Article 29 Working Party releases Opinion on proposed ePrivacy Regulation

On 4 April 2017, the Article 29 Working Party (“A29 WP”) adopted its ‘Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)’ (“Opinion”) – a link to which can be found here. In the midst of the preparations for the General Data Protection Regulation (“GDPR”), you may have slightly forgotten about the ePrivacy Regulation, yet its importance should not be underestimated and the A29 WP’s Opinion confirms this. However, what is important now is ensuring that as closely aligned as these two pieces of regulation aim to be, that the proposed ePrivacy Regulation does not undermine the level of protection offered by the GDPR as the A29 WP’s Opinion seems to suggest.

What is the ePrivacy Regulation?

The ePrivacy Regulation is intended to replace the existing ePrivacy Directive 2002/58/EC which is essentially concerned with respecting private life and protecting personal data in electronic communications. Like the GDPR, the proposed ePrivacy legislation would take the form of an EU Regulation with the intent of ensuring uniform rules across the EU (with a few exceptions of course) in respect of electronic communications.

One of the key changes to note is that the ePrivacy Regulation extends the scope of the existing rules to include:

  • Over-The-Top (OTT) providers - the A29 WP’s Opinion confirms that these are essentially “services that are functionally equivalent to more traditional communication means and therefore have a similar potential to impact on the privacy and right to secrecy of communications of people in the EU”; and
  • Content and Associated Metadata.

What are the benefits of the ePrivacy Regulation?

The A29 WP’s Opinion highlights many positives of the proposed ePrivacy Regulation including:

  • EU-wide harmonisation – the choice of instrument for the new legislation is a Regulation meaning uniform rules across the EU;
  • Enforcement authority same as under GDPR – the enforcement of the new ePrivacy Regulation will be by the same supervisory authority that is responsible for monitoring compliance with the GDPR;
  • Alignment of fines regime with GDPR – the level of fines set in the ePrivacy Regulation (Article 23) are largely similar to those under the GDPR for violation of the rules; and
  • Removal of data breach notification rules – there is no provision for data breach notification under the ePrivacy Regulation meaning there will be no unnecessary overlap with the requirements of the GDPR.

However, the A29 WP Opinion has also raised a number of concerns which I’ve highlighted below.

What are the A29 WP’s key concerns?

Although largely positive, the A29 WP’s Opinion highlights 4 key areas of concern in relation to the proposed ePrivacy Regulation which it believes would undermine the level of protection provided by the GDPR. These key concerns are in relation to:

  1. Tracking of the location of terminal equipment
  2. The conditions under which the analysis of content and metadata is permitted
  3. The default settings of terminal equipment and software
  4. Tracking walls

In relation to each highlighted concern, the Opinion sets out suggestions for ways in which the ePrivacy Regulation could provide the same protection as the GDPR or a higher level of protection more appropriate to the sensitive nature of electronic communications data.

In addition to the points outlined above, the Opinion also highlights areas of the draft ePrivacy Regulation which require clarification “to better protect end-users, and to introduce more legal certainty for all stakeholders involved”.

What happens next?

The draft ePrivacy Regulation is planned to come into effect in May 2018 and the next step is for the European Parliament and the European Council to each review the draft and then negotiate the final text. As we saw with the GDPR, this can be a challenging process however, given the looming implementation date of the GDPR in 2018 it is hoped negotiations of the ePrivacy Regulation will be finalised in time to meet the May 2018 deadline.

The UK Information Commissioner’s Office has also confirmed in a recent blog that it is planning to release an initial guidance document on the new ePrivacy Regulation later this year highlighting key issues that fall out of the negotiations.

We will be monitoring the negotiations closely as they develop – so stay tuned for updates.

Samantha Sayers  | Solicitor – Cyber Security and Data Protection | PwC - UK
[email protected] |+44 (0)20 7213 4697

More articles by Samantha Sayers