It’s hard to think of something going on longer than Brexit, but the ePrivacy rules might just be it.
What is the ePrivacy regulation?
The existing 2002 ePrivacy regulation covers electronic communications. This means email marketing, cookies on websites, and privacy in electronic communications. The existing one was meant to be updated and implemented with GDPR in May 2018, but… it hasn’t happened.
The goal of a new ePrivacy regulation is to develop a regulatory framework for machine-to-machine communications and the internet of things.
What’s the latest?
The different parts of the EU haven’t been able to reach an agreement about what the new ePrivacy regulation should do. The current Finnish Presidency of the EU has tried 10 times to broker a deal to advance the new rules, but it failed to get out of committee.
Croatia will take over the rotating presidency of the EU in 2020 and it will be back to the drawing board to try again.
What’s it meant to do?
Despite the lack of progress, there are a few general areas the new ePrivacy regulation seeks to address.
- The Internet of Things (IoT) devices and their territorial application
- The processing of electronic communications data including content and metadata and the requirements for consent
- Rules around obtaining end-users’ consent to cookies requiring browser providers to provide built-in privacy settings (and so remove cookie banners from websites)
- Extending direct marketing rules to instant messaging and in-app notification, therefore requiring opt-in consent
- Bring in GDPR-style fines of €20 million or 4% of annual turnover for breaches
- Ensure consistency with GDPR and ensure consistent regulation and enforcement at an EU level
What are the main sticking points?
There are some inconsistencies between the existing ePrivacy regulation and GDPR, particularly when it comes to cookies on websites and there’s no general agreement on how that should be dealt with. Plus, certain sectors such as AdTech, AI, and autonomous vehicles lack a strong set of specific regulations, thereby relying on the ambiguous rules which can differ widely across EU member states. Those industries have been strongly lobbying the EU to ensure any new rules are favourable to them.
Back to the negotiating table. The EU legislative machinery requires many different parts to agree to new rules.
Since ePrivacy is a regulation, similar to GDPR, it doesn’t require national legislation to give it effect. Once the EU agrees, a date will be set for the new regulation to become law throughout the EU.