Chances are you’ve heard about the General Data Protection Regulation (GDPR) that comes into force in May 2018, repealing the 95/46/EC Data Protection Directive currently in force. Following in the footsteps of this legislative overhaul is the ePrivacy Regulation, which complements and elaborates the GDPR. It deals with protection of personal data in electronic communications. In a nutshell, ePrivacy is about repealing Directive 2002/58/EC, which some of you might remember for the “cookie walls” and cookie havoc from back in the day.
After talks, lobbying, and months of crafting the text of the ePrivacy Regulation, this expected piece of legislation has completed two major milestones in the past few days. It’s now entering into Trilogue mode.*
What’s next for ePrivacy? It will be submitted to plenary sittings of the European Parliament: the forum in which the Members of the European Parliament (MEPs) take part. The plenary sittings are an essential part of the EU’s decision-making process, and come before the final version of the ePrivacy Regulation can be adopted.
*Trilogue is a form of informal tripartite meetings attended by representatives of (1) the European Parliament, (2) the European Council and (3) the European Commission. The purpose of these contacts is to reach an agreement on a package of amendments acceptable to the Council and the European Parliament. Any agreement in trilogues is informal and has to be approved by the formal procedures applicable within each of the three institutions.
The GDPR and ePrivacy Regulation address two very different articles contained in the Charter of Fundamental Rights of the European Union:
Compliance with respect to ePrivacy will be built on top of your GDPR best practices, as the GDPR opens up privacy obligations to online identifiers (listed as personal data under Art. 4 about definitions) while further mentioning cookies under Recital 30:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
The ePrivacy Regulation will therefore be about placing, accessing, and using identification technologies on users’ devices. Note that the previous reference to Article 30 also includes digital fingerprinting, just in case you were wondering.
In its Article 6, the GDPR addresses Lawfulness of processing, setting out six methods by which processing (in the broad sense of the word, it includes collection as defined in Art. 4 (2)) is understood to be lawful. In a nutshell, you are allowed to do it.
These six methods include: option “a”, known as consent, and option “f”, known as legitimate interest.
More specifically, f reads as follows:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The current proposal for the ePrivacy Regulation, however, does not provide such a broad method for processing data. Indeed, the current version of Article 6 in the ePrivacy Regulation on Lawful processing of electronic communications data talks mainly of consent, with some exceptions related to fraud.
The Commission came out with a proposal for reform of the nightmarish “cookie wall” directive in January of 2017. This document went through the processes listed below, was put to a parliamentary vote on 26 October, and then passed into Trilogue mode.
The current version of the ePrivacy Regulation, comparing the Commission’s wording on the left and the delivered LIBE Committee vote on the right, can be viewed here. This is the text which will be used in the Trilogue process.
LIBE Committee Vote:
European Parliament Trilogue Vote:
Both votes were tight:
– 24 against vs. 31 for with one abstention for LIBE, and with significant pressure from lobbying groups such as the IAB arguing that the GDPR was enough, no further legislation was needed, and more legislation would stifle innovation;
– 280 against vs. 318 for with mainly the EPP group* failing to back the proposal, arguing that the document had been rushed and that the Council wasn’t ready.
* The EPP (European People’s Party) Group – a political group in the European Parliament comprised mostly of politicians of Christian democratic, conservative and liberal-conservative orientation, including members of the European People’s Party.
It will be interesting to see how the different amendments pass through the Trilogue phase. As we’ve seen with the GDPR, this means political bargaining at a more local level as the Council is involved with countries such as Ireland, often the entry point for a lot of US-based companies on European soil. Those countries need to strike a balance between privacy legislation stances and economic benefit. Whether adoption will take place in May 2018 is still the big unknown. The current rumors say Summer 2019, but nothing official has been communicated.
As it is not our custom to speculate on what the final text will look like, we won’t do that. But we do want to address the impact of the ePrivacy Regulation on marketing automation, re-marketing, content personalization, and web analytics technologies. We’ll tackle those topics in our next blog post, so stay tuned!