Written by Daniel Felz
About this time last January, the European Parliament released its proposal for a new ePrivacy Regulation. The intent of the ePrivacy Regulation is to replace the current ePrivacy regime – which consists of an ePrivacy Directive and a patchwork of local implementing legislation – with a uniform set of directly-applicable EU-wide rules. Since the Parliament released its ePrivacy Regulation draft, both the European Council and the European Parliament have reviewed it and released their own revised drafts.
The ePrivacy Regulation contains a number of important rules for companies. Traditionally, many companies encounter ePrivacy rules when they evaluate (a) EU rules surrounding Internet cookies, web beacons, or other user tracking, or (b) EU direct-marketing and anti-spam rules. ePrivacy Regulation drafts both maintain and strengthen cookie and anti-spam rules, but also significantly expand ePrivacy rules’ scope beyond its traditional remit. At least one of the three ePrivacy drafts to date have contained rules relating to:
- Over-the-Top (OTT) communications services;
- Communications secrecy and wiretapping rules;
- Internet-of-Things (IoT) data transmissions, i.e. machine-to-machine communications;
- Marketing on emergent channels, such as MMS and social media;
- Device pinging, people-counting, and other novel uses of mobile data; and
- Obligations to consult with EU Data Protection Authorities (DPAs) prior to certain uses of electronic communications information.
Recently, the European Parliament voted to enter into trilogue negotiations with the European Council and the European Commission. The purpose of trilogue negotiations will be for the three European institutions to agree on a finalized text that can be passed by the European Parliament to enter into force. During ePrivacy drafting, some EU institutions expressed hope that a text could be finalized quickly, and that the ePrivacy Regulation could be passed as a law and enter into force contemporaneously with the General Data Protection Regulation (GPDR) on May 25, 2018.
Today, however, it was indicated that the timeline for finalizing the ePrivacy Regulation may be more extended than initially hoped. At a conference sponsored by the German Federal Society for Data Protection, a spokeswoman from Germany’s Economic Ministry was reported as stating that trilogue negotiations will not begin until the fall of 2018. Apparently, EU Member States are still discussing a number of open questions regarding ePrivacy Regulation issues.
This would likely mean that a final ePrivacy Regulation text will not be agreed upon until near the end of 2018, or in 2019. And if the ePrivacy Regulation – like the GDPR before it – contains a grace period for companies to bring their systems into compliance, it could be 2020 before the ePrivacy Regulation enters into force.
Alston & Bird and its Brussels-based EU Privacy Team is closely following ePrivacy Regulation drafting. For more information, contact Jim Harvey, David Keating, Jan Dhont, or Daniel Felz.