Data Protection Report - Norton Rose Fulbright

Earlier this week, the first draft of the EU’s ePrivacy Regulation was leaked. ePrivacy laws in Europe aim to protect the right to privacy and confidentiality with respect to the processing of personal data in the electronic communications sector (e.g., relating to cookie usage and online direct marketing). The leaked draft is intended to bring the law up-to-date and to align it with other developments in European data protection law. We understand that the leaked draft is still under discussion (and may have been superseded). Nevertheless, the leaked draft may foreshadow what will be contained in the official draft, which sources at the International Association of Privacy Professionals (IAPP) say is expected to be released in January 2017. Based on the leaked draft, we expect that many technology companies and online advertisers will not be happy with the official draft.


The current law on privacy in relation to electronic communications is set out in the ePrivacy Directive (as amended in 2009). Among other things, the ePrivacy Directive governs the performance of electronic direct marketing, the use of cookies (and other similar technology) and the requirement to keep communications data confidential. As it is an EU directive, Member States have had to implement the requirements of the ePrivacy Directive into their national laws.

The intention behind the review and proposed reform of the existing ePrivacy Directive was to assess the existing law’s effectiveness and relevance in the context of today’s technological environment and also to ensure consistency with the General Data Protection Regulation (the GDPR). As part of this review, the EU engaged both citizens and industry representative stakeholders and concluded that there was a need for “measured reinforcement of privacy/confidentiality” and “simplification” in the new ePrivacy law. (We have previously covered the Article 29 Working Party’s opinion recommending changes to the ePrivacy Directive.)

Interesting Points

Here are some interesting points from the leaked draft:

  1. It’s a Regulation: The leaked draft is a regulation, meaning that it will apply directly in a harmonised way across all Member States. (This is in contrast to the current ePrivacy Directive, which has had to be implemented into each Member State’s national laws). Given that the backbone of European data protection law (the GDPR) will be a regulation from May 2018, it is unsurprising that the proposed new ePrivacy law is also in the form of a regulation. As with the GDPR, Member States will still be given some freedom to deviate from the Regulation, particularly in the area of national security.
  2. Alignment with the GDPR: One aim of the review was to achieve consistency with the GDPR and a number of provisions in the proposed Regulation demonstrate this alignment. As with the GDPR, the draft has a broad territorial scope and applies to the provision of electronic communication services (e.g. voice telephony, SMS services and the “OTT” services referred to below) from outside the EU to end users in the EU. The fining regime also aligns with the fining regime under the GDPR, exposing organisations that breach the law to fines of up to 4% of worldwide annual turnover for breaches of communications secrecy requirements, cookies requirements and the rules on the use of metadata.
  3. It applies to “OTT” services: In line with the aim to keep up with technological developments and despite some heavy lobbying by technology companies, the leaked draft indicates that the new Regulation will apply to providers of services that run over the Internet (referred to as “over-the-top” or “OTT” service providers), such as WhatsApp, Skype and other messenger services. This expansion in scope is achieved by the broad definition of “electronic communications services” in the leaked draft, which encompasses services of this type.
  4. Apparent simplification of cookies rules: The leaked draft broadly maintains the position set out in current law on the use of cookies and similar technologies (namely that prior consent is needed unless the cookie usage is necessary to carry out the communication or is necessary to provide a service requested by the end-user). The recitals suggest that the circumstances in which consent is not required can be interpreted more broadly than currently. For example, cookies used to give effect to users’ website preferences or required to fill in online forms or keep shopping trollies stable are likely to be exempt from the consent requirement. It would also appear that consent is not required for the use of analytics cookies. This, coupled with the point below, may lead to the end of the cookie consent pop-ups that many users find irritating.
  5. Privacy by design and default “do not track”: The leaked draft of the Regulation expressly references “Privacy by design.” Significantly, this requires technology providers to configure all terminal equipment and software used to retrieve and present information on the Internet (e.g. browsers) so that their default setting prevents third parties from storing information on, or using information about, a user’s device. Therefore, users would need to intentionally activate cookie usage before information can be collected from their devices. This is likely to significantly reduce the number of individuals that will consent to the use of cookies and similar tracking technology, which will create major headaches for browser providers and online advertisers, whose businesses rely on this type of technology.
  6. Marketing: The leaked draft does not draw a distinction between corporate and individual subscribers and requires all end users to consent to direct marketing communications undertaken via electronic communications services. The conditions for consent in the Regulation are those higher standards set out in the GDPR. Telephone marketing continues to be permitted on an opt-out basis, but the proposed Regulation would require entities placing marketing calls to use a specific code or prefix identifying that it is a marketing call.
  7. Implementation: The leaked draft states that it will take effect just six months after it enters into force, clearly demonstrating the Commission’s objective to ensure that this Regulation comes into force at the same time of the GDPR. Whether that will be possible remains to be seen. In practice, this will mean that the draft will need to be finalised by the end of Q3 on 2017. This is an exceptionally tight timeframe, especially given the nature of some of the changes that this leaked draft suggests will be included, which will need to be considered and agreed.

Our Take

Revisions to the ePrivacy law have been expected for some time, and this leaked draft reveals some potentially significant areas of change, especially in the context of privacy by design and the default opting out of cookies. We think that a number of industry groups, especially in the area of online advertising, will have some major concerns about many of these areas and will be keen to have their views heard. This, and the rest of the finalisation process, will need to be done to a very tight timetable, so 2017 looks set to be an interesting year in the area of ePrivacy.

We will continue to monitor the development of this Regulation and provide a more detailed analysis when the official draft is published in the New Year.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.