Nearly two years after the first draft was published, the EU’s proposed ePrivacy Regulation is still a long way off. Here, we look at the reasons for the delay, likely next steps, and how Brexit might affect the ePrivacy regime for UK businesses.
The EU Commission published its proposal for a new ePrivacy Regulation back in January 2017, seeking to replace the current Directive, which dates back to 2002. These rules deal with matters such as the confidentiality of electronic communications (eg emails and instant messages), use of cookies and other tracking technologies, as well as email marketing. As such, they overlap with and supplement data protection law. The Commission wants to update the rules to reflect the radically evolved technological landscape, and to align them more closely with the GDPR. This includes introducing GDPR-style fines for non-compliance.
What’s causing the delays?
The Commission had hoped to bring the new Regulation into effect at the same time as the GDPR in May this year. But the proposal has been hugely controversial, both within the EU’s various institutions and across a range of industry sectors. The divisions in approach have contributed to significant delays.
The most contentious provisions have been in relation to when providers of voice, email, video and other messaging services will be permitted to use the content and metadata of communications on their services. The EU Parliament has taken a relatively restrictive approach. It argues that, as the Regulation seeks to protect the right of confidentiality of communications (as opposed to individuals’ personal data, which is protected by the GDPR), and as communications data can be highly sensitive, that data should be processed only if the user has given their consent, or if it’s strictly necessary for certain purposes.
This approach is starkly different to that of industry and a number of Member States, which initially sought to truly align this provision with the GDPR and include ‘legitimate interests’ as a ground for processing communications data. While the inclusion of ‘legitimate interests’ has proven untenable politically, the 28 EU Member States (ie the Council) have spent a lot of time deliberating over potential additional processing grounds. The Council’s latest draft, which was discussed by the Member States at a working level on 26 October 2018, seeks to widen the scope to include grounds like ‘compatible further processing’.
The rules governing the placing of cookies and other tracking technologies are also being strongly contested. The outcome of the negotiations will have major implications for sectors like technology, digital advertising and publishing, and may ultimately impact on the business models of many organisations.
What’s next?
With the Parliament having adopted its position in October 2017, all eyes have been focused on the Council. The Council must also adopt a common position before the ‘trilogue’ negotiations, where the Commission, Parliament and Council will agree the final text.
The Commission and the Parliament are pushing strongly on the Council to adopt its position before the end of this year, but there are very few Member States that are keen to do so. With the Parliament elections in May 2019 (meaning that there will be a reshuffle in both the Parliament and the Commission), the two institutions are under pressure to get this proposal adopted as soon as possible. The Council, on the other hand, will continue operating as usual during this period and can spend time further refining its position (and possibly wait for new, more flexible, MEPs to take over the file next year).
In an attempt to stick to the Commission and Parliament’s timeline, Austria (currently leading the Council’s six month rotating Presidency and responsible for driving the legislative agenda) recently decided to bring discussions on ePrivacy out of the technical level (attachés) and call for guidance from the political level (ambassadors and/or EU28 Ministers). This decision was met by strong opposition by a number of Member States and Austria has since re-evaluated its ambition, opting to present a ‘progress report’ instead of a new compromise draft at the meeting of the EU28 Telecommunications Ministers on 4 December.
This progress report will, it is believed, ask Ministers to consider whether “the most recent work undertaken in Council has moved the text in a good direction in terms of achieving a high level of data and privacy protection and at the same time facilitating legitimate business opportunities in the digital era? In this respect, what are the main outstanding issues that still have to be addressed before entering into negotiations with the European Parliament?” Unless clear guidance is received from the political level on 4 December, it is very unlikely that a Council position will be reached before the end of the year.
Even if the Council does indeed adopt its position by the end of 2018, a final agreement between the three institutions before the Parliament elections is not guaranteed, as ‘trilogue’ negotiations may end up getting stuck due to the considerable differences between the three positions.
How will Brexit impact the position in the UK?
Any eventual ePrivacy reforms may still directly become part of UK law. But whether they do currently depends on the timing of the ePrivacy negotiations, and on the ratification of the EU-UK Withdrawal Agreement.
Assuming the Withdrawal Agreement is ratified…
The Withdrawal Agreement currently sets out a 21-month Brexit transition period is proposed (running from 29 March 2019 to 31 December 2020), with the option of extending if sufficient progress is not made on the future EU-UK relationship by 1 July 2020. Under the UK government’s current published plans, new EU regulations will continue to automatically become part of UK law during that transition period. If the ePrivacy Regulation is finalised before the EU Parliament elections in May 2019, it will likely form part of UK law post-Brexit. This is because it will probably first apply in the EU shortly before the 31 December 2020 cut-off, following its own implementation period of around 12-18 months from agreement of the text.
If the ePrivacy negotiations spill into 2020, however, the ePrivacy Regulation may well miss that cut-off date (unless the transition period has been extended). If the UK takes no other action, the UK would instead retain its current rules, the Privacy and Electronic Communications Regulations (PECR), based on the current EU Directive.
On a no deal Brexit…
If the Withdrawal Agreement is not ratified by Brexit day, then under the EU Withdrawal Act in its current form, the ePrivacy reforms would probably come too late to form part of UK law post-Brexit, even if agreed fairly quickly. If the UK takes no other action, the UK would instead retain its current rules, the PECR.
Deal or no deal, ePrivacy will affect the UK
However, in any scenario, the reforms will still affect the UK post-Brexit, for two main reasons.
Firstly, the proposed ePrivacy Regulation has extraterritorial effect, applying to the provision and use of electronic communications services to end users in the EU, regardless of where the business providing those services is located.
Secondly, the EU reforms will shape future UK regulation in this area, as the UK will likely seek to align itself with the ultimate EU position as part of its attempt to obtain ‘adequacy’ status, to ensure the free flow of personal data from the EU to the UK under the GDPR. UK businesses should continue to watch this space.