Greetings from Brussels!

Just back from Dublin, where I was speaking at the Sunday Business Post’s GDPR conference at Croke Park. A sellout event, there was a good deal of discussion around GDPR implementation but also a growing voice on the ePrivacy Regulation, which is coming on the heels of the GDPR. Consternation for some, folks are now concerned that while they prepare for GDPR, they are faced with assessing the dual impact of the ePrivacy Regulation where applicable. There are some in privacy circles who think ePrivacy will present even more compliance difficulty than the GDPR and could be more disruptive to business models and plans. Be aware, it would be easy to think that the GDPR is the only game in town — not so.

The IAPP publications team has been told that there may well be a draft put before the European Parliament’s LIBE committee in the last week of October. Additionally, it is rumored that the trilogue process will only commence somewhere in the autumn of 2018, so if we extrapolate the timeline, we may see a final draft voted by Parliament as of spring of 2019. Although this is likely to be a best-case scenario, the road to adoption may well be a long one, possibly several years. 

This week, in an effort to move forward with the ePrivacy Regulation, the Council of the European Union has offered up its first revisions of the text via the Working Party on Telecommunications and Information Society meetings based on the written comments provided by national delegations to date. The relevant communication can be viewed here.

There is still some confusion over the ePrivacy Regulation, so it may be helpful to provide some background. This particular regulatory proposal will replace the ePrivacy (Cookie) Directive, the rule that currently regulates the data protection aspects of the electronic communications sector. The ePrivacy Directive complements the EU Data Protection Directive, which will be replaced by the GDPR come 25 May 2018. Like the GDPR, the proposal is a regulation. Unlike a directive that needs to be transposed into national laws, the regulation — once it goes into force — will apply directly in all EU member states (with some derogations likely) with the stated objective to improve the harmonization of electronic communication rules across the EU. As with its GDPR sibling, the ePrivacy proposal will apply to both EU and non-EU organizations providing services in the EU and, likewise, will be backed up with substantial enforcement powers as provisioned under the GDPR. In what concerns the rules of this proposal in relation to electronic communications issues, they would override and supersede the provisions as in the GDPR.

Much of the hue and cry over the new proposal is linked to what some see as an overreliance on consent and the regulation's broad scope, which some say will undermine the GDPR, as well as legitimate, necessary and beneficial processing of data and business practices. Essentially, the new rules would require devices and browsers to let users make a single decision about how their data is used, applying to all websites and apps. IAB Europe, which speaks on behalf of the digital advertising ecosystem, said that such an approach would not distinguish between different types of sites that use data in different ways and is likely to result in the majority of users declining to consent to their data being used.

New analysis from the independent financial research company IHS Markit shows digital advertising contributing 526 billion euros to the EU’s annual GDP, both directly and through the growth it enables for EU businesses. However, it is being suggested that up to half of the digital advertising market could disappear if proposed restrictions on the use of data in advertising come into force. The analysis also suggests that 6 million jobs could be threatened.

The ePrivacy debate continues to gather more momentum, and it is certainly worth keeping a close eye on as it develops. It is likely to have at least equal impact as the GDPR on all companies doing business in the EU.