Privacy in space | Privacy | Risk Advisory | Deloitte Netherlands

Next step after the GDPR: the ePrivacy Regulation

Will 2020 become the year of the ePrivacy Regulation?

The GDPR has had a great impact on privacy and data protection: individuals and organizations globally were affected. It seems that organizations realize they must take measures to stay in control. It is important to realize that, in addition to the GDPR, the ePrivacy Regulation (“ePR”) will come into effect. This blog explains the basic principles of the ePR and points out a few specific details to focus on regarding the upcoming ePR.

By Diderik Bierens de Haan & Gianna Hendriks

Background

The ePR aims to update the existing European legal framework applicable to electronic communications. It will substitute local privacy laws and particularize and complement the GDPR. The ePR will be a regulation rather than a directive, which will have an impact on its applicability. Additionally, it will be a so-called “lex specialis”, which means it focuses on a subset of data protection, namely confidentiality of electronic communication, whereas the GDPR as a “lex generalis” concerns data protection in general.

The ePR is currently in draft, which means there is no consensus on the final text and that it is unclear when it will be finalized. The European legislator is still in the process of discussing the draft. We do know that the requirements in the ePR aren’t completely new. Many of the requirements in the ePR are already part of the ePrivacy Directive (“Directive”), which came into effect in 1995 and is still in effect today (albeit in an updated version). In the Netherlands, the Directive is implemented in the Telecommunication Act (“Telecommunicatiewet”). The UK equivalent is called the Privacy and Electronic Communications Regulations or “PECR”. These national laws are commonly known as “cookie laws”, which is a misleading name, since the Directive covers much more than cookies alone.

Key elements of the draft ePR

Article 5 forms the core of the ePR. It provides that electronic communications data shall be confidential, and that any interference shall be prohibited. The ePR provides a number of exceptions to this prohibition. In other words: third parties cannot interfere with (personal) electronic communication between individuals, unless an exception applies.

Since the ePR is a draft that is subject to change, it is unclear which elements will and will not be included in the final version. At this point, the key elements of the ePR are:

(a) Regulation vs directive: the new law will be a regulation with direct effect in all EU member states, which means it does not require implementation into national law. The current law is a directive, which does not have direct effect. The main advantage of a regulation is that it harmonizes e-privacy laws throughout the EU. As a result, e-privacy laws will in principle be the same in each member state.

(b) Scope (data and metadata): the ePR will apply to “electronic communications data” and to “electronic communications metadata”. The scope of the ePR is therefore broader than the GDPR. Firstly, because electronic communications data is not limited to information relating to a natural person. Electronic communications data may, for example, also reveal information concerning legal entities. Secondly, it includes metadata: information such as location of the end user, and the date, time, duration and the type of communication.

(c) Scope (OTT): the ePR will also apply to so-called “over the top” (“OTT”) service providers, whereas the Directive only applies to “traditional” service providers (e.g. fixed line telephony, and SMS). OTT service providers include services such as Skype, web-based email and social media communication channels (WhatsApp, Facebook messenger, et cetera). As a result, individuals using OTT services will be equally protected, and OTT service providers will have to comply with the same rules as traditional service providers, creating a “level playing field”.

(d) Cookies: the European Commission acknowledged that the rules in the Directive regarding cookies have been ineffective, resulting in “cookie-consent fatigue”. It therefore aims to update the cookie rules. However, this is an issue that is heavily debated. It is uncertain whether browser settings will allow users to accept all cookies, and whether cookie walls will be allowed.

(e) Enforcement: the Dutch Data Protection Authority (“AP”) will be the supervisory authority responsible for monitoring the application of the ePR. Under the Directive, the Dutch Authority for Consumers & Markets (“ACM”) is responsible. Combining the authority to monitor both the GDPR and the ePR means that enforcement of privacy laws is centralized. At the same time, fines under the ePR will be the same as under the GDPR: a maximum of EUR 20 million or 4% of the total worldwide annual turnover.

2019 or 2020?

It is unclear when the ePR will come into force. The most recent draft was published by the Council of the European Union in October 2018. Negotiations with the Parliament are likely to start after the European Parliament elections in May 2019. An optimistic estimate would be that the text will be finalized late 2019. After a one-year implementation term, it will then come into effect late 2020.

Conclusion

Based on the current draft of the ePR, it is clear that it can have a major impact on organizations involved with electronic communications with customers. It would benefit both organizations and individuals if the European legislator informed them about the timelines and content of the final draft. If the ePR comes into effect in 2020, this should leave plenty of time to assess if your organization is “ePR-compliant”, and (if necessary) to take steps to prepare for the ePR. We will of course keep you posted on major changes through our blogs.

More information

Do you want to know more on ePrivacy? Please contact Annika Sponselee or Nicole Vreeman via the contact details below.
