Skip to content

While many are still digesting the changes brought about by the EU General Data Protection Regulation (GDPR), a new privacy regulation is already on its way. The Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications – in short, the ePrivacy Regulation  – is currently a draft under discussion (the latest version by the EU Council was published on 13 March 2019).

Relationship Between the ePrivacy Regulation and the GDPR

Unlike the GDPR, the draft ePrivacy Regulation focuses on privacy with respect to electronic communication services and on the data processed by electronic communication services. This means that in relation to such communication services, the ePrivacy Regulation provides the specific obligations that flesh out the more general provisions of the GDPR. The draft ePrivacy Regulation covers more than just data protection law; it also relates to non-personal data, such as metadata. Lastly, the draft ePrivacy Regulation contains provisions on telecommunication confidentiality.

Background

The draft ePrivacy Regulation is meant to update and replace the current ePrivacy Directive, which, together with the GDPR, provides the current legal framework to ensure digital privacy for EU citizens. By changing from a directive to a regulation, the new rules will apply directly in all EU member states, and implementation into national laws will no longer be required. This promises a uniform set of rules in all member states. However, as GDPR has shown, this probably sounds easier than it will be in practice.

Key Changes

In a nutshell, the main points of the draft ePrivacy Regulation include:

  1. While the existing ePrivacy Directive applies to emails and text messages (SMS), the new ePrivacy Regulation aims to also catch data created or processed by the newest forms of electronic communication, such as machine-to-machine communication (Internet of Things), internet telephony, and internet access provider services.
  2. The draft ePrivacy Regulation scope extends to more than just personal data – it covers certain non-personal data such as metadata. Not only does this further increase the compliance obligations for enterprises, it may also challenge data analytics schemes dealing with anonymized or aggregated data instead of personalized data, developed to allow big data business models.
  3. While many concepts of when and how data may be processed may essentially stay the same, the draft ePrivacy Regulation introduces new, additional obligations requiring enterprises to adapt their compliance systems. For example, Article 7 of the draft ePrivacy Regulation requires that enterprises delete electronic communications data after its receipt by the intended recipient. Such obligation is new in many member states and would require operators to implement certain technical measures. It also raises questions about the ability to pursue certain communications, for example in relation to illegal content.
  4. The draft ePrivacy Regulation provides a clear, albeit more restrictive, legal framework for the use of cookies and similar tools that collect data from end-users’ equipment (e.g., mobile phones and laptops). The use of cookies will require that such cookies are necessary for the transmission or the security of the electronic communication service, or that the end-user has given consent. Previous drafts of the regulation contained several different ways in which such consent could be given. The most recent draft refers to giving consent to providers via white lists.

Outlook

The new draft ePrivacy Regulation has been approved by the EU Council. After the May 2019 European Parliament elections, negotiations on the regulation between the Council and the European Parliament will start. The ePrivacy Regulation will likely not enter into force before 2021, given it covers many different subjects (i.e., metadata, cookies, and telecommunications confidentiality).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of the Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.

Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Photo of Greenberg Traurig Greenberg Traurig

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also

Willeke Kemkers is a member of the IP / Tech department of Greenberg Traurig’s Amsterdam office. She focuses on a broad range of intellectual property issues, including proceedings, drafting of (commercial) contracts and providing of advice regarding transactions (mergers and acquisitions). Willeke also has deep knowledge of EU e-commerce regulations and regularly counsels clients with respect to the interpretation and application of the relevant laws.

Furthermore, Willeke counsels clients on a wide range of privacy issues such as data processing agreements, cross-border transfers of data, privacy policies and data breaches. With respect to the coming into force of the GDPR, Willeke prepared clients from many different industries (transport, medical, legal) to be GDPR compliant.

Willeke also has experience with drafting and reviewing of IT contracts including hosting (cloud), outsourcing (SaaS, Iaas and Paas) and IT development contracts.