4