e-Privacy Regulation: 2020?

e-privacy GDPR legal services

Big data futuristic visualization

On June 7 the EU telecom ministers met in Brussels to discuss the progress of the proposed e-Privacy Regulation (ePR). There was no remarcable progress to speak of. Meanwhile, the presidency of the EU’s Council of the Ministers rotated to Finland and new promises are made that year 2020 will set in with a new e-Privacy Regulation. But hopes remain low.

The Regulation on Privacy and Electronic Communications (the longer name of the ePR) was proposed at the beginning of 2017 and its meaning was to replace the current EU e-Privacy Directive with a view to serve as another element of reinforcement of the trust and security in the Digital Single Market. Despite the fact that the European Parliament adopted the proposal within the same year, the Council of Ministers is still sleeping on it. The points of divergence are several, but in general they result from the differences of approach on confidentiality, where the Parliament’s expectation of strong protections comes contra to Council’s more business/technology applied approach which entertains a broader range of exceptions to seeking consent for cookies.   

The examination of the proposal, conducted by the Working Party on Telecommunications and Information Society, proves to be a challenging step in the enactment process and has lasted almost two years under the presidencies of Malta, Estonia, Bulgaria, Austria, Romania and now Finland. Significant clarifications were made in regard of ePR’s interaction with new technologies such as IoT and AI. Continue to be under debate important aspects such as prevention, detection and reporting of child abuse imagery or the possibility of the Member States to limit the scope of obligations and rights set forth in the sections concerning the confidentiality of electronic communication data (Article 5 – 8), permitted processing of electronic communications data (Article 6), storage and erasure of electronic communications data (Article 7), and protection of end-users’ terminal equipment information (Article 8).

When enacted, ePR should be regarded as special, or lex specialis, to the GDPR (the General Data Protection Regulation, which entered into effect on 25 May 2018). What this really means is that in areas where ePR contains provisions of greater specificity and detail which may be contrary to more general and less detailed provisions in the GDPR purporting to address the same range of situations, the ePR will apply. This specificity or speciality of the e-privacy provisions is already mentioned in the GDPR (Article 95 and Recital 173), which states that GDPR shall not impose obligations on natural or legal persons in regard of data processing for which they are already subject to specific obligations under the Directive 2002/58/EC (the current e-Privacy act). Surely, this speciality effect will extend to provisions of the ePR, when in effect, a position already confirmed by the European Data Protection Board. The expected points of divergence between the two regulations are expected to flow from their respective areas of application: while GDPR regulates the processing of personal data belonging to natural persons, the ePR regulates electronic communication whether or not it includes personal data.