July 2018 - Data Protection & Privacy | ePrivacy | GDPR

The Proposed EU E-Privacy Regulation

Electronic Communications, Technological Neutrality, and Consent for Cookies: Hot on the heels of the GDPR, the European Union is working towards a sister regulation, the ePrivacy Regulation. In this video interview, Oliver Süme, Chair of the eco Association, explains the current status of the legislation and what companies need to be prepared for.

Watch the 7-minute video above or on YouTube, or read the transcript below.

Oliver Süme is a specialist attorney for IT law. He is a partner of the international law firm Fieldfisher, and founder of the Hamburg Top-Level-Domain GmbH (registry for “.hamburg”). At the end of 2017, he took over the role of Chair of eco – Association of the Internet Industry. He is also President of EuroISPA, the European Internet service providers association.

Transcript

dotmagazine: What is the difference between the proposed ePrivacy Regulation and the GDPR?

Oliver Süme: The GDPR is covering the processing of personal data in general. So that is important for almost any business that is dealing with or processing personal data, and the draft ePrivacy regulation is a complementary legislation and that is a so-called Lex specialis, as the lawyers would say, which is exclusively dealing with communication data, so with covering electronic communications services. And the goal is to protect the confidentiality of communication between users, consumers, and data subjects.

According to the GDPR, you have different options for legal grounds that you can rely on in order to process personal data lawfully. And the most important one according to the GDPR is consent and the so-called legitimate interest, which means that this is a very flexible approach and that depends very much on the risk level of the certain purpose or processing of data. That is different in the ePrivacy regulation because besides some very narrow exceptions, the only legal grounds for processing communication data is consent. And that is something that is quite under criticism because that is not a very flexible approach. You need consent for almost each and every process, which doesn't make it flexible and which means that you only have one risk level. Everything would be considered as high risk and that is something that I don't think is very flexible from the general approach of the regulation.

dot: Speaking of flexibility: one of the criticisms of the ePrivacy Regulation is that it's not technology neutral. 

Süme: Yes, the principle of technological neutrality is very important for any piece of legislation that has to deal with technology, and the European Commission is considering that for many years now. Unfortunately, I think they haven't considered that in the right way when they drafted the ePrivacy regulation, because this piece of legislation very much focuses on browser settings and it describes in long terms how the settings in a potential browser would have to be made to comply with this law, which again means it's not very flexible. If you mention one specific technology in a law, that would mean that the law is not valid anymore once you have more innovative or different technologies in the market. And I think that is a very important thing that has to be further negotiated in the ongoing legislative process.

dot: How should companies be preparing themselves for ePrivacy? 

Süme: That's a little bit difficult currently because no one knows when exactly it will come and no one knows what the final output and the final version will say. Right. So that makes it difficult to get prepared. So my first advice would be monitor the ongoing legislative process as closely as you can so that a company might be aware at the most early stage about that potential final version and the final wording.

However, I think two things will be for sure: The territorial scope will stay the same - that is the same approach that has been taken with regard to the GDPR, which basically says that the law will cover also entities from outside the European Union, as soon as they provide electronic communication services in the EU and to EU consumers. That is a basic principle and I think that will remain untouched, as well as the basic idea to have consent for cookies as the second general approach that is in this directive. That is of course very much under criticism, in particular from the industries around online marketing, digital advertising, and all these companies who might suffer from that in a very special way. But I would expect that the general approach of consent when it comes to the use of cookies will stay the same and I think that is something companies have to be prepared for.

dot: When is the ePrivacy Regulation likely to come into effect?

Süme: Well, we are in the last stage actually before the trilogue can start. We have the initial draft seen from the commission. We have seen the comments and the changes according to the position of the European Parliament and we are now waiting for the European Council to find its position because that would be the condition to start the trilogue. So maybe in autumn 2018 the council will have found its position and then the trilogue could start maybe at the end of 2018 - which definitely means that the regulation will not come into force earlier than 2019. And looking at 2019, we have an additional challenge because there will be elections for a new European Parliament in June 2019. So from the perspective of the lawmakers it would be really important to have this regulation completed and adopted before spring 2019 because otherwise it will not come into effect because it will be interrupted by the legislations for a new parliament and in the consequence for a new commission.

dot: So, for the moment, companies should still keep their focus on the GDPR, and wait and see what happens with ePrivacy? 

Süme: Yes. GDPR compliance is the top priority currently for almost all businesses. And then you have to monitor very closely the ongoing process with regard to the ePrivacy Regulation and of course you have to deal with the question of what are the conditions for lawful electronic communications, for the lawful use of cookies, for that time until the new ePrivacy regulation will come into effect. And how do we deal with this in the meantime. That is a very important challenge for businesses and I would strongly recommend to take care of that as timely as possible.