GDPR has been the talk of the town since it came into force in 2018, but despite the attention it has received it is far from the only legislative act in the data business. There are other directives and regulations that either directly or indirectly regulate the data business, such as the Electronic Communications Code, the Network and Information Systems Directive, the Open Data and Public Sector Information Directive and the ePrivacy Directive which currently is undergoing substantive change to become ePrivacy Regulation.
When you read about the draft ePrivacy Regulation it may appear as though all it does is regulate the use of cookies and manage direct marketing; but the draft ePrivacy Regulation also proposes more regulation of over-the-top (OTT) communications provides, such as Skype or WhatsApp. This is important because neither the eCookies Directive nor the previous European Electronic Communications Code (a new EECC came in force in December 2018) regulated OTT service providers. In effect, this means the eCookies directive was outdated and did not offer legislative protection for communication conducted through OTT providers.
In addition to OTT players, cookies and direct marketing, the proposed ePrivacy draft also regulates the use of tracking technologies in order to manage the out-of-control spamming and profiling of people without their knowledge or consent.
Furthermore, its proposed scope extends beyond personal data, as it covers all data.
Simply put, if the GDPR regulates data protection, then the ePrivacy Regulation regulates the privacy of communications.
The proposed ePrivacy regulation is lex specialis to the GDPR, as it is intended to clarify and complement the electronic communications part and personal data topics not covered by the GDPR. These ‘special rules’ would include, for example, Article 5(3) of the Directive, which requires user consent for storing information, including personal data, in the end user’s device or gaining access to this information (e.g., via cookies) and Article 6, which explicitly limits the conditions under which the traffic data, including personal data, of subscribers and users of a publicly available electronic communications service may be processed.
As mentioned above, there has been significant lobbying around the ePrivacy directive. However, thanks to or despite of this, there is still a fair amount of uncertainty surrounding the proposed regulation; for a start, it is far from clear whether the directive will actually become a regulation. That said, with Finland, a long time proponent of increased market transparency, assuming the European presidency in July this year, it is likely that the directive will indeed become a regulation. This would mean that, like the GDPR, the ePrivacy regulation would be directly applied and would level the playing field for market operators across Europe.
The uncertainty over the content of the proposed ePrivacy regulation has been increased by the fact that the European Union will soon have a new parliament, which may wish to reopen discussions on ePrivacy decisions made by the previous parliament. There is also a question mark over how long the European Council will require to debate the proposals.
It is expected that the regulation will be enforced at the end of the year and businesses will receive the usual 2 year grace period to achieve compliance with the regulation. As an old Latin proverb goes, festina lente or rush slowly with the compliance.
