For years, the European Union has been trying to establish uniform rules for the internal market of digital services, to better protect users and copyright owners. The EU ePrivacy Regulation is discussed within this context. With this, the European Union wants to formulate binding data privacy regulations that apply EU-wide. These policies will not have any direct effect on internet services operating within the United States but will be important to know for anybody looking to operate online within the borders of the EU. It hasn’t yet been determined, though, when the EU’s ePrivacy Act will come into force and which requirements it will bring with it for the digital industry.

Note

The ePrivacy Regulation is not identical to the EU General Data Protection Regulation (GDPR), which came into effect in May 2018. Read more about this regulation in our detailed article on the GDPR and the new rules for businesses.

What is ePrivacy all about?

With the ePrivacy Regulation (officially: Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC), the European Union wants to strengthen the privacy of citizens in online communication and intensively regulate data protection in the EU. Basically, it’s concerned with restoring people’s trust in digital communication channels. The ePrivacy Regulation, which has not yet entered into force, is the third and presumably final measure in an initiative for binding rules and regulations on European data protection, following the first Data Protection Directive (Directive 95/46/EC) and the ePrivacy Directive (2002/58/EC). In short, the EU's planned ePrivacy is intended to ensure that privacy and data protection will no longer be restricted by national borders in the future (at least within the EU).

With this initiative, the EU embarks on a path that’s more than necessary: The Internet, as we all know, knows no borders. But what exactly does the European authority anticipate with the ePrivacy Regulation? It’s important to first establish that the ePrivacy Regulation will affect more companies than any previous data protection policy. The requirements that are made this time are aimed specifically at website owners and software providers, for example, Meta (formerly Facebook), Google and Zoom – basically at the entire online industry.

One major change is set to affect the use of cookies. Rejecting cookies that are not necessary should become simpler for web users and, for example, be regulated via browser settings. Website operators may only use cookies if users explicitly agree to it or if they are “technically necessary cookies” that enable the proper functioning of a website (e.g., login cookies). Even if the user doesn’t agree, all content should still be displayed to them in the future. Instead of an opt-out, a double opt-in would be required.

To implement this, browser manufacturers could also be put under obligation: According to the draft, web browsers in the future should offer users the possibility to fundamentally regulate tracking. Is anybody allowed to read my cookie data? And if yes, are these only direct providers, or are they also third parties? Among other things, there’s controversy as to exactly how the default setting should look – i.e., whether the user has to become active themselves in order to protect their privacy. The GDPR at least assumes “Privacy by Default”: Data protection settings should be as strict as possible directly following installation, and then can only be weakened by the user afterwards. In general, tracking services should only be allowed without permission by the user if they serve a purely statistical purpose.

Note

Although it will still take a while until the ePrivacy Regulation becomes legally effective, there has been an important change in cookie tracking since December 1, 2021. Germany’s new Telecommunications Telemedia Data Protection Act (TTDSG) is intended to anticipate the ePrivacy Regulation in some respects. To date, it was the GDPR and ePrivacy Directive – also known as the EU Cookie Directive – that provided a legal foundation for how website operators could use cookies.

The draft for ePrivacy also includes machine-to-machine communication. This is the EU’s response to the challenges of the Internet of Things. For these types of data transfer, the same rules should apply as in instances where users are directly involved. The plan is that devices will only transfer personal data if the user has agreed to it. This could apply to GPS data for smartphones, for example. As a general rule, users should be informed about which data is being collected from them and for what purpose. Therefore, it shouldn’t be possible to hide an agreement in the T&Cs or link it to another service. For example, if user data needs to be transferred for online shopping – as it always does – this is allowed. It should not be allowed, though, to use this data for advertising purposes at the same time. For this, a new, specific agreement would be needed.

The ePrivacy Regulation shouldn’t be limited to the tapping of personal data by companies, though. Intervention on the state side should also be strongly regulated by ePrivacy. End-to-end encryption should be obligatory: All data transmissions should be fully encrypted and not viewable by governments. The introduction of backdoors is also to be forbidden: Backdoors that the producer built to grant access for the government would be illegal.

ePrivacy shifts away from the internet when it comes to direct marketing: While nothing changes in the principle of email marketing, the regulation intends to regulate telephone marketing more strongly. The proposal says that telephone calls for solicitation purposes should only be allowed if the caller reveals their telephone number or if they use an integrated code to indicate that it’s an advertising call.

ePrivacy Regulation vs. ePrivacy guidelines vs. GDPR

The ePrivacy Regulation partially exists to replace the old ePrivacy guidelines and partially to supplement the GDPR. The old regulations have existed since 2002 and were expanded in 2009. However, a European community guideline is not directly effective and binding law; instead, directives have to be converted into national law. As a result, individual nations are afforded a longer period. In the case of the regulation, the situation is different: As with the GDPR, it’s an EU-wide law that’s binding for all countries and comes into effect immediately. The law can, however, grant a transitional period, for example.

What about the GDPR, though? What do you need to stick to now? As soon as the ePrivacy Regulation takes effect, the answer is simple: to both! The plan is that the regulations in ePrivacy will make the GDPR more concrete. The ePR (as the new regulations will be called) should be a lex specialis. This means that it has priority over the basic data protection regulation – a lex generalis. The GDPR is more general and should be made clearer by the ePR through specific points with definite rules. The data protection regulation is not specifically tailored to the internet. ePrivacy will better protect this area.

The ePR should also contain opening clauses: local regulations should be able to influence certain sections of the regulation when it comes to implementation details. Individual lawmakers must change or adapt points that are inconsistent with EU laws, however.

When will the ePrivacy regulation arrive?

The ePrivacy Regulation has been discussed since April 2016 but has not yet come to a binding conclusion. In January 2017, the European Commission published its first draft. Subsequently, multiple committees issued responses to the Commission’s proposals, which eventually led to the EU Parliament’s own draft in October 2017 (the GDPR had already been decided at this time). Almost one month later, the EU Council Presidency published an assessment report, in which the current state of things was summarized. At this point, it’s the most current publication. The next move is for the EU Council to decide on the draft.

Originally, it was planned that ePrivacy and the GDPR would take effect at the same time. This plan has long since been abandoned. For years, the EU member states haven’t been able to agree on a common policy. But there is hope. In February 2021, the EU Council of Ministers agreed on a common version – the starting signal for the so-called trialogue. This means that current representatives of the three bodies involved in the EU legislative process, i.e., the EU Commission, Parliament and Council of Ministers, are negotiating with each other.

Since a year-long transition period is also predicted for the ePrivacy Regulation, there won’t be any need to reckon with an immediate implementation of the draft signed off by all participating countries. To what extent the draft will still be changed can’t yet be predicted. However, it’s fairly likely that this won’t remain as the final version. For 2022, France will assume the Council Presidency, taking over from Portugal and Germany, whose proposals failed.

Criticism of the draft

Cuts made by an ePrivacy Regulation such as the one currently under negotiation affect operators of internet services and the online marketing industry, in particular (in addition to citizens whose privacy is to be protected). So, it’s not very surprising that the greatest criticism is drawn from these areas. The advertising industry finds fault with the EU project.

  • More effort for users: The industry expects that users in the future will be overwhelmed by the number of approvals that would be required by the ePR. This is assuming that for each individual transmission, a specific approval would have to be given.
  • Financing for online media at risk: The biggest point of criticism is that ad-financed online media are in danger. At the moment, there are individual blogs, newspaper websites, and other media whose business model is dependent on pop-up ads. Users don’t pay with monetary value, but instead through ad consumption. The number of pop-ups is based for the most part on data that’s collected by advertisers through tracking. If the ePrivacy Regulation takes effect in its current form, then such advertisements would only be possible when paired with explicit approvals that most users probably would not give. Parts of the online marketing industry are apprehensive that the free availability of information on the internet could be prevented.
  • No coherence with GDPR: There are contradictions visible with the GDPR. For this reason, the concerned organizations assume that the new regulation won’t bring more clarity in data protection for online communication, as envisaged by the European Commission, but rather lead to more legal uncertainty. Some are afraid that changes in the business model being made now for the GDPR will be changed even further in the future.
