Update on the new draft E-Privacy Regulation

Legal Alert – 11 December 2019

Progress on the draft E-Privacy Regulation has stalled yet again in Brussels. The Regulation will update the law across the EU on issues such the use of cookies and electronic direct marketing and would have a fundamental effect on digital advertising.

E-Privacy is a fundamental part of the online advertising industry. The current law applicable to E-Privacy in the EU is contained in the European Privacy and Electronic Communications Directive 2002 (the E-Privacy Directive). The E-Privacy Directive was implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (otherwise known as PECR).

The EU Commission wanted to update E-Privacy law to better reflect the existence of new technologies and, in particular, to harmonise the law across the EU. It therefore decided to introduce a new Regulation, rather than simply update the E-Privacy Directive, to sit alongside the GDPR. As with the GDPR, since it is a Regulation rather than a Directive, a new E-Privacy Regulation will be directly applicable in all EU member states without the need for each country to transpose it into their own law. This should lead to greater consistency than under the current situation with the E-Privacy Directive.

What would the new Regulation do?

While the GDPR applies to the processing of personal data, the E-Privacy Directive contains specific rules on the use of cookies, electronic direct marketing such as email, SMS, telephone and fax, as well telecommunications-related rules concerning location data and traffic data, among others.

Key areas dealt with in the draft Regulation also include cookies and electronic direct marketing, and additional issues such as over-the-top (OTT) services and machine-to-machine communications, as well as extra-territorial scope and GDPR-style fines.

When will the new Regulation come into force?

The EU Commission had originally intended the new Regulation to come into force on 25 May 2018, to coincide with the GDPR. However, as of today, the Regulation has still not been agreed between the EU institutions. The Finnish Presidency of the EU Council, whose term ends at the end of this year, failed to gain support for its compromise text. It now looks likely that the Commission will present a revised proposal as part of the Croatian Presidency next year.

Whenever the draft Regulation is finalised – and it now looks unlikely that it will be agreed in early 2020 as had recently been expected - there will likely then be a two-year transition period before it comes into force. Although the UK may no longer be part of the EU by then, given the proposed extra-territorial scope of the draft Regulation, it is likely to remain relevant to many businesses in the UK, and the UK may decide to copy its provisions into UK law anyway.

In the meantime, the Information Commissioner’s Office’s has produced guidance on the use of cookies, giving a very narrow interpretation of the current cookie law.

Please get in touch with Richard Lindsay, Director of Legal & Public Affairs, if you need more information.