The ePrivacy Regulation has been referred to as the EU General Data Protection Regulation’s “sister legislation.” But what kind of sister is it going to be? Will the ePR have an acrimonious love-hate relationship with the GDPR? Or, will it be loyal to the GDPR, satisfied with a pragmatic power-sharing arrangement? Or perhaps, leaving the GDPR behind, will ePR sit out on a revolutionary and bold pursuit of its own goals?
In short: Will the ePrivacy Regulation be a Cersei, Sansa or Daenerys?
Where ePR and GDPR overlap and diverge
In legal terms, specifically, as lex specialis to the GDPR, the purpose of the ePrivacy Regulation is to “particularise” and “complement” the GDPR. As one firm explains, ePR “provides the specific obligations that flesh out the more general provisions of the GDPR.” As another describes it, the ePR is “a complex piece of legislation broadening the scope of another complex piece of legislation.” The GDPR’s Article 95 and Recital 173 also provide some clarity about its relationship with ePR, stating that the GDPR “shall not impose additional obligations” on “natural or legal persons” regarding processing “for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.” Thus, in cases when both laws apply to the same set of processing operations, ePrivacy may provide a more specific rule, which the European Data Protection Board has confirmed will take precedence in accordance with the principle of lex specialis derogate legi generali.
There are several areas where ePrivacy and the GDPR also bear a strong resemblance to one another. For example, Article 4(1)(a) of the ePrivacy proposal explicitly adopts the definitions of the GDPR, including central concepts such as “consent.” Moreover, with regards to the restrictions member states are allowed to implement, the GDPR (Article 23) and the ePrivacy proposal (Article 11) impose nearly identical standards. Similarly, while the GDPR has a broadly defined material and territorial scope, the scope of ePR is also expected to widen. In addition, the ePR carries with it the same upper limit to sanctions for infringement as the GDPR: 4% of global revenue.
One key difference, however, is that, while GDPR only applies to the processing of personal data, ePrivacy regulates electronic communication even if it concerns non-personal data.
Recent changes to the ePR
The initial plans for the ePR were for it to be adopted and ready for implementation simultaneously with the GDPR May 25, 2018. One year on, however, an agreement has still not been reached on the final text.
One reason for the delay is the lack of agreement among member states under various European Council presidencies on key provisions of the legislation. The European Commission adopted the ePrivacy proposal in early January 2017, and the Civil Liberties, Justice and Home Affairs Committee in the European Parliament adopted its report in late October of that year. The council’s examination of the proposal, which has been conducted by the Working Party on Telecommunications and Information Society has been the most time-consuming step in the process, lasting more than a year and a half under the Maltese, Estonian, Bulgarian, Austrian and Romanian presidencies. While diverging views among delegations have led to significant clarifications being added to the text of the proposal, resolving these divergences have also stalled ePR’s progress.
The Romanian presidency’s progress report released May 21 on the current “state of play” in the council, for example, notes that clarifications have been made to several recitals given concerns among delegations about the way the ePR will interact with new technologies, such as internet-of-things devices and artificial intelligence. In particular, in the revised compromise proposal released by the council in February 2019, amendments were made to Recital 21 to exempt IoT devices, such as connected thermostats, from the consent requirements since the types of storage and access involved with them are “necessary and proportionate for the purpose of providing a specific service … requested by the end-user.”
According to the progress report, issues regarding “prevention/detection/reporting of child abuse imagery” have also been subject to disagreement among delegations about how and whether they should be addressed by the ePR. While some member states suggest that these issues be addressed by adding a provision to Article 6 on permitted processing of electronic communications data, others argue that the issue would be best dealt with by a separate legal act vis-a-vis Article 11 on restrictions.
Specifically, Article 11 of the ePR allows member states to limit the scope of obligations and rights outlined in Article 5–8 on the confidentiality of electronic communications data (Article 5), permitted processing of electronic communications data (Article 6), storage and erasure of electronic communications data (Article 7), and protection of end-users’ terminal equipment information (Article 8). As with restrictions imposed by member states on the GDPR’s Articles 12–22, 34, and 5, a restriction imposed by a member state on the ePR’s Articles 5–8 would be permitted only insofar as it “respects the essence of the fundamental rights and freedoms and is a necessary, appropriate and proportionate measure in a democratic society to safeguard one or more of the general public interests referred to in Article 23(1) (c) to (e), (i) and (j) of regulation (EU) 2016/679.”
Specifically, these include public security, the “prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties,” as well as “other important objectives of general public interest of the Union or of a Member State,” such as “monetary, budgetary and taxation matters, public health and social security.”
When will the ePR come into force?
As for now, it does not seem like the council has completely finished its work in amending the text of the ePR. Despite broad approval for the presidency’s compromise text for Article 11 and the accompanying Recital 26, some delegations still “would like to see further changes in the text.” The WP TELE has planned a meeting for June 7, 2019, the agenda of which includes discussion of the latest ePR progress report. Negotiations on the ePrivacy Regulation between the council and Parliament are expected to start after the elections, although it is unlikely to enter into force much earlier than 2021.
For now, it is important for privacy professionals to remember that we are living in a world where the GDPR and the ePrivacy Directive are in effect. Although it is prudent for privacy pros to anticipate the changes the ePR will bring, it is still worth looking closely at the current regime of GDPR/ePrivacy Directive. Further guidance from the EDPB and other regulatory authorities will be important to watch out for until negotiations around the ePrivacy proposal near their end.
Let’s just hope the final version of ePrivacy does not disappoint those of us who have been patiently waiting for its reign to come.
Photo by Mario Caruso on Unsplash