European Parliament Moves to Begin E-Privacy Regulation Negotiations

Wednesday 15th November 2017

The European Parliament last week voted to begin informal trialogue negotiations with the Council of the European Union and the European Commission on the draft wording of the new E-Privacy Regulation (EPR).

What is the E-Privacy Regulation?

The Regulation on Respect for Private Life and the Protection of Personal Data in Electronic Communications (EPR) is a new law emanating from the EU. The EPR is concerned with the collection and use of electronic communications data, including both content and metadata, as well as with tracking technologies, such as cookies or digital fingerprinting.

The EPR will repeal and replace the current law in this area, the Directive on Privacy and Electronic Communications 2002 (DPEC). Similar to the General Data Protection Regulation (GDPR), the EPR will have direct effect in EU member states and so should lead to greater harmonisation and eventual cost savings for businesses that operate within the single market.

How does the E-Privacy Regulation relate to GDPR?

The GDPR is, as the name suggests, a regulation with general application. It takes a blanket approach to data protection and does not distinguish between sources or methods of collection of personal data. The EPR is designed to complement the GDPR, sitting alongside it and applying in tandem. The EPR will only apply to information collected via certain channels: electronic communications and tracking technologies. For this information, whether it amounts to personal data or not, the EPR will lay down specific rules that apply in addition to any GDPR obligations. The EPR will not create any exceptions to the GDPR regime.

This means that businesses using electronic communications data will have to look to both regulations to ensure compliance. In the first instance, the EPR will define the rights and obligations involved in the collection and use of all electronic communications data, and then, if that data contains personal data, the GDPR will also kick in.

Who will be affected?

The EPR takes a much broader approach to electronic communications data than the DPEC. The new definition aims to catch all electronic communications in any form, including text, voice-over-internet-phone services such as Skype, and internet messaging platforms such as WhatsApp or Facebook Messenger.

In addition, the EPR will specifically apply to those businesses that provide communications services only as an ancillary function intrinsically linked to another service. This means that businesses that include communications platforms within their products, sites or services will also be caught: for example, a player-to-player messenger built into an online game, a messaging service between guests and hosts on an accommodation website, or even connectivity between appliances in an Internet of Things context.

Like the GDPR, the EPR will take a global, extra-territorial view of compliance. The provisions of the EPR will apply to any business that is providing electronic communication services to individuals within the EU, or using tracking technologies placed on the devices of individuals within the EU. It does not matter where the business is established.

What are the key provisions of the E-Privacy Regulation?

The EPR splits ‘electronic communications data’ into two categories: content and metadata. The content is the message, the information or signal input by one end-user and transmitted to another. The metadata is all the surrounding information: the date of the message, the time, the identity of the sender and recipient, the IP addresses of each, etc.

Different rules apply to the collection and use of each category of electronic communications data. The rules’ key aim is to enshrine the principle that communications data should be private; however, they also seek to achieve a balance in which legitimate uses of such data are allowed, and wider uses are allowed with consent.

The use of metadata for billing purposes, for example, is a legitimate use and will not require consent. On the other hand, accessing the content of messages to improve targeted adverts within a service would be seen as a wider use that would require the consent of the users.

The other main strand of the EPR is that individuals should not be tracked by technologies such as cookies without their consent. The European Commission proposal aims to improve the current state of regulation in this area, which is inconsistent in both its application and enforcement, leading to widespread non-compliance and consent fatigue.

The EPR marks a major departure from previous attempts to enforce a requirement for consent, by moving the obligation to seek consent from the website to the browsers or operating systems that enable access to the internet.

There are still technical issues to overcome in order to achieve this, as what the regulation essentially requires is a universally understood signal that can be sent by a browser to a website to tell it that the individual has not consented to tracking technologies. The idea of a Do Not Track signal has been under discussion in the World Wide Web Consortium for over 5 years, with little progress seen so far.

When will the E-Privacy Regulation enter force?

The current aim is for the EPR and the GDPR to come into force together on 25 May 2018. This would create a unified and complete system of data protection regulation across the EU.

However, the EPR is still in draft form and must be negotiated and agreed between the 28 member states of the EU and adopted by both the Council of the European Union and the European Parliament. The negotiations in respect of the GDPR took around 4 and a half years to complete, and the draft text of the EPR was only released in January of this year.

Given the short timescales that would be required for negotiations, and the key technical hurdles involved in cookie consent, it appears unlikely that the 25 May 2018 deadline will be met. What is clear is that the EPR remains a high priority for European legislators, despite these challenges.

What to do now

The consequences of non-compliance match those of the GDPR, with a maximum fine of up to 4% of annual worldwide turnover or €20 million. Getting ready for the EPR should therefore be high on the agenda of any business, based anywhere in the world, that provides communications in the EU or uses tracking technologies in the EU.

Currently, we only have a draft text of the EPR and there are substantial amendments still likely to be made. This does not mean that preparation cannot begin now. At the moment there are three key points to take away from the draft proposals:

  1. Privacy of electronic communications is paramount: Organisations should review how and why they are collecting and using communications data.
  2. Consent will be required for tracking technologies, and the consequences of non-compliance will be much greater: Proper cookie consent should be sought in all instances; consider implementing banners.
  3. The scope of application is not limited to just those businesses in the EU: The EPR and GDPR are likely to affect most businesses in some way; resources should be sought to enable the changes required for compliance to be made.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.