Only a few minutes into his session at the IAPP Privacy. Security. Risk. conference in Austin, Texas, WilmerHale Cybersecurity and Privacy Practice Group Co-Chair Reed Freeman, CIPP/US, did not mince words on the current status of the ePrivacy Regulation.
"The ePrivacy Regulation is a giant mess, it’s a bigger mess than the [California Consumer Privacy Act of 2018]," he said. "There is so much uncertainty about whether it is needed, what is required and what is the process for all of this. Nevertheless it is out there, and it might happen."
At the heart of the ePrivacy Regulation's issues is the matter of consent, but before Freeman broke down that problem, he offered attendees of his breakout session a recap of a trio of texts from European Union bodies.
The European Union published their draft on ePrivacy Jan. 10, 2017. The European Parliament followed up with their report Oct. 20, 2017 The final piece of note was the Austrian presidency's draft of the regulation, which came out Sept. 20, 2018.
These are three reports that eventually need to become one, but consent has become one of the biggest questions surrounding where the ePrivacy Regulation winds up.
Freeman explained the Commission and Parliament believe consent is the only lawful way to process personal communications, largely leaving out legitimate interest. The Council's report breaks away from the other two EU bodies, as it comes closest to including legitimate interest.
Freeman has read plenty of text and heard plenty of speeches on the ePrivacy Regulations, and no professional yet has been able to understand why the European Commission in particular wants to place electronic communications under a stricter set of rules than other personal information, or for that data to be regulated under a different set of standards from everything else in the EU General Data Protection Regulation.
Should the Commission and Parliament get their way, and consent becomes the only way to process electronic communications data, Freeman believes a lot of companies will be in a tough spot.
"Advertisers who have access to the data can get consent because they can get access to data from publishers," Freeman said. "First party ad tech companies can get consent because they have a direct relationship with consumer. The problem, as with CCPA, is that it leaves the third-party ecosystem in precarious situation, where consent is the only way to process electronic communication," said Freeman. "I just don’t know how third party ad tech companies will get that consent."
A consent-centric model to data processing is one Freeman notes would violate the European Commission's message on competition. Hundreds of third parties, he argued, would not be able to do business should Parliament and the Commission get their way.
Freeman notes, however, that not all hope is lost. The sense Freeman gets from the Council is that the body is in no rush to finalize their report and make the ePrivacy Regulation a reality. Of course, that would lead to another set of questions altogether, such as whether the GDPR should be amended in the absence of the legislation. Should the Parliament and Commission want to make ePrivacy happen, Freeman believes the Council may have some leverage to get them to move off of their stance on consent.
Just don't expect any of this to happen any time soon.
"It will be a while before we see a final ePrivacy Regulation," said Freeman. "When I proposed to speak on this topic, I had supposed that by now we would be in trilogue negotiations and there would be some clarity. The message today is there is no clarity."