Late bloomer ePrivacy Regulation: EU consensus not yet in sight

The ePrivacy Regulation was actually supposed to enter into force on May 25, 2018 jointly with the EU General Data Protection Regulation. Now it is expected to go into effect in 2019 at the earliest. It has new provisions in store, particularly for online marketing.

The ePrivacy Regulation is intended to replace the current European ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In terms of content, it is meant to be complimentary to the GDPR, which has been applicable since May 25, 2018, and is intended to govern a key part of the processing of personal data – the processing of communications across electronic networks – as a more specific law.

The ePrivacy Regulation will not only apply to the use of conventional telecommunications services such as phone, email, or texting, but also to “over-the-top services” such as WhatsApp or Skype. It will govern the processing of electronic communication content, including the metadata for such communications.

As far as online marketing is concerned, the draft regulation clarifies that tracking and profiling of users with the help of cookies or similar technologies is only permitted with user consent. Cookies that do not affect user privacy continue to be permitted without consent. These include, for example, cookies required to provide services (such as the shopping cart function in online stores) or cookies used for statistical analysis of website use. Cookies used to recognize users may only be used with user consent, however. The existing opt-out solution for creating pseudonymous user profiles in accordance with Section 15 German Telemedia Act, already called into question by the German data protection supervisory authorities, will then definitively no longer apply.

In addition to the consent requirement, Article 6 of the original draft regulation also provided for a prohibition of coupling: Use of a service should not be made dependent on consent to the use of cookies or tracking tools.

The draft met with massive criticism, including due to the fact that it endangered the advertising-financed business models of online services, which are based on personalized advertising. On November 26, 2018, the EU Council Presidency published a progress report on the status of the discussions: it shows that, among other things, the prohibition of coupling is to be relaxed, although details are still in dispute. A provision in the draft that would obligate providers of Internet access software to offer privacy settings to end users to prevent or control access to their terminal equipment is to be removed entirely. The report also shows, however, that the EU Member States are still far from reaching a consensus on the ePrivacy Regulation.

There is a long way to go before the ePrivacy Regulation will enter into force. Until then, companies will have to contend with the uncertainties resulting from delays in the introduction of the ePrivacy Regulation and its yet to be finalized content. In any event, it is advisable to monitor developments to get ready for the ePrivacy Regulation.

Your contacts are the experts of the Data Protection Task Force. Astrid Luedtke and the other members of the Data Protection Task Force specialized in data protection law and the additional fields of law that are important for implementation, such as IT and Competition Law, Employment Law, Banking & Finance, as well as Compliance.