Further harmonisation of EU data protection laws: the proposed new e-Privacy Regulation

The European Union is set to replace Directive 2002/58/EC on Privacy and Electronic Communications, commonly known as the e-Privacy Directive or Cookie Directive, with a new e-Privacy Regulation. The change from a directive to a regulation parallels the shift from the Data Protection Directive to the General Data Protection Regulation. Unlike directives, which require EU member states to enact national legislation to implement them, the new regulations will have direct effect throughout the EU, without the need for any national legislation. Consumers and businesses will have the certainty of one single set of rules across the EU, with no variations between member states.

The proposed regulation has a wider scope and broader application to the e-communication environment. The current ePrivacy Directive only applies to traditional telecoms operators, but under the proposed regulation privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage and Viber, and extend to machine-to-machine communications and certain over-the-top services. The proposed regulation will also affect businesses engaged in online behavioural advertising and internal tracking services. The so called “cookie provision”, which resulted in an overload of consent requests for internet users, will be streamlined and new rules will allow users greater control, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. Like the GDPR, the proposed regulation will apply to all businesses providing services in the EU, irrespective of whether they are based within the EU, and allow for the imposition of an administrative fine of up to EUR 20 million or 4% of the business’s global turnover, whichever is the higher, in case of non-compliance.

The first draft of the proposed regulation was published at the beginning of 2017 and a revised draft was issued on 8 September and approved by the plenary session of the European Parliament on 26 October. However, the proposed regulation is still a long way from being final, with several controversial issues to be resolved by means of informal tripartite meetings attended by representatives of the European Parliament, the European Commission and the Council of the European Union before the Council gives its final approval.

It was initially intended that the e-Privacy Regulation would be in place by May 2018, at the same time as the GDPR. However, given the complexity of the outstanding issues, it is widely expected that the timetable will slip to the summer of 2019.

For further information on this matter please contact Frangeska Lampidoniti or your usual contact at Elias Neocleous & Co LLC.