Newsletter March 2021 – Finally a breakthrough for the planned ePrivacy Regulation – what’s in store for businesses?

New EU-wide data protection rules

With the ePrivacy Regulation, the European Union aims to set additional data protection rules that will apply in the EU. The planned law will complement the existing General Data Protection Regulation (GDPR), and – in Germany –the Telemedia and Telecommunications Acts.

What is the goal of the ePrivacy Regulation?

The goal of the new regulation is to strengthen citizens’ trust in digital communication channels. The EU is hoping to strengthen the privacy of citizens online and is therefore attempting to further regulate data protection in this area.

What will the new law be about?

Here are some examples:

  • Cookies: opt-in instead of opt-out
    • Website operators will only be allowed to set cookies if the user has specifically consented to this.
    • Users will need to be be shown all content even if they have not given their consent (ban on ‘forced consent’).
  • Requirements for data transmissions in IoT/machine-to-machine communication
    • requirements are identical to data transmission where ‘live’ users are directly involved
    • devices will only be allowed to transmit personal data such as GPS data from smartphones if users have consented to this
  • mandatory end-to-end encryption for communications services:
    • data transmissions for communications services will need to be fully encrypted, even governments may not be granted access
    • the creation of “back doors” by manufacturers to grant access to governments would thus be illegal

The ePrivacy Regulation will replace the currentePrivacy Directive and complement the GDPR.

A regulation replacing a directive

The current ePrivacy Directive is not a directly binding law, but a set of common principles that needed to be implemented in national laws.

The new ePrivacy Regulation, on the other hand, will be directly applicable throughout the EU.

What will happen to the GDPR as well as to national laws such as the German Federal Data Protection Act, or the Telemedia and Telecommunications Acts?

The GDPR will remain in force and will be complemented by the additional rules of the ePrivacy Regulation, which will take precedence over the GDPR.

For this reason, the ePrivacy Regulation  covers more specific issues (especially concerning online matters) than the GDPR.

In addition, the German Federal Data Protection Act as well as the Telemedia and Telecommunications Acts will remain in force, albeit with the upcoming changes by the new TTDSG act as covered by our August 2020 newsletter.

New developments

Originally, the ePrivacy Regulation meant to enter into force together with the GDPR, but the legislative process stalled. Since then, the text of the planned regulation has been changed again and again; the last compromise proposal had been rejected by the EU member states in November 2020.

Under the Portugal’s presidency in the EU Council, a new initiative has brought agreement on a common negotiating position of the member states in January. This will open negotiations with the EU Commission and the European Parliament and thus further advance the possible adoption of the planned law.

Major changes from previos drafts:

  • removal of the “browser solution“
    • the mandatory regulation of consent management through browsers was removed
  • removal of the reference to the free withdrawal of consent in favor of a general reference to the GDPR
  • no explicit restriction on the collection of personal data for advertising purposes through cookies (beyond the consent requirement)
  • collection of metadata without explicit prior consent
    • “compatible grounds” shall be sufficient for processing
    • messaging services such as WhatsApp can thus evaluate user behavior and use the results for advertising purposes.
  • privacy may be limited for reasons of national security and defense
    • protection of personal data may be limited by intelligence services

What is the significance of the new version for data protection?

What protection do users enjoy when using online stores and online services, and when browsing the web in general? Can a provider determine whether a service is available to the user depending on consent?

We will keep you up to date on the latest developments. At any rate, we do not currently expect the law to come into force before 2022. Please feel free to contact us if you have any questions about the new ePrivacy Regulation.