Europe progresses ePrivacy Regulation
On 10 February 2021 the European Council adopted a negotiating mandate for the proposed draft ePrivacy Regulation (ePR). This (somewhat unexpected) development means that the Council will now start trilogue discussions with the European Parliament and Commission which will likely result in the ePrivacy Regulation becoming law later this year, then coming into effect 24 months later (likely late 2023).
The ePrivacy rules complement and specify the general data rules set out in the General Data Protection Regulation (GDPR), and were originally planned to come into force contemporaneously with GDPR. Their delay has lead to ambiguity and uncertainty in areas including the rules for marketing consent, cookies and the handling of telecoms metadata.
The Commission’s 2017 proposal for a revised ePrivacy Regulation explained that as well as ensuring consistency with GDPR the Commission wanted to ensure that over-the-top (OTT) services were appropriately regulated within the same ePrivacy rules that apply to traditional telecoms. That objective has already been achieved by the entry into force of the European Electronic Communications Code (EECC) on 21 December 2020, which expanded the prior definition of ‘electronic communications services‘ to include ‘interpersonal communications service[s]’ – i.e. OTT services.
It is expected that the new ePR will address:
- confidentiality of electronic communications, including OTT services
- the rules and exemptions to consent for the processing of traffic and location data
- solutions for cookie consent – currently addressed by the rather inelegant ‘cookie banners’
What about the UK?
In contrast to Europe, there are no current proposals to update the UK’s equivalent ePrivacy rules.
The legacy EU rules remain in force in the UK by virtue of the:
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
- Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
The UK chose not to implement the EECC in full, and in particular did not extend the UK definition of ‘electronic communications services’ to include OTT services. This means that UK ePrivacy law has already diverged from EU law, and unless the UK chooses to implement a UK version of the ePR, UK law will diverge further from EU law when the ePR enters into force in 2023.