Is there an end in sight for the ePrivacy saga in 2020? For the moment at least, it seems unlikely. The debate over the Council’s draft of the text will continue in 2020 with the Croatian Presidency attempting to break the deadlock. Trilogue negotiations between the Council, Parliament and Commission cannot begin without consensus in the Council, which means that the current outdated rules could apply to digital technologies because of the new European Electronic Communications Code (EECC), with resultant uncertainty and the potential for an increased regulatory burden on all telecoms providers.
The first draft of the ePrivacy Regulation was published in January 2017 and Parliament approved its draft negotiation text in October 2017. However, over the course of six successive Presidencies spanning almost three years, the EU Council failed to reach agreement on its approved text. One of the main sticking points was the use of metadata and content data by electronic communications providers, including for the purposes of detecting, deleting and reporting child abuse imagery. Even if the text had been agreed by the Council, it would have been difficult to reconcile the two very different drafts given that the Parliament provided greater protections for individuals and the Council allowed more scope for processing for providers. The current approach to the ePrivacy Regulation has not just failed to gain traction with the Council, industry bodies have also commented on its lack of cohesion with the GDPR.
With a final version of a new ePrivacy Regulation looking unlikely, the current ePrivacy Directive (ePD) will continue to apply to those caught by its provisions. The ePrivacy Directive contains rules of general applicability, e.g. on cookies and direct marketing, and rules that are specific to providers of electronic communication services and networks. The scope of the ePrivacy rules are therefore in part determined by the EU framework for electronic communications.
The current EU framework for telecommunications is set to be consolidated and replaced by the EECC, which is in the process of implementation in each EU Member State with a transposition deadline of 21 December 2020. Under the EECC, the scope of electronic communication services will be expanded to include over-the-top/online communication services. Therefore, providers of VoIP services and other online communication apps (video, chat, messaging) will be subject to telecoms regulation and by extension the ePrivacy Directive.
For the foreseeable future, those caught by the provisions of the ePD will continue to need to comply, taking into account the interplay with the ever-evolving guidance and case law on the GDPR (e.g. on consent, notice, etc.), which will often apply in the context of the application of the ePD. The ePD rules have not been kept up to date with the latest technological developments and are also not well aligned to the enhanced protections of the GDPR.
It is possible that the European Commission will prepare a new draft of the ePrivacy Regulation in early 2020, but if it this is the case, it will be interesting to see how much of the latest drafts from the Council and Parliament will be incorporated. The Commission may take a different approach in some areas by aligning more with the GDPR or by moving away from the exceptions based approach that has caused so many issues for the EU Council. However, this may prove problematic for the European Parliament if it is seen to compromise the privacy of electronic communications.
Sign up for our monthly Connected newsletter to stay up-to-date with the latest regulatory and public affairs issues.