With a changing digital landscape and emerging data-driven technologies, the rules of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) are in need of updating. The proposed E-Privacy Regulation was intended to address new legal challenges and complement the General Data Protection Regulation (GDPR) in relation to privacy in electronic communications.
The first draft of the E-Privacy Regulation was presented in January 2017, with the aim that it would be passed quickly and would apply from May 25, 2018, together with the GDPR. However, over three years since the original proposal was published, the draft E-Privacy Regulation is still not finalised, as EU Member States have not yet been able to agree on the draft legislation. After the exchange of many conflicting drafts, the Croatian presidency of the Council of the European Union presented its proposed text in February 2020, and issued a further revised version in early March.
The expected changes will influence a wide range of topics, the most important ones being:
- protecting the confidentiality of communications sent over the internet such as emails, VoIP services (e.g. Skype) and messaging services;
- e-direct marketing, such as sending commercial emails and text messages and making marketing phone calls (including automated calls);
- placing cookies (and other similar technologies) on computers, mobile phones and other similar electronic devices.
The last topic – very much connected with “cookie banners”, which have been under scrutiny by many data protection regulators in the EU – is of relevance to most companies. In this alert we will take a closer look at the possible outcome of the current discussions and the impact for EU and UK businesses.
Protection of end-users’ terminal equipment information
Similar to the GDPR, a legitimate interest assessment should be carried out, including a balancing test to determine whether the interests or fundamental rights and freedoms of the end-user override such interest. However, unlike the GDPR, the Croatian draft only refers to legitimate interests of the service provider. Thus, it is narrower than the GDPR provision (Art. 6(1)(f)), which also allows reliance on the interests of third parties.
The Croatian proposal provides some concrete examples of purposes that might be considered legitimate and others that might not. For example, a service provider may rely on legitimate interest to drop cookies to prevent fraud or detect technical faults. Moreover, a service provider whose website content or services are accessible without direct monetary payment, and which is wholly or mainly financed by advertising, or certain audiovisual media services, may also rely upon legitimate interests to place cookies. In the latter case, the end-user must be provided with clear, precise and user-friendly information about the purposes of the cookies used and “accept” such use. Interestingly enough, consent terminology is avoided in this context.
However, the draft does not allow reliance on legitimate interests in all circumstances. For example, a provider cannot rely upon legitimate interests if the information were to be used to build an individual profile of an end-user. The proposal states clearly that in such cases, the end-user’s interests and fundamental rights and freedoms override the interest of the service provider. Interestingly, the draft neither defines what constitutes a “user profile” nor refers to the GDPR, which already provides for rules on “profiling” (Articles 21 and 22), including a right to object to profiling in the context of marketing activities. The proposal also bans processing special categories of personal data, as defined under the GDPR, based on legitimate interests (unless a specific exemption applies).
The balancing test proposed in the text goes beyond the GDPR standard for legitimate interest by introducing a mandatory requirement to carry out a Data Protection Impact Assessment (DPIA, as defined under Art. 35 GDPR). The DPIA should be carried out prior to the start of the processing based on legitimate interest, and in certain circumstances may require prior consultation with the relevant supervisory authority.
The proposal also restricts providers from sharing information collected from users with any third parties other than processors. This restriction does not, however, apply to anonymised data.
UK Data Protection and Brexit
The UK formally left the EU on 31 January 2020 and entered a transition period until at least 31 December 2020 (unless extended, although the current UK government has indicated it does not plan to extend the transition period). As far as the GDPR is concerned, this changes little in the short term; the revised Withdrawal Agreement (under which the UK left the EU) essentially preserves the existing position from a data protection perspective during transition, and so the GDPR remains applicable in the UK until the end of the transition period (to read more about the implications of Brexit for data protection generally, see our blogpost on this topic here). Currently it is expected that after the end of transition, the GDPR will be incorporated into domestic UK law, known as the “UK GDPR”, although this position could change depending on negotiations during the transition period.
However, the position is different for e-Privacy. In the likely event that the e-Privacy Regulation does not become effective by the end of the transition period, it will not form part of the body of retained EU law which is incorporated into UK law at the end of transition. Under the UK legislation governing the UK’s withdrawal, direct EU legislation operative immediately before the end of the transition period will form part of domestic UK law after the end of transition. This includes EU Regulations which have effect in EU law immediately before the end of the transition period, meaning that any EU Regulations which are effective at the end of the transition period will be incorporated into UK law at that stage.
Although the default position is that the GDPR will be incorporated into UK law in this way, this is unlikely to be the case for the proposed e-Privacy Regulation. Even if the text is finalised and the Regulation adopted during the transition period, based on the current drafts there will be a two-year period between the Regulation being adopted and becoming effective (as was the case for the GDPR). Given that the transition period is currently due to end on 31 December 2020, it seems very unlikely that the Regulation will be effective by that time, in which case it will not be incorporated into UK law.
Divergences between the UK and EU requirements on e-Privacy
Assuming the e-Privacy Regulation does not become effective by the end of the transition period, the current UK e-privacy rules under the Privacy and Electronic Communications Regulations 2003 (“PECR”), which cover electronic direct marketing, cookies and electronic communications and derive from the e-Privacy Directive, will continue to apply (as recently confirmed by the ICO in its Brexit FAQ). It is therefore possible that, if and when the e-Privacy Regulation is finally settled, we will start to see divergences between the UK and EU requirements on e-Privacy. That said, it is also possible that the UK could opt to replace PECR with new legislation which mirrors the e-Privacy Regulation’s requirements, or to pursue another route entirely – although at this stage the UK government has not indicated any intention to update or replace PECR post-transition.
In short, it currently appears very unlikely that the e-Privacy Regulation will become law in the UK at the end of the transition period. This position could still change, for example if the transition period were to be extended, but this does not seem likely at the moment. For the time being, organisations should continue to comply with PECR in the UK.
Extraterritorial scope of e-Privacy Regulation
However, regardless of whether the UK government decides to enact laws which mirror or are similar to the new e-Privacy Regulation requirements once these are finalised by the EU, if the e-Privacy Regulation has extraterritorial scope as envisaged in the current drafts, UK companies will still be required to comply with the e-Privacy Regulation if sending direct marketing to individuals in the EU or placing cookies or similar technologies on their devices.
What’s next?
The Working Party on Telecommunications will discuss the draft further in its upcoming meetings. However, the introduction of legitimate interests is likely to be controversial, particularly among Member States which, to date, have consistently sought to include greater protections for internet users. As such, the Croatian draft is unlikely to muster sufficient support to move forward to trialogue negotiations. The task of agreeing the text will then fall to the German presidency in the second half of 2020.
The European Union (Withdrawal) Act 2018, as amended by the European Union (Withdrawal Agreement) Act 2020.