The European Union, for years, has been trying to establish a standardised online privacy policy to protect users and rights owners. In this context, the EU ePrivacy Regulation continues to be a hotly debated topic. With this, the European Union wants to formulate binding data privacy regulations with EU-wide applications. These policies will not have any direct effect on internet services operating within the United Kingdom but are important to know for anybody looking to operate their online practices within the borders of the EU. It hasn’t yet been determined, though, when the EU’s ePrivacy Act will come into force and which requirements it will bring with it for the digital industry. And though the UK has made a commitment to improve its digital privacy policies, it’s not entirely clear whether the regulation still affects the UK since Brexit took place and the UK has come up with its own version of the ePrivacy Regulation, known as PECR (Privacy and Electronic Communications Regulations 2003).

Note

The ePrivacy Regulation is not identical to the EU General Data Protection Regulation (GDPR), which is in effect in the EU, but no longer the UK since Brexit. The UK now has its own version known as the UK-GDPR (United Kingdom General Data Protection Regulation), which came into effect on January 31, 2020.

What is ePrivacy all about?

With the ePrivacy Regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC), the European Union wants to strengthen the privacy of citizens in online communication and intensively regulate data protection in the EU. Basically, it’s concerned with restoring people’s trust in digital communication channels. The ePrivacy Regulation, which has not yet entered into force, is the third and presumably final measure in an initiative for binding rules and regulations on European data protection, following the first Data Protection Directive (Directive 95/46/EC) and the ePrivacy Directive (2002/58/EC). In short, the EU's planned ePrivacy is intended to ensure that privacy and data protection will no longer be restricted by national borders in the future (at least within the EU).

With this initiative, the EU has set out necessary regulations: The Internet knows no borders. But what exactly does the European authority anticipate with the ePrivacy Regulation? It’s important to first establish that the ePrivacy Regulation will affect more companies than any previous data protection policy. The requirements are aimed specifically at website owners and software providers, for example, Meta (formerly Facebook), Google and Zoom – basically at the entire online industry.

One major change is set to affect the use of cookies. Rejecting cookies that are not necessary should become simpler for web users and, for example, be regulated via browser settings. Website operators may only use cookies if users explicitly agree to it or if they are ‘technically necessary cookies’ that enable the proper functioning of a website (e.g., login cookies). Even if the user doesn’t agree, all content should still be displayed to them in the future. Instead of an opt-out, a double opt-in would be required.

To implement these policies, browser manufacturers could also be put under certain obligations. According to drafts of the policy, web browsers should offer users the possibility to fundamentally regulate how operators track them. They must be allowed to answer questions such as: Is anybody allowed to use cookies on me? And if so, are they only direct providers, or also third-party providers? Among other things, there’s controversy as to exactly how the default setting should look – i.e., whether the user has to become active themselves in order to protect their privacy. The GDPR at least assumes ‘Privacy by Default’: Data protection settings should be as strict as possible directly following installation, and then can only be weakened by the user afterwards. In general, tracking services should only be allowed without permission by the user if they serve a purely statistical purpose.

Note

Although it will still take a while until the ePrivacy Regulation becomes legally effective, there has been an important change in cookie tracking since December 1, 2021. Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) is intended to anticipate ePrivacy Regulation in some respects. To date, it was the GDPR and ePrivacy Directive – also known as the EU Cookie Directive – that provided a legal foundation for how website operators could use cookies.

The draft for ePrivacy also includes machine-to-machine communication. This is the EU’s response to the challenges of the Internet of Things. For these types of data transfer, the same should apply for such instances where users are directly involved. The plan is that devices will only transfer personal data if the user has agreed to it. This could apply to GPS data for smartphones, for example. In general, users must be informed about which data is being collected about them and for what purpose. Therefore, it shouldn’t be possible to hide an agreement in the GTCs or link it to another service. For example, if user data needs to be transferred for online shopping – as it always does – this is allowed. It should not be allowed, though, to use this data for advertising purposes at the same time. For this, a new, specific agreement would be required.

The ePrivacy Regulation shouldn’t be limited to the tapping of personal data by companies, though. Government intervention should also be strongly regulated by ePrivacy. End-to-end encryption should become obligatory. This means that all data transmissions should be fully encrypted and not viewable by governments. The introduction of backdoors is also to be forbidden. Backdoors that the producer built to grant access for government would be illegal.

ePrivacy shifts away from the internet when it comes to direct marketing. While nothing changes in the principle of email marketing, the regulation intends to regulate telephone marketing in particular more strongly. The proposal states that telephone calls for solicitation purposes should only be allowed if the caller reveals their telephone number or if they use an integrated code to indicate that it’s an advertising call.

ePrivacy regulation vs. ePrivacy guidelines vs. general data protection regulation

The ePrivacy Regulation partially exists to replace the old ePrivacy guidelines and partially to supplement the GDPR. The old regulations have existed since 2002 and were expanded in 2009. However, a European community guideline is not directly effective and binding law, but instead directives have to be converted into national law. As a result, individual nations are afforded a longer transition period. In the case of the ePrivacy Regulation, the situation is different. As with the GDPR, it’s an EU-wide law that’s binding for all countries and would come into effect immediately. The law can grant a transitional period.

The introduction of the GDPR has created even more confusion for businesses wondering what rules they’re going to have to adhere to now. As soon as the ePrivacy Regulation also takes effect, the answer is simple: businesses need to stick to both. The plan is that the regulations in ePrivacy will make the GDPR more concrete. The ePR (as the new regulations will be called) should be a lex specialis. This means that it has priority over the basic data protection regulation – a lex generalis. The GDPR is more general and should be made clearer by the ePR through specific points with definite rules. The data protection regulation is not specifically tailored to the internet. ePrivacy will better protect this area.

The ePR should also contain opening clauses: local regulations should be able to influence certain sections of the regulation when it comes to implementation details. Individual lawmakers must change or adapt points that are inconsistent with EU laws, however.

When will the ePrivacy regulation arrive?

The ePrivacy Regulation has been discussed since April 2016 but has not yet come to a binding conclusion. In January 2017, the European Commission published its first draft. Subsequently, multiple committees issued responses to the Commission’s proposals, which eventually led to the EU Parliament’s own draft in October 2017 (the GDPR had already been decided at this time). Almost one month later, the EU Council Presidency published an assessment report, in which the current state of things was summarised.

Originally, it was planned that ePrivacy and the GDPR would take effect at the same time. This plan has long since been abandoned. For years, the EU member states haven’t been able to agree on a common policy. But there is hope. In February 2021, the EU Council of Ministers agreed on a common version – the starting signal for the so-called trialogue. This means that current representatives of the three bodies involved in the EU legislative process, i.e., the EU Commission, Parliament and Council of Ministers, are negotiating with each other.

Since a year-long transition period is also predicted for the ePrivacy Regulation, there won’t be any need to reckon with an immediate implementation of the draft signed off by all participating countries. To which extent the draft will still be changed can’t yet be predicted. However, it’s fairly likely that this won’t remain as the final version. For 2022, France will assume the Council Presidency, taking over from Portugal and Germany, whose proposals failed.

Criticism of the draft

Cuts made by an ePrivacy Regulation such as the one currently under negotiation affect operators of internet services and the online marketing industry, in particular (in addition to citizens whose privacy is to be protected). So, it’s not very surprising that the greatest criticism is drawn from these areas. The advertising industry finds fault with the EU project.

  • More effort for users: The industry expects that users in the future will be overwhelmed by the number of approvals that would be required by the ePR. This is assuming that for each individual transmission, a specific approval would have to be given.
  • Financing for online media at risk: The biggest point of criticism is that ad-financed online media are in danger. At the moment, there are individual blogs, newspaper websites, and other media whose business model is dependent upon pop-up ads. Users don’t pay with monetary value, but instead through ad consumption. The number of pop-ups is based for the most part on data that’s collected by advertisers through tracking. If the ePrivacy Regulation takes effect in its current form, then such advertisements would only be possible when paired with explicit approvals that most users probably would not give. Parts of the online marketing industry are apprehensive that the free availability of information on the internet could be prevented.
  • No coherence with GDPR: There are contradictions visible with the GDPR. For this reason, the concerned organisations assume that the new regulation won’t bring more clarity in data protection for online communication, as envisaged by the European Commission, but rather lead to more legal uncertainty. Some are afraid that the business-model changes being made now for the GDPR will have to be changed even further in the future.

How Brexit affects the ePrivacy regulation in the UK

The transition period lasted until December 2020, and until then, all adopted EU regulations continued to apply in the UK. The UK left the EU in January 2021 and since then, PECR (Privacy and Electronic Communications Regulations 2003) is the UK’s national implementation of the European ePrivacy Directive. It deals with the protection of personal data in relation to electronic communications, specifically cookies and online marketing communications. It isn’t yet known whether the ePrivacy Regulation may still apply in part because UK companies are likely to continue to do business in EU countries, so it makes sense for businesses on both sides to adhere to the same privacy regulations.

Please note the legal disclaimer relating to this article.