The new EU ePrivacy Regulation: what you need to know

Everything you need to know about the upcoming EU ePrivacy Regulation on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, with updates as they occur.

While quite some organizations are investing in personal data protection and privacy measures to – more or less – attain GDPR compliance and others are still in the stage of GDPR awareness, trying to get their heads around their duties as data controllers (and processors) or figuring out how to guarantee the exercise of data subject rights under the GDPR, another EU Regulation requires your attention: the new EU ePrivacy Regulation.

The enforcement of the confidentiality rules in the Regulation will be the responsibility of national data protection authorities.

On this page, which continues to be updated until – and probably after – the final ePrivacy Regulation is published in the Official Journal of the European Union and, next, applies (which is not the same as being published and, in case of a grace period, not the same as enterered into force), you find everything you need to know on the state, essence and evolutions of the EU ePrivacy Regulation.

The new ePrivacy Regulation, which in January 2017 was published as a proposal text, aims to be an update of the EU’s existing ePrivacy legal framework, more specifically the EU ePrivacy Directive which goes back to 2002 and was revised in 2009, requiring prior consent regarding cookies.

Since then the Directive on Privacy and Electronic Communications (Directive 2002/58/EC and the 2009 update, Directive 2009/136) often was called the cookie law by the marketers and Internet professionals among us (and is the reason why you see cookie consent popups on many websites, including ours) since it became national law in EU countries with a gradual implementation, national differences and, let’s say relatively inconsistent enforcement across these countries. Indeed, just as was the case with the pre-decessor of the GDPR or General Data Protetion Regulation.

EU ePrivacy Regulation - new electronic communication rules 2018 - impact and changes

Attention though: the ePrivacy Directive and Regulation isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: again personal data protection.

Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the IoT (Internet  of Things), among many many others. A look at the text, the impact, the challenges and the evolutions.

EU ePrivacy: from a Directive to a Regulation

Why is this coming new ePrivacy Regulation important, why is it needed and how is it different?

First of all note the difference in the terms: whereas now we have an ePrivacy Directive, the newcomer is called an ePrivacy Regulation. This means that the new ePrivacy Regulation is self-executing and becomes legally binding across the EU, whereas its predecessor, the ePrivacy Directive, required local regulations for implementation with the mentioned inconsistent enforcement as one consequence. Again, just like the GDPR.

Consent for non-privacy intrusive cookies which improve the Internet experience of the user soon is not needed anymore

Secondly, the current ePrivacy Directive came as a complement of the EU’s Data Protection Directive. It’s exactly this Data Protection Directive that is being replaced by the General Data Protection Regulation or GDPR. As a consequence but also to ‘improve’ the current so-called ‘cookie law’ and, among others, include new forms of electronic communications (IoT and more), the new ePrivacy Regulation complements the GDPR and in pretty much the same way strives towards uniformity across the single digital market as a Regulation instead of a Directive.

As a matter of fact there are more touchpoints between the GDPR and the ePrivacy Regulation:

  1. The ePrivacy Regulation is lex specialis to the GDPR. That’s a legal principle, in full ‘principe lex specialis derogat legi generali’, which essentially means that the lex specialis, in this case the ePrivacy Regulation, overrides the lex generalis, in this case the GDPR (personal data protection in general), with the ePrivacy Regulation covering the mentioned specific areas.
  2. Both the GDPR and the ePrivacy Regulation are part of the reform of the EU data protection framework, which also includes a new set of rules governing the free flow of NON-personal data in the EU, which the European Commission proposed in September 2017.

New stipulations and consequences of the coming ePrivacy Regulation

Is that all? No. The new ePrivacy Regulation of the EU also goes several steps further than the current laws which exist as a result of the current Directive.

Taking into account that 1) the amended proposed text has been approved in the plenary of the EU Parliament end October 2017 as part of the so-called Lauristin report and 2) that there are different opinions in several areas between this EU Parliament draft ‘as it is approved’ and the version of the EU Council (representing member states), we don’t know the date when the ePrivacy Regulation will be published nor applied but don’t expect it to happen before 2019, even if the original intent was to have the GDPR and EU ePrivacy Regulation apply at the same time (check further updates at the bottom of this page).

Below are some key new stipulations and consequences regarding the use of cookies and other impacts on the Internet and electronic communications services and providers as mentioned in the proposal text and in the amended text as it was approved by the LIBE Committee on October 19th, 2017 and, next by the EU Parliament in plenary session.

The EU ePrivacy Regulation and cookies

Although the ePrivacy Directive has become known as the cookie law to some, as said it’s about more than just cookies.

But cookies and cookie consent are among the most visible aspects and there is also quite a bit that is poised to change in this regard.

According to the draft text of the new ePrivacy Regulation under certain conditions cookies consent is not needed anymoreThe ePrivacy Regulation AIMS to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly’ way. As such that is great news. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore. Hurray, that is indeed more user-friendly and less of a hassle for website owners (for us it’s another plug-in that can go).

Easier cookie rules: yes and no

HOWEVER, the current proposal says that browser settings will enable website visitors to accept – or refuse – cookies, as well as other ‘identifiers’. In case the GDPR and term ‘identifiers’ is a mystery, read more about personal data and identifiers.

Using browser settings for cookie consent/refusal de facto means that you’ll see more and more websites that show pop-ups saying “sorry, no visit if no cookies” as we already see with adblockers. So, it seems that one pop-up is indeed being replaced by another one, on a site level (unless the site doesn’t care about cookies which is not really the case for publishers nowadays). This is one of the most heard concerns from delegations and food for discussions as you can read below: the fact that the suggested cookie method will simply miss its goal. However, the lawmakers have explicitly tackled this issue with decisions that are probably the most debated in the online media industry.

For some cookies there is good news. In the proposal it is also foreseen that consent is not needed for “non-privacy intrusive cookies” which improve the Internet experience of the user.

Examples include e-commerce cookies, remembering shopping cart histories and cookies for Google Analytics and the many others. It’s not very likely that cookies for online advertising will be interpreted as improving the Internet experience, although opinions will obviously differ.

Advertising and marketing cookies: not simple at all

Now, all is not said yet and of course work had been done to prepare the draft text, including discussions with various stakeholders, also in the advertising space.

In the 432-pages report made by Deloitte for the European Commission you can read the reasoning on the pros and cons of first-party and of course third-party cookies (“the backbone of digital advertising”). A link to it and all other sources below.

We don’t have to tell you that with all the marketing automation, audience measurement (on online media properties), connected databases of third-party cookies (for instance, enabling retargeting to name something still relatively simple), social network cookies, analytics cookies and so forth there is a whole lot of cookies going on. In the so-called ‘Cookie Sweep’ in 2014, it turned out that on average there were about 28.9 cookies on the analyzed media, public sector and e-commerce sites (in the EU), 70% being third-party cookies as the Deloitte report also mentions.

Infographic - the new EU ePrivacy Regulation - attention the infographic is based upon the draft text which will be adapted before it becomes a Regulation - source
Infographic – the new EU ePrivacy Regulation. Attention!!! The infographic is based upon the draft text which will be adapted before it becomes a Regulation – source (PDF opens)

While the sophisticated networks of cookies, as advertising and media bodies always say, make it possible for Internet users to get (increasingly partial) access to ‘free content’ (paid by the ads), and there is a case for ‘relevance’ of the ads in the context of the Internet user by better targeting, at the same time it’s also pretty well-known that for the average Internet user it’s far from clear how he/she is tracked across networks. We’ve rarely seen a website where those 28.9 cookies and trackers on average are mentioned nor read a cookie policy that’s understandable or makes it clear for an Internet user what really happens in the background with all those connected networks and sites and so forth when visiting a site or using some app.

Cookies beware: major fines

Even if we deduct the ones where consent won’t be needed anymore it’s still a lot and we don’t think this debate is over. It is – to say the least – complex and changes quite some things.

While the Commission finally acknowledged the important role of advertising for funding free content online, it does so at the same time as presenting a law that as a practical matter would undeniably damage the advertising business model – without achieving any real benefits for users from a privacy and data protection point of view (IAB Europe CEO Townsend Feehan expressing the IAB’s dismay about the ePrivacy Regulation proposal text)

Moreover, the stakes are high: did we mention that the same rules as in the GDPR fines apply? Indeed, you read that right. High fines and little margin for error in a heck of a difficult context.

It probably won’t come as a surprise that the IAB (Interactive Advertising Bureau) Europe rapidly responded as soon as the draft text was leaked, stating that it was “dismayed by the European Commission’s proposal for a new ePrivacy Regulation, the next iteration of the infamous cookie law”. Yet, so did other delegations.

From the draft text: “Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software enabling the retrieval and presentation of information on the internet should have an obligation to configure the software so that it offers the option to prevent third parties from storing information on the terminal equipment; this is often presented as ‘reject third party cookies’. End-users should be offered a set of privacy setting options, ranging from higher (for example, ‘never accept cookies’) to lower (for example, ‘always accept cookies’) and intermediate (for example, ‘reject third party cookies’ or ‘only accept first party cookies’). Such privacy settings should be presented in a an easily visible and intelligible manner”.

The ePrivacy Regulation and the Internet of Things

From cookies we jump to something entirely different: the Internet of Things (IoT). By now we suppose people know what it is (and it’s not an it or thing but that’s another topic).

The principle of confidentiality should apply to current and future means of communication

Before we start: do note that the Internet of Things is also tackled in the GDPR where, for instance, RFID tags, fall under the category of so-called online identifiers.

In a European context we can say that the IoT is part of the backbone of Industry 4.0 and, not unimportant, in the coming years (until 2020) growth in the consumer segment of the Internet of Things is expected to be high in Western-Europe. As a matter of fact, by 2020 consumer IoT spend will jump to the third spot of IoT spend globally (until then, the market is led by respectively IoT spend in manufacturing or Industry 4.0, IoT spend in transportation and IoT spend in utilities, three segments of the Industrial Internet of Things).

Benefits for citizens and business of the new EU ePrivacy Regulation according to the European Commission factsheet infographic - source
Benefits for citizens and business of the new EU ePrivacy Regulation according to the European Commission factsheet infographic – source (PDF opens)

However, in Western-Europe, consumer IoT already will rank second from an IoT spending perspective in 2020.

So, it’s probably noteworthy that in the proposal text of the ePrivacy Regulation, the Internet of Things is specifically mentioned and that “the principle of confidentiality which is enshrined in the Regulation should also apply to the transmission of machine-to-machine communications”. The text also calls for specific safeguards under sectorial legislation.

In the introduction, mentioning that principle of confidentiality the IoT is not specifically included but beware: it is mentioned further (and you can see it as part of ‘the current and future means on communication”).

From the introduction text: “Confidentiality of electronic communications ensures that information exchanged between parties and the external elements of such communication, including when the information has been sent, from where, to whom, is not to be revealed to anyone other than to the parties involved in a communication. The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, e-mail, internet phone calls and personal messaging provided through social media”.

The rules regarding to machine-to-machine communications are another concern of delegations and are and will be discussed.

IoT regulation: GDPR, ePrivacy and more

The ePrivacy Regulation and Over-the-Top communication services

Have you ever heard about Over-the-Top communication services or OTTs? In all honesty: we hadn’t.

Privacy rules will now also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber (PR EU)

Just as the Internet of Things is included, these new ways of communication are also subject to the ePrivacy Regulation. OK, but what are they? When we say Skype, Facebook Messenger and WhatsApp it’s probably clear enough.

So, in the new Regulation, the privacy and confidentiality and data protection rules of any company offering electronic communications services will apply to them as well: Voice over IP, instant messaging and anything else really.

Here as well, delegations asked the the Council’s Working Party on Telecommunications and Information Society to review the text.

The ePrivacy Regulation, direct marketing and email marketing

Like its predecessor, the ePrivacy Directive, the upcoming Regulation foresees various rules on spam and unsolicited electronic communications by other means such as SMS.

92% of Europeans say it is important that their emails and online messages remain confidential. However, the current ePrivacy Directive only applies to traditional telecoms operators (EU PR)

While spam and unsolicited electronic communications obviously aren’t marketing, we mention it under that umbrella as we know a few publishers and others that will be in for some serious surprises as they seem to keep sending “marketing” messages, even if you unsubscribed a gazillion times. Identifying other spammers is obviously another ball game.

Direct marketing also means calls and here there is something we really really like: marketing callers will need to show their phone numbers or use a prefix which indicates the call is a marketing call.

Nowadays those numbers are virtually always hidden. As a result we stopped picking them up but now and then a customer uses them as well. So, when we do pick them up and for the 694th time need to say we don’t want a subscription to a magazine that’s pretty uncool.

When OneTrust announced its new OneTrust consent management platform in March 2018, the company stated that driven by the proposed text of a new ePrivacy Regulation, which would make consent the sole legal basis for processing in most marketing scenarios, paired with public statements made by various European regulators encouraging consent, many organisations are moving towards implementing a consent-based GDPR compliance strategy for marketing activities.

The impact of the correlation with the GDPR

We touched upon it previously but can’t emphasize it enough: the new ePrivacy Regulation is one single set of rules concerning all EU citizens and companies but it also ‘inherits’ several principles and stipulations from the GDPR.

The ePrivacy Regulation is lex specialis with regard to GDPR: it covers specific processing of personal data in the field of electronic communications and prevails on GDPR in case of conflict (Johan Vandendriessche, see SlideShare)

Undoubtedly one that will make many people concerned (from website owners to instant messaging developers, advertisers and – hopefully – spammers) are the fines.

Two different ‘sets’ of fines exist in the proposal’s text:

  • “Infringements of the principle of confidentiality of communications, permitted processing of electronic communications data and time limits for erasure”: the up to 20 Million Euros or, in the case of an undertaking, up to 4 percent of worldwide annual turnover, whichever is the highest, as we know it from the GDPR.
  • “Infringements regarding obligations of legal or natural persons who process electronic communications data, the obligations of providers of publicly available directories and/or the obligations of legal/natural persons who use electronic communications services: up to 10 Million Euros or, in the case of an undertaking, up to 2 percent of worldwide annual turnover, whichever is the highest.

The further details regarding these obligations can be found in the articles 5, 6 and 7, and paragraph 1 of the text for the first set of infringements and in articles 8, 10, 15 and 16 for the second set of infringements.

(Tele)communications content and metadata

As the summary of the Regulation draft text states, privacy is guaranteed for communications content itself and for the metadata of the content.

The metadata needs to be anonymized or deleted in case there is no consent with one exception; when it’s needed for billing.

Finally the summary also states that telecommunication firms can develop new services by leveraging content and/or metadata (but see the previous statement on anonymization) when consent is given for processing. This enables them and organizations to develop new services in a Big Data scope.

Examples of this already exist in the EU, whereby whomever is interested can gain insights in data from telecommunications providers and leverage them, for instance to detect patterns and heat maps showing the location of (mobile) users.

When will the new EU ePrivacy Regulation come into action?

Originally, the ambitious intention was to let the new ePrivacy Regulation apply on May 25th, 2018 (the same date as the GDPR).

“With regard to confidentiality of electronic communications data some delegations are concerned about differences between the new provision and the current Directive, and some consider the provision too broad and general” (Interinstitutional File, 19 May 2017, see below)

That timeline wasn’t just ambitious but also turned out to be impossible, given the fact that the draft text was published so late (January 10th, 2017), the many comments and criticism from delegations since it was published (with tremendous lobbying) and the fact that after the final vote in plenary session end October 2017 on the Lauristin report, including the amended text, in the European Parliament, it is clear that there are still things to be discussed before an agreement between the Council and Parliament is reached.

The Council of the European Union responded a first time to comments on May 19 with a so-called interinstitutional file (2017/0003, PDF opens) which states that the delegations which took part in the discussion in the Council’s Working Party on Telecommunications and Information Society consider the date unrealistic.

More work was needed with several concerns to tackle and the goal was to finalize the first examination of the proposal by the end of the Maltese Presidency in June 2017. This in turn should be a ‘solid base for future progress’. As you can read in a January 2018 update below in the Council has published an overview of its work done so far in December 2017 and, again, there is still work to be done.

In other words: the EU ePrivacy Regulation text will not be published, enter into force or be applied on the same day as the GDPR.

In the meantime obviously the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) remains in place, which is a matter of national legislation.

It remains key to include online data and identifiers such as cookies and many others in your GDPR strategy as, regardless of where and how the text will be adapted according to discussions as a result of concerns raised by delegations (the extension to OTT companies, the machine-to-machine communications stipulations, the lack of clarity in some areas, the mentioned possibility that the suggested solution for cookies will not achieve what it aims to, the overlap with other regulations and legislation and so forth), the scope remains.

Moreover, some delegations point to the legal grounds which are available in the GDPR to tackle several of the EU Privacy Regulation’s original text, among others including the permitted processing.

October 19, 2017: LIBE Committee votes in favor of amended ePrivacy Regulation texts

On October 19th, 2017, the European Parliament Committee on on Civil Liberties, Justice and Home Affairs, a.k.a. LIBE Committee, has voted on a report, the Lauristin report, which includes amendments to the ePrivacy Regulation draft.

A victory for advocates of strict privacy and data protection rules

Despite tremendous lobbying and the far-reaching consequences of the amended ePrivacy Regulation draft texts, the law makers in the European Parliament who went for a strong and clear vote ‘no’ to the lobbying groups won the vote. In other words: a victory for the advocates of strict privacy and data protection rules and a major blowback for the several lobby groups

Now that the amendments and report with MEP Marju Lauristin as rapporteur (hence also the Lauristin report) has been approved by the LIBE Committee the next step is a vote in the plenary session of the EU Parliament end October. The ePrivacy Regulation is not a fact yet but as it stands now, the lobbying will certainly increase as the vote isn’t good news for the several industries that have been demanding for changes on many levels.

These lobby groups include the marketing, advertising and media industry but also other groups that have come to understand that “the vote on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC” as the EU calls it on its ePrivacy update page isn’t just a vote about cookies and electronic communications as we have known  it so far but that, as previously mentioned also a range of new ‘channels’ and technologies, including IoT and the likes of WhatsApp and Skype are included.

Just as was and still is the case with the GDPR (where preparations of companies to become as GDPR compliant lag behind and are often not approached from the overall risk and personal data protection perspective), it is amazing how it took so long before the extent of the new “Regulation on Privacy and Electronic Communications” became clear. That wasn’t the case for the advertising and media industries or the telecommunications industry given the fact that they already knew the current relation with cookies but it certainly is with, among others, the inclusion of IoT, a topic we write about very often but whereby we see very little reference to the IoT and the ePrivacy Regulation, let alone GDPR.

A blow to European publishing, media and advertising industries 

Anyway, the vote has been a clear victory for the advocates of strict and clear privacy and data protection rules and a major hit for the several lobby groups, including those from the mentioned industries.

Only little over a week before the vote eight associations, representing parties from the European publishing, media and advertising industries sent an open letter to the MEPS in a warning that specific amendments to the ePrivacy Regulation text, which as the vote has shown are supported by several MEPS, are a threat to the advertising and media business models.

More specifically they asked that the ePrivacy Regulation would support the right of online services which essentially means that publishers have the right to restrict full access to their services to those online users who have not consented to the data processing which is deemed necessary to monetize a service through data-driven advertising, without forcing publishers to adopt an alternative payments-based business model without data-driven advertising as the IAB Europe puts it.

October 26, 2017: EP votes in favor of amended version and Lauristin report in plenary despite criticism of lobby groups and political differences

After the vote of the LIBE Committee, a.k.a. the Justice Committee of the European Parliament (EP), members of the EP voted in favor of the so-called Lauristin report in plenary session.

The vote is in fact on the decision to enter the negotiations, one of the final stages in the EU policy-making process with the Parliament, Commission and Council (representing member states). This means that the report drafted by MEP and rapporteur Marju Lauristin as it is in the SlideShare above also has been said yes to by the majority of MEPs in the EP’s plenary which, as said was the next step to get to the next step. Of the 618 voting MEPs, 318 voted for, 280 against and there were 20 abstentions.

It’s the second blow in a row for whomever wanted changes in the ePrivacy Regulation and a second victory for pro-privacy advocates in a row. With the Parliament having given the green light for the negotiations with the Commission and Council it’s up to the next steps.

ePrivacy Regulation updates January 2018

While the GDPR becomes applicable on the date everyone knows we can’t emphasize enough that this will not be the case for the ePrivacy Regulation as we read now and then.

The so-called Lauristin report which the European Parliament adopted end October 2017 in plenary session as mentioned consists of the “draft European Parliament legislative resolution on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC “ (which is the ePrivacy Regulation or Regulation on Privacy and Electronic Communications), a brief explanatory statement, a list of ‘entities’ having given input to rapporteur Lauristin, opinions and more.

The consolidated version of the European Council and further ePrivacy Regulation topics to analyze 

Early December 2017, as part of the next steps in which the European Council plays a role, that European Council published “Interinstitutional File 2017/0003 (COD)”.

This is essentially a consolidation as the Council works towards its final position. As the document (PDF opens) puts it: “In order to facilitate future work on this file, the Presidency has put together a full text of the proposal, consolidating the work done in the second half of 2017”.

The document also states that further analysis is necessary with regards to articles 6, 7 and 8 and processing grounds, as they are in the above embedded Lauristin report (European Parliament) and are in the draft ePrivacy Regulation text as consolidated in the December 2017 document of the European Council. So, further analysis.

Next steps and WHEN the ePrivacy Regulation might be applied (which is not the same as entering into force)

Then it’s up to the European Council to come up with the final version of the “Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC”, so the final proposal and the position of the Council in the trilogue process with the Commission and Council involved.

This will not happen before the date the GDPR enters into force. Moreover, once that final  proposal is done it still can require further discussions between the European Commission, European Council and European Parliament if there are disagreements on the amendments (in the Lauristin report) which were adopted by the European Parliament, along with this Lauristin report (since they are part of it) in October 2017.

A bit of context on the whole process perhaps: in the trilogue process with the Parliament, Council and Commission we’re in, once the European Council has finalized its position, the Council and European Parliament can agree at a first reading (there are, however, still differences and as we have entered 2018 the Council isn’t done with its so-called ‘General Approach’ yet). If there is no agreement at a first reading (whereby the European Parliament and the Council, representing member state ministers with the Council’s work being prepared and coordinated by the Permanent Representatives Committee, supported by working parties, in this case for instance the Article 29 Working Party which becomes the European Data Protection Board, are ‘equal’ so to say), a second reading takes place. If there still isn’t an agreement then, conciliation comes in the picture (which happened until now for about 10 percent of EU legislation).

As the European Commission made clear in the scope of the progress of EU member states with the GDPR, all focus is on the GDPR at this time and it is pretty sure that the ePrivacy Regulation will NOT enter into force before 2019 and even most probably the second half of 2019.

And then it is not done yet! Do note there is a difference between entering into force and being applied.

That’s where a so-called grace period can come in. By way of comparison: as its Article 99 stipulates the GDPR entered into force the twentieth day following that of its publication in the Official Journal of the European Union. However, it applies from 25 May 2018. The ePrivacy Regulation by far is not in the Official Journal of the European Union and will almost certainly not be before end 2019.

Next in regulations and compliance: EU DORA Digital Operational Resilience Act

Top image: Shutterstock – Copyright: one photo – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for the ePrivacy Regulation as soon as it is final.