Start of main content

Commission and European Parliament fail to agree on 'ePrivacy' regulation after fourteen drafts

| News | Privacy, IT & Digital Business

Isabel Martínez analyzes the regulations in an article published by Confilegal

The European Union aims to create a homogeneous body of legislation for the internal market to increase the protection of consumers and legal subjects.

In this context, the ePrivacy Regulation (ePR) is at the centre of all discussions. With this regulation, the European Union aims to formulate a mandatory privacy policy that is valid in all Member States.

For her part, Isabel Martínez, director at Andersen, explains to Confilegal that the ePrivacy Regulation is going through a complex approval process, as was the case with the GDPR (which took four years to be approved), with extensive debates between the Member States (represented in the Council), the European Commission and the European Parliament.

She states that they have different views on how to balance the fundamental right to data protection of European citizens, on the one hand, and to give a definite boost to the development of the data economy in the framework of the digital single market, on the other.

She reveals that some of the most contentious issues are, among others, its territorial scope of application. It could be aligned with the GDPR and applies to any entity providing services to European citizens or residents, regardless of whether it is located outside the EU.

She also believes that it extends obligations to OTT operators, multiplying the obligations they had until now (unlike the previous e-Privacy Directive), as well as extending protection and security obligations not only to users' personal data, but, in general, to the content of electronic communications and, above all, it regulates and extends protection to metadata.

Martínez points out that the different draft proposals of the e-Privacy Regulation included the proposal to predominantly require express consent as the basis of legitimisation for each processing of data and metadata, to the detriment of other equally valid bases of legitimisation, provided for in the GDPR, such as legitimate interest or the fulfilment of a service or performance of a contract.

It also highlights its impact on a more user-friendly browsing experience and greater transparency regarding the processing of personal data and the metadata generated by the user's browsing or use of the device, although it did not clarify some important issues for programmatic advertising.

Another element of debate relates to the protection and confidentiality of content and information stored on users' devices, which challenged operators to provide their online services in a way that respects the obligations set out in relation to access to data and metadata stored on the device.

In their view, they will, for example, have to encrypt communications and data to be transmitted, including before sharing them for statistical analysis or impact assessments to analyse data processing.

Isabel Martínez explains to Confilegal that the e-Privacy Regulation is a special law compared to the GDPR, and therefore complements and details some specific obligations in the framework of electronic communications and information transmission networks.

It reveals that, on aspects such as advertising impact techniques through cookies and direct marketing, all operators involved (whether advertisers or intermediaries) will have to consider the new specific rules included in the Regulation.

Regarding the access, transmission and processing of non-personal data, the e-Privacy Regulation, by establishing homogenous rules across the Union, can be a catalyst for the definitive take-off of the data economy within the EU, she says.

"We have to bear in mind that accessing and processing considerable volumes of non-personal information is primarily for research, improving public services, transport safety or creating innovative solutions to existing needs, through the application of big data analysis technologies and artificial intelligence, in a way that is efficient and beneficial for society as a whole.”

In her view, there is uncertainty in the industry as to what the final position and consequences of the final text will be. The incorporation of a two-year 'vacatio legis' period is of particular importance to allow operators to adapt their business models to the new legal requirements in an orderly manner.

As for the adaptation of companies and other operators to this new regulatory framework, after the experience of the GDPR in most organisations, she believes that companies and operators are more prepared to comply with this new regulation when it is finally approved.

Isabel Martínez believes that the experience gained in a similar process and, above all, the growing awareness of compliance issues, make the transition easier.

The full article can be read in Confilegal

End of main content