The EU ePR (ePrivacy Regulation)

A proposed regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)

What is the EU ePrivacy Regulation?

The proposed EU Regulation on Privacy and Electronic Communications (also known as the ePrivacy Regulation or ePR) will replace the 2002 ePrivacy Directive (the ‘cookie law’) and all EU member state laws that implement it.

It is not yet known whether the UK’s PECR (Privacy and Electronic Communications (EU Directive) Regulations 2003), which enacts the ePrivacy Directive, will be amended or superseded to bring UK law into line with the ePR.

When will the ePrivacy Regulation take effect?

The European Commission proposed the ePrivacy Regulation in January 2017. It was intended to take effect alongside the EU GDPR (General Data Protection Regulation) on 25 May 2018.

However, the final text is still to be agreed, with the Council of the European Union and the European Parliament disagreeing about a number of issues.

You can follow the ePrivacy Regulation’s progress and read all drafts on the EU’s EUR-Lex website.

How are the ePrivacy Regulation and GDPR linked?

The ePrivacy Regulation will complement the GDPR’s general rules on personal data processing by providing specific rules governing electronic communications.

As such, the ePrivacy Regulation will take precedence over the GDPR in situations where both laws apply.

Unlike the GDPR, the ePrivacy Regulation does not apply only to personal data. It also affects B2B marketing, for instance.

The scope of the ePrivacy Regulation

The final text of the ePR is yet to be agreed, but the Council’s draft recommends that the Regulation applies to:

  • The processing of electronic communications content and metadata carried out in connection with the provision and use of electronic communications services;
  • End users’ terminal equipment information;
  • The offering of a publicly available directory of end users of electronic communications services; and/or
  • The sending of direct marketing communications to end users.

Whatever the Regulation’s final wording, it will have the same territorial scope as the GDPR and apply directly in all EU member states as well as having extraterritorial reach to non-EEA organisations that:

  • Process EU residents’ electronic communications content and/or metadata;
  • Process EU residents’ terminal equipment information;
  • Offer publicly available directories of EU residents; or
  • Send direct marketing communications to EU residents.

EU representatives

Organisations that fall within the ePrivacy Regulation’s scope but are not based in the EU must designate a representative in an EU member state where their end users are based.

Organisations that have already appointed an EU representative to meet their GDPR obligations could appoint the same representative to comply with the ePrivacy Regulation.


What are the main differences between the 2002 ePrivacy Directive/PECR and the proposed ePrivacy Regulation?

The ePrivacy Regulation will expand the 2002 Directive’s scope to cover newer technologies like instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).

As the Regulation’s final text is yet to be agreed, it is impossible to provide a detailed commentary on how it differs from the Directive. However, certain areas are worth examining.

Cookies

The ePrivacy Directive was nicknamed ‘the cookie law’. It prompted many organisations to introduce cookie walls and consent mechanisms that prevented end users from accessing websites unless they blindly accepted cookies.

The ePrivacy Regulation is meant to eliminate such issues while still giving people online privacy and protecting the confidentiality of their terminal equipment.

The Commission’s proposal states that cookies used only to process information anonymously should no longer require end-user consent. This should mean fewer cookie walls and banners for end users.

Many other exemptions from consent are retained in the proposal, including cookies necessary for:

  • Transmitting a communication;
  • Security;
  • Billing or collecting payments; or
  • Detecting or stopping fraud.

Even though there are fewer restrictions on collecting electronic communications data, the ePrivacy Regulation sets out rules about how that data must be stored, protected and erased.

However, in October 2019 the European Court of Justice ruled that users must actively consent to companies storing any cookies on their equipment, irrespective of “whether or not the information stored or accessed on the user’s equipment is personal data”. We should expect to see this reflected in the final draft of the Regulation.

Where consent is required, the GDPR’s standard for consent applies.

For more information on the GDPR’s standard for consent, read our blog ‘GDPR: lawful bases for processing, with examples’.

Processing electronic communications content and/or metadata

The proposed use of legitimate interests as a lawful basis for processing electronic communications metadata has also proved contentious.

On 25 May 2018, the EDPB (European Data Protection Board) released its Statement on the revision of the ePrivacy Regulation and its impact on the protection of individuals with regard to the privacy and confidentiality of their communications, which recommends that:

“User consent should be obtained systematically in a technically viable and enforceable manner before processing electronic communications data or before using the storage or processing capabilities of a user’s terminal equipment. There should be no exceptions to process this data based on the ‘legitimate interest’ of the data controller, or on the general purpose of the performance of a contract.”

Marketing communications

Article 16 of the Commission’s draft states that end users may not be sent direct marketing communications unless they consent.

It then provides several exemptions, including marketing to existing customers. It sets out rules for marketers, including the obligation to reveal their identity and provide the opportunity for recipients to opt out of further marketing communications.

The Council’s latest draft amends Article 16 to refer to ‘unsolicited’ and direct marketing communications and adds the option for member states to set a time limit after which organisations may not send marketing communications to their customers.

Note that, although the GDPR states in Recital 47 that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”, the ePrivacy Regulation, as ‘lex specialis’ to the GDPR’s ‘lex generalis’, will overrule the GDPR, so if the final version requires consent, legitimate interests will not be valid for direct marketing even though the GDPR says they are.

End users will also have the absolute right to object, in which case you must stop marketing to them as soon as possible, but certainly within one month. You must also inform them of that right and the fact that you intend to use their data for direct marketing purposes.

Fines for non-compliance

The ePrivacy Regulation is expected to carry an identical penalty regime to the GDPR, with maximum fines of €20 million (about £17.5 million) or 4% of a non-compliant organisation’s global annual turnover, whichever is greater.

End users who suffer “material or non-material damage” due to infringement of the ePrivacy Regulation also have the right to receive compensation from the infringer.

We will update this page when the final text of the ePrivacy Regulation has been agreed.

Meanwhile, UK organisations should continue to comply with the PECR.

How IT Governance can help you comply with the PECR

Understand your level of PECR compliance with our independent PECR Audit service, which assesses:

  • Organisation-wide awareness of the PECR;
  • How risks are managed and the accompanying documentation;
  • The security procedures in place such as access limitation;
  • Handling of data subjects’ rights and privacy notices;
  • Staff training;
  • Data transfer mechanisms and third-party processors;
  • Your ISMS (information security management system), including testing and frameworks; and
  • Your breach response processes.

We will identify areas of non-compliance and deliver a report to help you take remedial action.
