ePrivacy Regulation 2022

The European Union, for years, has been trying to establish a standardised online privacy policy to protect users and rights owners. In this context, the EU ePrivacy Regulation continues to be a hotly debated topic. With this, the European Union wants to formulate binding data privacy regulations with EU-wide applications. These policies will not have any direct effect on internet services operating within the United Kingdom but are important to know for anybody looking to operate their online practices within the borders of the EU. It hasn’t yet been determined, though, when the EU’s ePrivacy Act will come into force and which requirements it will bring with it for the digital industry. And though the UK has made a commitment to improve its digital privacy policies, it’s not entirely clear whether the regulation still affects the UK since Brexit took place and the UK has come up with its own version of the ePrivacy Regulation, known as PECR (Privacy and Electronic Communications Regulations 2003).


The ePrivacy Regulation is not identical to the EU General Data Protection Regulation (GDPR), which is in effect in the EU, but no longer the UK since Brexit. The UK now has its own version known as the UK-GDPR (United Kingdom General Data Protection Regulation), which came into effect on January 31, 2020.

What is ePrivacy all about?

With the ePrivacy Regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC), the European Union wants to strengthen the privacy of citizens in online communication and intensively regulate data protection in the EU. Basically, it’s concerned with restoring people’s trust in digital communication channels. The ePrivacy Regulation, which has not yet entered into force, is the third and presumably final measure in an initiative for binding rules and regulations on European data protection, following the first Data Protection Directive (Directive 95/46/EC) and the ePrivacy Directive (2002/58/EC). In short, the EU's planned ePrivacy is intended to ensure that privacy and data protection will no longer be restricted by national borders in the future (at least within the EU).

With this initiative, the EU has set out necessary regulations: The Internet knows no borders. But what exactly does the European authority anticipate with the ePrivacy Regulation? It’s important to first establish that the ePrivacy Regulation will affect more companies than any previous data protection policy. The requirements are aimed specifically at website owners and software providers, for example, Meta (formerly Facebook), Google and Zoom – basically at the entire online industry.

One major change is set to affect the use of cookies. Rejecting cookies that are not necessary should become simpler for web users and, for example, be regulated via browser settings. Website operators may only use cookies if users explicitly agree to it or they are ‘technically necessary cookies’ that enable the proper functioning of a website (e.g., login cookies). Even if the user doesn’t agree, all content should still be displayed to them in the future. Instead of an opt-out, a double opt-in would be required.

To implement these policies, browser manufacturers could also be put under certain obligations. According to drafts of the policy, web browsers should offer users the possibility to fundamentally regulate how operators track them. They must be allowed to answer questions such as: Is anybody allowed to use cookies on me? And if so, are they only direct providers, or also third-party providers? Among other things, there’s controversy as to exactly how the default setting should look – i.e., whether the user has to become active themselves in order to protect their privacy. The GDPR at least assumes ‘Privacy by Default’: Data protection settings should be as strict as possible directly following installation, and then can only be weakened by the user afterwards. In general, tracking services should only be allowed without permission by the user if they serve a purely statistical purpose.


Although it will still take a while until the ePrivacy Regulation becomes legally effective, there has been an important change in cookie tracking since December 1, 2021. Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) is intended to anticipate ePrivacy Regulation in some respects. To date, it was the GDPR and ePrivacy Directive – also known as the EU Cookie Directive – that provided a legal foundation for how website operators could use cookies.

The draft for ePrivacy also includes machine-to-machine communication. This is the EU’s response to the challenges of the Internet of Things. For these types of data transfer, the same rules should apply as in cases where users are directly involved. The plan is that devices will only transfer personal data if the user has agreed to it. This could apply to GPS data for smartphones, for example. In general, users must be informed about which data is being collected about them and for what purpose. Therefore, it shouldn’t be possible to hide an agreement in the GTCs or link it to another service. For example, if user data needs to be transferred for online shopping – as it always does – this is allowed. It should not be allowed, though, to use this data for advertising purposes at the same time. For this, a new, specific agreement would be required.

The ePrivacy Regulation shouldn’t be limited to the tapping of personal data by companies, though. Government intervention should also be strongly regulated by ePrivacy. End-to-end encryption should become obligatory. This means that all data transmissions should be fully encrypted and not viewable by governments. The introduction of backdoors is also to be forbidden. Backdoors that the producer built to grant access for government would be illegal.

ePrivacy shifts away from the internet when it comes to direct marketing. While nothing changes in the principle of email marketing, the regulation intends to regulate telephone marketing in particular more strongly. The proposal states that telephone calls for solicitation purposes should only be allowed if the caller reveals their telephone number or if they use an integrated code to indicate that it’s an advertising call.

ePrivacy Regulation vs. ePrivacy Directive vs. General Data Protection Regulation

The ePrivacy Regulation exists partly to replace the old ePrivacy Directive and partly to supplement the GDPR. The old regulations have existed since 2002 and were expanded in 2009. However, a European Community directive is not directly effective and binding law; instead, directives have to be converted into national law. As a result, individual nations are afforded a longer transition period. In the case of the ePrivacy Regulation, the situation is different. As with the GDPR, it’s an EU-wide law that’s binding for all countries and would come into effect immediately. The law can grant a transitional period.

The introduction of the GDPR has created even more confusion for businesses wondering what rules they’re going to have to adhere to now. As soon as the ePrivacy Regulation also takes effect, the answer is simple: businesses need to stick to both. The plan is that the regulations in ePrivacy will make the GDPR more concrete. The ePR (as the new regulations will be called) should be a lex specialis. This means that it has priority over the basic data protection regulation – a lex generalis. The GDPR is more general and should be made clearer by the ePR through specific points with definite rules. The data protection regulation is not specifically tailored to the internet. ePrivacy will better protect this area.

The ePR should also contain opening clauses: local regulations should be able to influence certain sections of the regulation when it comes to implementation details. Individual lawmakers must change or adapt points that are inconsistent with EU laws, however.

When will the ePrivacy regulation arrive?

The ePrivacy Regulation has been discussed since April 2016 but has not yet come to a binding conclusion. In January 2017, the European Commission published its first draft. Subsequently, multiple committees issued responses to the Commission’s proposals, which eventually led to the EU Parliament’s own draft in October 2017 (the GDPR had already been decided at this time). Almost one month later, the EU Council Presidency published an assessment report, in which the current state of things was summarised.

Originally, it was planned that ePrivacy and the GDPR would take effect at the same time. This plan has long since been abandoned. For years, the EU member states haven’t been able to agree on a common policy. But there is hope. In February 2021, the EU Council of Ministers agreed on a common version – the starting signal for the so-called trialogue. This means that current representatives of the three bodies involved in the EU legislative process, i.e., the EU Commission, Parliament and Council of Ministers, are negotiating with each other.

Since a year-long transition period is also predicted for the ePrivacy Regulation, there won’t be any need to reckon with an immediate implementation of the draft signed off by all participating countries. To what extent the draft will still be changed can’t yet be predicted. However, it’s fairly likely that this won’t remain as the final version. For 2022, France will assume the Council Presidency, taking over from Portugal and Germany, whose proposals failed.

Criticism of the draft

Cuts made by an ePrivacy Regulation such as the one currently under negotiation affect operators of internet services and the online marketing industry, in particular (in addition to citizens whose privacy is to be protected). So, it’s not very surprising that the greatest criticism is drawn from these areas. The advertising industry finds fault with the EU project.

  • More effort for users: The industry expects that users in the future will be overwhelmed by the number of approvals that would be required by the ePR. This is assuming that for each individual transmission, a specific approval would have to be given.
  • Financing for online media at risk: The biggest point of criticism is that ad-financed online media are in danger. At the moment, there are individual blogs, newspaper websites, and other media in our business model that are dependent upon pop-up ads. Users don’t pay with monetary value, but instead through ad consumption. The number of pop-ups is based for the most part on data that’s collected by advertisers through tracking. If the ePrivacy Regulation takes effect in its current form, then such advertisements would only be possible when paired with explicit approvals that most users probably would not give. Parts of the online marketing industry are apprehensive that the free availability of information on the internet could be prevented.
  • No coherence with GDPR: There are contradictions visible with the GDPR. For this reason, the concerned organisations assume that the new regulation won’t bring more clarity in data protection for online communication, as envisaged by the European Commission, but rather lead to more legal uncertainty. Some are afraid that changes in the business model being made now for the GDPR will be changed even further in the future.

How Brexit affects the ePrivacy regulation in the UK

The transition period lasted until December 2020, and until then, all adopted EU regulations continued to apply in the UK. The UK left the EU in January 2021 and since then, PECR (Privacy and Electronic Communications Regulations 2003) is the UK’s national implementation of the European ePrivacy Directive. It deals with the protection of personal data in relation to electronic communications, specifically cookies and online marketing communications. It isn’t yet known whether the ePrivacy Regulation may still apply in part because UK companies are likely to continue to do business in EU countries, so it makes sense for businesses on both sides to adhere to the same privacy regulations.

Please note the legal disclaimer relating to this article.
