Where next for the e-Privacy Regulation?

Where next for the e-Privacy Regulation?

Maybe it's the long hot summer - or perhaps everyone is still a little exhausted by the whole GDPR gallop to the finish (start?) line - but it's all gone a bit quiet on the ePrivacy front.

However, there has been quite a lot of press around the ePrivacy Regulation this week because on 31st July the Austrian presidency announced that it intends to do little more than produce a status update by the end of the year. This means that it is likely that the file will be passed to the Romanians in the first half of 2019 with nothing happening until after the May elections. Therefore it seems that the law will not come into force until 2020.

You can read the whole of David Meyer's report for the IAPP here

Birgit Sippel, who is responsible for getting the legislation through is spitting feathers. In her mind the Austrians have bowed to media pressure to keep pushing the legislation back. The Austrians haven't made things easier for anyone who is trying to get it across the line by saying that 'we are not sure if a common position in this topic is reachable'.

It is to be surmised that one of the reasons behind this timidity is that ePrivacy has been one of the most lobbied pieces of legislation ever to go through the European Parliament. Jan Philipp Albrecht (who was the MEP responsible for driving the GDPR forward) has said that much of the industry lobbying has been completely over exaggerated and unprecedented - with lobbyists claiming that the ePrivacy Regulation will hold Europeans hostage - turning web browsers into 'private gatekeepers; and hinder Europe's move to 5G'. He has remarked that much of the lobbying has been 'extremist and populist and completely unreasonable' with a lack of transparency as to who is pulling the strings/funding the various industry bodies making a case.

Birgit Sippel sees the lobbying and the lack of the action on the part of the Austrians as an attack on Democracy "ePrivacy is indispensible to safeguard the rights of our citizens in the digital environment". Not everyone agrees with her. There is a view that ePrivacy has a much wider scope than GDPR since it covers communications to legal entities and between machines, so many believe it requires a more cautious approach so that the final legislation is not open to interpretation.

Just before the Austrian announcement, on 26th July - the German parliament gave its official response to negotiations around the legislation and it is reasonable to suppose that their views will carry a great deal of weight.

The four main points they have raised are:

  • That the ePrivacy regulation needs to reflect how further processing of data by communication service providers will be protected by the GDPR
  • That they will not support anything that will allow processing without consent
  • That the legislation must ensure that the use of online services financed by advertising can be made dependent on user's consent to setting of cookies for ad purposes, and users should be informed about privacy settings on first installation and have to choose a setting, software must not be preset and updates must not override users' privacy settings. 

The Germans have also made it clear that they want a 2 year transition period similar to that for the GDPR. Which means that effective regulation of activity under the Regulation could be as much as four years away.

The conclusions we must draw at the moment therefore are: that the legislation isn't going to be with us any time soon; the online ad industry is throwing money at the issue via aggressive/emotive lobbying; even if the legislation gets smooth passage through the next stage it is going to be while yet; and if Germany gets its way everyone will have 24 months to get their house in order after that.

From a privacy perspective - we know that cookie banners/privacy by design etc. are covered by existing legislation; GDPR has real issues for the data market as a whole and email marketing will never quite be the same. So regardless of when the ePrivacy Regulation may come to pass, and what it may or may not contain, it is worth looking forward cautiously and budgeting to make changes because they are going to come - only not quite as quickly as some quarters would like.