Understanding the new ePrivacy Regulation and how it differs from GDPR
Now that organizations have hopefully gotten accustomed to the data privacy and protection requirements of GDPR, a new regulation looms on the horizon: the ePrivacy Regulation, or ePR.
The ePR is expected to address electronic communications, including text messages, email, chat applications and IoT devices. Think of the ePR as the traffic cop for data as it travels between controllers and processors governed by GDPR.
While only in draft form, the law is expected to impose (i) similar technical and organizational safeguards to those imposed by GDPR and (ii) significant limitations on electronic communications in the absence of consent from the person receiving the message, among other things. It will build on the ePrivacy Directive, an EU directive on data protection which took effect in 2002.
Key Differences from GDPR
The ePR will apply specifically to electronic communications. GDPR, by contrast, applies generally to the processing of personal data, and “processing” under GDPR is very broadly defined.
Although the ePR is more specific to electronic communications than GDPR, it is broader in one sense: namely, the ePR may apply to data about legal persons (i.e., corporations), not just personal data about natural persons.
What Will the ePrivacy Regulation Do?
Since the regulation remains in draft form, any analysis of its impact is necessarily speculative. Nevertheless, the European Commission’s Proposal for an ePrivacy Regulation offers some clues as to what will be in the final draft. Some of the key points include:
- A focus on privacy regarding metadata, including for instance the time of a telephone call or its location.
- A focus on consent and obtaining consent from users for uses of non-anonymized data. The ePR is likely to be more specific than GDPR in this regard but probably will not alter the core definition of consent.
- Finally, the European Commission promises “simpler rules on cookies.” Anecdotally, this appears to be welcome guidance in some markets. The cookie rules currently in effect are complex and not well understood. The result has been an “overload of consent requests for internet users,” as the European Commission has recognized. Clarity, particularly on the issue of whether one may consent to cookies through browser settings (as opposed to accepting cookies on every website), would be a significant improvement over the current uncertainty.
Differences Between a Directive and a Regulation
Even as the precise contours of the new law remain unclear, it seems that there is sufficient support for a new regulation, as opposed to a directive. This is consistent with the overarching goal in Europe of creating a single digital market. GDPR was the first step toward a consistent, EU-wide framework and ePR would be a logical continuation.
An EU directive relies on member states to implement legislation to achieve its aims. A directive merely states aims or goals for the member states to implement, which in this case has resulted in inconsistent application of the directive, and shoddy (sometimes non-existent) enforcement.
A regulation is a law unto itself; it goes into force immediately, without implementing legislation from member states. By way of analogy to American law, a regulation is preemptive federal legislation, and a directive is something less than a law, such as a Medicaid spending target.
ePR will be uniform throughout the EU and as such is likely to be more rigorously enforced than the prior directive. This is doubly the case as member states already are in the process of building enforcement apparatuses under the now-effective GDPR. Regulators will take up the new law seamlessly and integrate it into their existing investigations.
Although the details remain murky, we can expect a new regulation which will unify EU law concerning electronic communications. Supervisory authorities within member states that are now focused on GDPR enforcement are likely to swiftly take up enforcement of the new law.
EU regulatory authorities continue to negotiate the precise terms of the new regulation, and while several drafts have been published, the new law is unlikely to go into effect before 2020.