When will the new EU ePrivacy Regulation come into action?
Originally, the ambitious intention was to let the new ePrivacy Regulation apply on May 25th, 2018 (the same date as the GDPR).
That timeline wasn’t just ambitious but also turned out to be impossible, given the fact that the draft text was published so late (January 10th, 2017), the many comments and criticism from delegations since it was published (with tremendous lobbying) and the fact that after the final vote in plenary session end October 2017 on the Lauristin report, including the amended text, in the European Parliament, it is clear that there are still things to be discussed before an agreement between the Council and Parliament is reached.
The Council of the European Union responded a first time to comments on May 19 with a so-calledinterinstitutional file (2017/0003, PDF opens) which states that the delegations which took part in the discussion in the Council’s Working Party on Telecommunications and Information Society consider the date unrealistic.
More work was needed with several concerns to tackle and the goal was to finalize the first examination of the proposal by the end of the Maltese Presidency in June 2017. This in turn should be a ‘solid base for future progress’. As you can read in a January 2018 update below in the Council has published an overview of its work done so far in December 2017 and, again, there is still work to be done.
In other words: the EU ePrivacy Regulation text will not be published, enter into force or be applied on the same day as the GDPR.
In the meantime obviously the current ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector) remains in place, which is a matter of national legislation.
It remains key to include online data and identifiers such as cookies and many others in your GDPR strategy as, regardless of where and how the text will be adapted according to discussions as a result of concerns raised by delegations (the extension to OTT companies, the machine-to-machine communications stipulations, the lack of clarity in some areas, the mentioned possibility that the suggested solution for cookies will not achieve what it aims to, the overlap with other regulations and legislation and so forth), the scope remains.
Moreover, some delegations point to the legal grounds which are available in the GDPR to tackle several of the EU Privacy Regulation’s original text, among others including the permitted processing.
October 19, 2017: LIBE Committee votes in favor of amended ePrivacy Regulation texts
On October 19th, 2017, the European Parliament Committee on on Civil Liberties, Justice and Home Affairs, a.k.a. LIBE Committee, has voted on a report, the Lauristin report, which includes amendments to the ePrivacy Regulation draft.
A victory for advocates of strict privacy and data protection rules
Despite tremendous lobbying and the far-reaching consequences of the amended ePrivacy Regulation draft texts, the law makers in the European Parliament who went for a strong and clear vote ‘no’ to the lobbying groups won the vote. In other words: a victory for the advocates of strict privacy and data protection rules and a major blowback for the several lobby groups
Now that the amendments and report with MEP Marju Lauristin as rapporteur (hence also the Lauristin report) has been approved by the LIBE Committee the next step is a vote in the plenary session of the EU Parliament end October. The ePrivacy Regulation is not a fact yet but as it stands now, the lobbying will certainly increase as the vote isn’t good news for the several industries that have been demanding for changes on many levels.
These lobby groups include the marketing, advertising and media industry but also other groups that have come to understand that “the vote on the Respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC” as the EU calls it on its ePrivacy update page isn’t just a vote about cookies and electronic communications as we have known it so far but that, as previously mentioned also a range of new ‘channels’ and technologies, including IoT and the likes of WhatsApp and Skype are included.
Just as was and still is the case with the GDPR (where preparations of companies to become as GDPR compliant lag behind and are often not approached from the overall risk and personal data protection perspective), it is amazing how it took so long before the extent of the new “Regulation on Privacy and Electronic Communications” became clear. That wasn’t the case for the advertising and media industries or the telecommunications industry given the fact that they already knew the current relation with cookies but it certainly is with, among others, the inclusion of IoT, a topic we write about very often but whereby we see very little reference to the IoT and the ePrivacy Regulation, let alone GDPR.
A blow to European publishing, media and advertising industries
Anyway, the vote has been a clear victory for the advocates of strict and clear privacy and data protection rules and a major hit for the several lobby groups, including those from the mentioned industries.
Only little over a week before the vote eight associations, representing parties from the European publishing, media and advertising industries sent an open letter to the MEPS in a warning that specific amendments to the ePrivacy Regulation text, which as the vote has shown are supported by several MEPS, are a threat to the advertising and media business models.
More specifically they asked that the ePrivacy Regulation would support the right of online services which essentially means that publishers have the right to restrict full access to their services to those online users who have not consented to the data processing which is deemed necessary to monetize a service through data-driven advertising, without forcing publishers to adopt an alternative payments-based business model without data-driven advertising as the IAB Europe puts it.
October 26, 2017: EP votes in favor of amended version and Lauristin report in plenary despite criticism of lobby groups and political differences
After the vote of the LIBE Committee, a.k.a. the Justice Committee of the European Parliament (EP), members of the EP voted in favor of the so-called Lauristin report in plenary session.
The vote is in fact on the decision to enter the negotiations, one of the final stages in the EU policy-making process with the Parliament, Commission and Council (representing member states). This means that the report drafted by MEP and rapporteur Marju Lauristin as it is in the SlideShare above also has been said yes to by the majority of MEPs in the EP’s plenary which, as said was the next step to get to the next step. Of the 618 voting MEPs, 318 voted for, 280 against and there were 20 abstentions.
It’s the second blow in a row for whomever wanted changes in the ePrivacy Regulation and a second victory for pro-privacy advocates in a row. With the Parliament having given the green light for the negotiations with the Commission and Council it’s up to the next steps.
ePrivacy Regulation updates January 2018
While the GDPR becomes applicable on the date everyone knows we can’t emphasize enough that this will not be the case for the ePrivacy Regulation as we read now and then.
The so-called Lauristin report which the European Parliament adopted end October 2017 in plenary session as mentioned consists of the “draft European Parliament legislative resolution on the proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC “ (which is the ePrivacy Regulation or Regulation on Privacy and Electronic Communications), a brief explanatory statement, a list of ‘entities’ having given input to rapporteur Lauristin, opinions and more.
The consolidated version of the European Council and further ePrivacy Regulation topics to analyze
Early December 2017, as part of the next steps in which the European Council plays a role, that European Council published “Interinstitutional File 2017/0003 (COD)”.
This is essentially a consolidation as the Council works towards its final position. As the document (PDF opens) puts it: “In order to facilitate future work on this file, the Presidency has put together a full text of the proposal, consolidating the work done in the second half of 2017”.
The document also states that further analysis is necessary with regards to articles 6, 7 and 8 and processing grounds, as they are in the above embedded Lauristin report (European Parliament) and are in the draft ePrivacy Regulation text as consolidated in the December 2017 document of the European Council. So, further analysis.
Next steps and WHEN the ePrivacy Regulation might be applied (which is not the same as entering into force)
Then it’s up to the European Council to come up with the final version of the “Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC”, so the final proposal and the position of the Council in the trilogue process with the Commission and Council involved.
This will not happen before the date the GDPR enters into force. Moreover, once that final proposal is done it still can require further discussions between the European Commission, European Council and European Parliament if there are disagreements on the amendments (in the Lauristin report) which were adopted by the European Parliament, along with this Lauristin report (since they are part of it) in October 2017.
A bit of context on the whole process perhaps: in the trilogue process with the Parliament, Council and Commission we’re in, once the European Council has finalized its position, the Council and European Parliament can agree at a first reading (there are, however, still differences and as we have entered 2018 the Council isn’t done with its so-called ‘General Approach’ yet). If there is no agreement at a first reading (whereby the European Parliament and the Council, representing member state ministers with the Council’s work being prepared and coordinated by the Permanent Representatives Committee, supported by working parties, in this case for instance the Article 29 Working Party which becomes the European Data Protection Board, are ‘equal’ so to say), a second reading takes place. If there still isn’t an agreement then, conciliation comes in the picture (which happened until now for about 10 percent of EU legislation).
As the European Commission made clear in the scope of the progress of EU member states with the GDPR, all focus is on the GDPR at this time and it is pretty sure that the ePrivacy Regulation will NOT enter into force before 2019 and even most probably the second half of 2019.
And then it is not done yet! Do note there is a difference between entering into force and being applied.
That’s where a so-called grace period can come in. By way of comparison: as its Article 99 stipulates the GDPR entered into force the twentieth day following that of its publication in the Official Journal of the European Union. However, it applies from 25 May 2018. The ePrivacy Regulation by far is not in the Official Journal of the European Union and will almost certainly not be before end 2019.
Loading...